One Time Password - CentOS 6.4 + SSH Howto - Part 2
This is the second part of the tutorial. The first part is available here.
Step four: install the PAM OTP module
$ sudo make install
Step five: configure PAM to use the Google Authenticator OTP module
If you have SElinux enabled and patched the code as described above, add a call to the Google Authenticator PAM module in the PAM SSH configuration file as follow:
$ sudo sed -i -e '3iauth required pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator' /etc/pam.d/sshd
If you did not patch the file, use the following.
$ sudo sed -i -e '3iauth required pam_google_authenticator.so' /etc/pam.d/sshd
Step six: configure SSH to use PAM and ChallengeResponseAuthentication
The first change will ensure sshd calls the PAM hook which will activate the Google Authenticator module. Find the UsePAM directive and make sure it is set to ‘yes’
UsePAM yes
Next, we activate the ChallengeResponseAuthentication option.
ChallengeResponseAuthentication yes
Finally, you can decide to disable public key authentication method to force the users to always use One Time Password.
PubkeyAuthentication no
Step seven: Create pre-shared secret
Next we need to define a pre-shared secret between a user and the OTP device. In my case I will use the Google Authenticator smartphone application. So lets run the second component that was installed when you ran ‘make install’…
./google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/demo@testhost.itisopen.net%3Fsecret%XXXXXXXXXXXXXXXXX
Your new secret key is: XXXXXXXXXXXXXXXXX
Your verification code is 993048
Your emergency scratch codes are:
51662819
42444725
60400015
87533609
44270197
Do you want me to update your "/home/demo/.ssh/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
If libqrencode was found at compile time, a QR-code will also be displayed below the URL.
Step eight: configure the secret on your OTP devide
Different options:
- configure it manually or better…
- scan the QR-code if your OTP device can to it!
If no QR-code were displayed in your terminal, you can copy/paste the URL in your browser to generate one!
Step nine: if you have SElinux enabled…
If SElinux is enabled, fix the permission with the following command found here.
chcon -R -t ssh_home_t $HOME/.ssh/.google_authenticator
Step ten: debug?
If you have trouble, open another terminal and have a look to the log file while attempting to connect…
tail -f /var/log/secure
blog comments powered by Disqus