One Time Password - CentOS 6.4 + SSH Howto - Part 2
This is the second part of the tutorial. The first part is available here.
Step four: install the PAM OTP module
Step five: configure PAM to use the Google Authenticator OTP module
If you have SElinux enabled and patched the code as described above, add a call to the Google Authenticator PAM module in the PAM SSH configuration file as follow:
If you did not patch the file, use the following.
Step six: configure SSH to use PAM and ChallengeResponseAuthentication
The first change will ensure sshd calls the PAM hook which will activate the Google Authenticator module. Find the UsePAM directive and make sure it is set to ‘yes’
Next, we activate the ChallengeResponseAuthentication option.
Finally, you can decide to disable public key authentication method to force the users to always use One Time Password.
Step seven: Create pre-shared secret
Next we need to define a pre-shared secret between a user and the OTP device. In my case I will use the Google Authenticator smartphone application. So lets run the second component that was installed when you ran ‘make install’…
If libqrencode was found at compile time, a QR-code will also be displayed below the URL.
Step eight: configure the secret on your OTP devide
Different options:
- configure it manually or better…
- scan the QR-code if your OTP device can to it!
If no QR-code were displayed in your terminal, you can copy/paste the URL in your browser to generate one!
Step nine: if you have SElinux enabled…
If SElinux is enabled, fix the permission with the following command found here.
Step ten: debug?
If you have trouble, open another terminal and have a look to the log file while attempting to connect…
blog comments powered by Disqus