Difference between revisions of "Google Authenticator"
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
Line 37: | Line 37: | ||
sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf | sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf | ||
sudo nano /etc/freeradius/users | sudo nano /etc/freeradius/users | ||
− | + | <pre> | |
− | + | # | |
− | + | # Deny access for a group of users. | |
− | + | # | |
− | + | # Note that there is NO 'Fall-Through' attribute, so the user will not | |
− | + | # be given any additional resources. | |
− | + | # | |
− | + | #DEFAULT Group == "disabled", Auth-Type := Reject | |
− | + | # Reply-Message = "Your account has been disabled." | |
− | + | # | |
− | + | DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject | |
− | + | Reply-Message = “Your account has been disabled.” | |
− | + | DEFAULT Auth-Type := PAM | |
− | + | ||
+ | # | ||
+ | </pre> |
Revision as of 11:34, 18 August 2016
CentOS 7
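# Build and install the Google Authenticator PAM module, then install FreeRADIUS.
# Run as root (the listing uses no sudo).

# Build prerequisites.
yum install -y git autoconf automake make libtool pam-devel

# NOTE(review): this builds whatever the default branch holds at clone time.
# Consider checking out a reviewed release tag (<RELEASE_TAG>) before building.
git clone https://github.com/google/google-authenticator
cd google-authenticator/libpam
./bootstrap.sh
./configure
# make is resolved from PATH; it is not a script in the source tree.
make
make install

# The build installs under /usr/local; link the module into the directory
# the listing expects 64-bit PAM modules to be loaded from.
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

yum install freeradius

# Enable the pam module: ln -s takes TARGET first, then the link name, so the
# link is created in mods-enabled and points at the file in mods-available.
ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam

# Run radiusd as root:root, presumably so the PAM module can read each
# user's authenticator secret file. A network-facing daemon running as root
# raises the impact of any flaw in it; limit which hosts may reach it
# (firewall, clients.conf).
# NOTE(review): confirm the account name present in radiusd.conf. If the
# packaged default is not "freerad", these substitutions match nothing and
# the daemon keeps its original identity.
sed -i 's/user = freerad/user = root/' /etc/raddb/radiusd.conf
sed -i 's/group = freerad/group = root/' /etc/raddb/radiusd.conf

# Add the DEFAULT entries that follow this listing.
nano /etc/raddb/users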
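# Entries are evaluated top to bottom. The first rule has no Fall-Through,
# so a member of the listed group is rejected before PAM is consulted.
# String values need plain ASCII double quotes. Typographic quotes are not
# string delimiters, so the group comparison would not match the intended
# name and the deny rule would not apply.
DEFAULT Group == "GG_S_GOOGLE_AUTH_DISABLED", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

# Every other request is authenticated through PAM.
DEFAULT Auth-Type := PAM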
# Uncomment the pam entry in the default virtual server: a line starting
# with '#', seven spaces and "pam" becomes eight spaces and "pam".
sed -i -E 's/^# {7}pam/        pam/' /etc/raddb/sites-enabled/default
Comment out all lines in /etc/pam.d/radiusd, then add the following:
# Append the two auth rules for the radiusd PAM service, in evaluation order:
#   1. pam_google_authenticator.so (requisite): a failed verification code
#      ends the stack immediately; forward_pass passes the remaining
#      password on to the next module.
#   2. pam_lsass.so (required): checks that password; use_first_pass reuses
#      it instead of prompting again.
printf '%s\n' \
  'auth requisite pam_google_authenticator.so forward_pass' \
  'auth required pam_lsass.so use_first_pass' \
  >> /etc/pam.d/radiusd
Ubuntu 16.04 LTS
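# Fetch the PBIS Open installer, build the Google Authenticator PAM module,
# and install FreeRADIUS on Ubuntu.

# The installer arrives over plain HTTP, so the transfer has no integrity
# protection. Before running it, compare its checksum with a value obtained
# from the vendor over a trusted channel (<EXPECTED_SHA256>).
sudo wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh

# NOTE(review): this builds whatever the default branch holds at clone time.
# Consider checking out a reviewed release tag (<RELEASE_TAG>) before building.
git clone https://github.com/google/google-authenticator
cd google-authenticator/libpam/
sudo apt install dh-autoreconf

# Configure and compile as the unprivileged user; only the install step
# writes to system directories and needs root.
./bootstrap.sh
./configure
make
sudo make install

sudo apt install freeradius

# Run the daemon as root:root, presumably so the PAM module can read each
# user's authenticator secret file. A network-facing daemon running as root
# raises the impact of any flaw in it; limit which hosts may reach it
# (firewall, clients.conf).
# The second substitution rewrites the group line to "group = root"; writing
# "user = root" there would drop the group setting and duplicate the user one.
sudo sed -i 's/^user\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
sudo sed -i 's/^group\ =\ freerad/group\ =\ root/' /etc/freeradius/radiusd.conf

# Add the DEFAULT entries that follow this listing.
sudo nano /etc/freeradius/users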
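#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
#       Reply-Message = "Your account has been disabled."
#
# String values need plain ASCII double quotes. Typographic quotes are not
# string delimiters, so the group comparison would not match the intended
# name and the deny rule would not apply.
# NOTE(review): this rule rejects members of "CSP-VMWare.GoogleAuth".
# Confirm that the group is meant as a deny list and not as the set of
# users allowed to authenticate.
DEFAULT Group == "CSP-VMWare.GoogleAuth", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

# Every other request is authenticated through PAM.
DEFAULT Auth-Type := PAM
#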