2_factor_ssh_authentication_with_google_authenticator [Ben's notes]

Ben's notes

Linux, Unix, network, radio...

Google Authenticator for SSH

… on CentOS 6.5

Install required packages

yum install gcc gcc-c++ pam-devel subversion python-devel git

Clone the source code

mkdir /root/google-authenticator; cd /root/google-authenticator
git clone https://code.google.com/p/google-authenticator/

Compile and install pam library

cd google-authenticator/libpam/ 
make && make install

Configure SSHd

vi /etc/ssh/sshd_config

PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes 

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

Configure PAM SSHd

vi /etc/pam.d/sshd

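#add at top
# success=1: when the client matches access-local.conf, skip the next auth line (no code prompt)
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
# nullok: users without a secret file are let through without a verification code
auth   required        pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator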

Edit /etc/security/access-local.conf

Don't use Google Authenticator for local subnet 192.168.1.0/24

vi /etc/security/access-local.conf
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL

Configure Google Authenticator for user

Run google-authenticator, then read and answer the yes/no questions. After setup, the user will have a .google_authenticator file in the home directory.

The command will also create a URL and/or a QR code. Scan the QR code with Google Authenticator on your mobile phone. It will create a new account automatically.

google-authenticator
  
mv /home/${USER}/.google_authenticator /home/${USER}/.ssh/.google_authenticator
restorecon -Rv /home/${USER}

Restart SSHD

service sshd restart
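
Check the configuration

The sshd and PAM settings above can be checked for consistency before locking yourself out. The script below is an added example, not part of the original notes: sshd_opt and audit_2fa are hypothetical helper names, the sample files are constructed, and Match blocks and PAM include lines are not followed.

```shell
#!/bin/sh
# Added example; sshd_opt and audit_2fa are hypothetical helper names.

# Value sshd uses for keyword $2 in file $1: the first uncommented occurrence
# wins and keywords are case-insensitive. Match blocks are not handled.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Audit sshd_config ($1) and the PAM sshd file ($2); returns the FAIL count.
audit_2fa() {
    conf=$1; pam=$2; fails=0
    for key in ChallengeResponseAuthentication UsePAM; do
        if [ "$(sshd_opt "$conf" "$key")" != yes ]; then
            echo "FAIL: $key is not explicitly set to yes"
            fails=$((fails + 1))
        fi
    done
    # success=1 jumps over exactly one auth module: it must be the TOTP one.
    state=$(awk '$1 == "auth" { n++
            if (/pam_access\.so/ && /success=1/) a = n
            if (/pam_google_authenticator\.so/) { g = n; if (/[ \t]nullok/) nk = 1 } }
        END { if (!g) s = "missing"; else if (!a) s = "always"
              else if (g == a + 1) s = "bypass"; else s = "misplaced"
              print s (nk ? " nullok" : "") }' "$pam")
    case $state in
        missing*)   echo "FAIL: pam_google_authenticator.so is not in the auth stack"
                    fails=$((fails + 1)) ;;
        misplaced*) echo "FAIL: success=1 skips a module other than pam_google_authenticator.so"
                    fails=$((fails + 1)) ;;
        bypass*)    echo "INFO: clients allowed by the pam_access file skip the code prompt" ;;
        always*)    echo "INFO: every client is asked for a verification code" ;;
    esac
    case $state in *nullok) echo "WARN: nullok lets users without a secret file log in with no code" ;; esac
    return "$fails"
}

# Constructed sample files mirroring the settings on this page.
demo=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication yes' \
    'UsePAM yes' > "$demo/sshd_config"
printf '%s\n' \
    'auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf' \
    'auth required pam_google_authenticator.so nullok' > "$demo/pam_sshd"
audit_2fa "$demo/sshd_config" "$demo/pam_sshd"
rm -rf "$demo"
```

To check the real files, call audit_2fa /etc/ssh/sshd_config /etc/pam.d/sshd as root.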
2_factor_ssh_authentication_with_google_authenticator.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1