21 August 2013

This first release of the tutorial simply gathers the various steps and commands used to set up One Time Password authentication on a CentOS 6.4 host and configure SSH to use it. When I get more time, I may rewrite it as a more complete tutorial article.

The solution is based on:

  1. Google Authenticator - Wiki and google-authenticator on code.google.com
  2. libqrencode

Step one: make sure your host clock is synchronized

$ sudo yum install ntp
$ sudo chkconfig ntpd on
$ sudo ntpdate pool.ntp.org
$ sudo /etc/init.d/ntpd start
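
Why the clock matters, as an added example that is not part of the original tutorial or of the Google Authenticator code: the codes are time-based (RFC 6238 TOTP), so a server whose clock has drifted computes different codes than the phone does. The secret below is the RFC 6238 test key; the 30-second step, the 6 digits and the acceptance window of one step either side are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by the phone app

# Constructed sample secret: the RFC 6238 test key, base32-encoded.
# Never use this value for a real account.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
KEY = base64.b32decode(SECRET_B32)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, digits=DIGITS):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, int(unix_time) // STEP, digits)


def verify(key, code, server_time, window=1):
    """Accept the current step plus `window` steps either side (assumed policy)."""
    counter = int(server_time) // STEP
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        # No early exit and a constant-time compare: do not leak which step matched.
        ok |= hmac.compare_digest(hotp(key, counter + drift), code)
    return ok


if __name__ == "__main__":
    phone_time = 59                    # constructed: the phone's (correct) clock
    code = totp(KEY, phone_time)
    for skew in (0, 30, 150):          # seconds the server clock runs ahead
        result = "accepted" if verify(KEY, code, phone_time + skew) else "rejected"
        print(f"server skew {skew:>3}s: code {code} {result}")
```

A server that is a couple of minutes off rejects every valid code, which looks exactly like a wrong password in the logs; checking ntpd first saves a lot of debugging.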

Step two: install required build tools

$ sudo yum install gcc gcc-c++ git pam-devel

Google Authenticator will display a QR code on your terminal if libqrencode can be found when you compile the source code. I quickly tried to compile it on my lab machine but did not succeed. I decided to focus on this tutorial and will come back later to this problem. If you want to try to compile it yourself, the source can be found on GitHub.

For now, the package available at RPMforge will do the trick!

$ sudo yum install http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
$ sudo yum install libqrencode

Step three: get and build the PAM OTP module source code (Google Authenticator)

$ cd $DEVDIR
$ git clone https://code.google.com/p/google-authenticator/
$ cd google-authenticator/libpam

If you enabled SELinux on your host, you might want to change the location of the file containing the secret and other tunables in two C source files. The reason for this is that with SELinux activated, the PAM module will not be able to access the file containing the secret and thus won't let you in… One way to fix it is to relocate the file to the $HOME/.ssh/ directory and associate the file with the SSH SELinux security context.

Start with the file google-authenticator.c and search for the SECRET macro definition. In the version used at the time of writing it can be found at line 38 and looks like this.

#define SECRET                    "/.google_authenticator"

Change it to the following.

#define SECRET                    "$HOME/.ssh/.google_authenticator"

The other file is pam_google_authenticator.c; its SECRET macro definition is at line 58 (again, at the time of writing…) and looks like this.

#define SECRET                    "~/.google_authenticator"

Again, change it to the following.

#define SECRET                    "$HOME/.ssh/.google_authenticator"

The next steps are described in Part 2
