Difference between revisions of "Google Authenticator"

From Michael's Information Zone
Jump to navigation Jump to search
m
Line 10: Line 10:
  
 
==CentOS 7==
 
==CentOS 7==
https://www.linuxsysadmintutorials.com/setup-sudo-with-google-authenticator-for-2-factor-authentication-on-centos-7.html
+
<ref>https://www.linuxsysadmintutorials.com/setup-sudo-with-google-authenticator-for-2-factor-authentication-on-centos-7.html</ref>
  
 
  yum install -y git autoconf automake make libtool pam-devel
 
  yum install -y git autoconf automake make libtool pam-devel

Revision as of 17:37, 7 September 2016

https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04
http://freeradius.1045715.n5.nabble.com/Defining-an-Auth-Type-based-on-a-realm-td3208012.html
http://stackoverflow.com/questions/19021487/freeradius-google-dual-factor-authenticator-pam
http://lists.freeradius.org/pipermail/freeradius-users/2010-May/046799.html
http://www.supertechguy.com/help/security/freeradius-google-auth
http://wiki.freeradius.org/guide/Basic-configuration-HOWTO

  • Quick note about this article: I believe I have found the problem, and it would be the use of the pam_lsass.so module. It was starring me straight in the face and I missed it. I have not given up on this but I did quickly realize that I would be the only one in the company that would know how any of this works. Not worth it.
  • This is still a live project and will be completed in the next week or two. Have to deal with other projects first.

CentOS 7

[1]

yum install -y git autoconf automake make libtool pam-devel
nano /etc/yum.repos.d/pbis.repo
[PBISO]
name=PBISO
baseurl=http://repo.pbis.beyondtrust.com/yum/pbiso/$basearch
enabled=1
gpgcheck=0
yum -y install pbis-open
git clone https://github.com/google/google-authenticator
cd google-authenticator/libpam
./bootstrap.sh
./configure
./make
./make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
yum install freeradius
ln -s /etc/raddb/mods-enabled/pam /etc/raddb/mods-available/pam
sed -i 's/user = freerad/user = root/' /etc/raddb/radiusd.conf
sed -i 's/group = freerad/group - root/' /etc/raddb/radiusd.conf
nano /etc/raddb/users
DEFAULT Group == “GG_S_GOOGLE_AUTH_DISABLED”, Auth-Type := Reject
Reply-Message = “Your account has been disabled.”
DEFAULT Auth-Type := PAM
sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/raddb/sites-enabled/default

Comment out all lines in /etc/pam.d/radiusd then add the following

echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/radiusd
echo auth required pam_lsass.so use_first_pass >> /etc/pam.d/radiusd

Ubuntu 16.04 LTS

https://community.spiceworks.com/how_to/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open

sudo wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh
git clone https://github.com/google/google-authenticator
cd google-authenticator/libpam/
sudo apt install dh-autoreconf
sudo ./bootstrap.sh
./configure
sudo make
sudo make install
sudo apt install freeradius
sudo sed -i 's/^user\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
sudo nano /etc/freeradius/users
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT        Group == "disabled", Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."
#
DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject
Reply-Message = “Your account has been disabled.”
DEFAULT Auth-Type := PAM

#
sudo sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/freeradius/sites-enabled/default
sudo nano /etc/pam.d/radiusd
#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

#@include common-auth
#@include common-account
#@include common-password
#@include common-session
auth requisite pam_google_authenticator.so forward_pass
auth required pam_lsass.so use_first_pass
sudo systemctl start freeradius
sudo nano /etc/freeradius/clients.conf
  • Modify the following to match your environment
#client some.host.org {
#       secret          = testing123
#       shortname       = localhost
#}

ie

client vcs-vdi-my.domain.com {
       secret          = Imadeasecret!
       shortname       = vcs
}
sudo nano /etc/freeradius/proxy.conf

realm your.domain.com { }

sudo systemctl restart freeradius