Difference between revisions of "Google Authenticator"

Line 37: Line 37:
 
  sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
 
  sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
 
  sudo nano /etc/freeradius/users
 
  sudo nano /etc/freeradius/users
#
+
<pre>
# Deny access for a group of users.
+
#
#
+
# Deny access for a group of users.
# Note that there is NO 'Fall-Through' attribute, so the user will not
+
#
# be given any additional resources.
+
# Note that there is NO 'Fall-Through' attribute, so the user will not
#
+
# be given any additional resources.
#DEFAULT        Group == "disabled", Auth-Type := Reject
+
#
#              Reply-Message = "Your account has been disabled."
+
#DEFAULT        Group == "disabled", Auth-Type := Reject
#
+
#              Reply-Message = "Your account has been disabled."
DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject
+
#
Reply-Message = “Your account has been disabled.”
+
DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject
DEFAULT Auth-Type := PAM
+
Reply-Message = “Your account has been disabled.”
+
DEFAULT Auth-Type := PAM
#
+
 
 +
#
 +
</pre>
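Review bot: The two rule lines that now sit inside `<pre>` still use typographic quotes (`“CSP-VMWare.GoogleAuth”`, `“Your account has been disabled.”`), and a reader will copy them verbatim into /etc/freeradius/users. The users file takes ASCII double quotes as string delimiters, so write `DEFAULT Group == "CSP-VMWare.GoogleAuth", Auth-Type := Reject` and `Reply-Message = "Your account has been disabled."`, with the reply line indented as in the commented example. Separately, the unchanged context line `s/^group\ =\ freerad/user\ =\ root/` turns the group setting into a second `user = root`; it looks like it should read `s/^group\ =\ freerad/group\ =\ root/`.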

Revision as of 11:34, 18 August 2016

CentOS 7

https://www.linuxsysadmintutorials.com/setup-sudo-with-google-authenticator-for-2-factor-authentication-on-centos-7.html

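# CentOS 7: build the Google Authenticator PAM module from source and make
# FreeRADIUS authenticate through PAM. The commands below assume a root shell.
yum install -y git autoconf automake make libtool pam-devel
# Supply chain: this builds whatever the default branch holds at clone time.
# Check out a release tag or commit you have reviewed before building.
git clone https://github.com/google/google-authenticator
cd google-authenticator/libpam
./bootstrap.sh
./configure
# make is the system build tool, not a script in this directory.
make
make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
yum install freeradius
# Enable the pam module. ln -s takes TARGET then LINK_NAME, so the link is
# created in mods-enabled and points at the definition in mods-available.
ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
# Run the RADIUS daemon as root (presumably so the PAM module can read each
# user's secret file). This widens the impact of any flaw in the daemon, so
# keep the host dedicated to this role and restrict which clients can reach it.
# NOTE(review): these patterns only match if the file currently names the
# account "freerad"; the CentOS package may use a different name (the PAM
# service file on this page is /etc/pam.d/radiusd). Confirm with the grep.
sed -i 's/user = freerad/user = root/' /etc/raddb/radiusd.conf
sed -i 's/group = freerad/group = root/' /etc/raddb/radiusd.conf
# Show the effective settings so a substitution that silently matched nothing
# is noticed.
grep -E '^[[:space:]]*(user|group)[[:space:]]*=' /etc/raddb/radiusd.conf
nano /etc/raddb/users
# The next three lines are the contents to add to /etc/raddb/users, not shell
# commands. Use plain ASCII double quotes; the reply line must start with
# whitespace so that it belongs to the entry above it.
DEFAULT Group == "GG_S_GOOGLE_AUTH_DISABLED", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
# Uncomment the indented "pam" line in the default virtual server.
sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/raddb/sites-enabled/default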

Comment out all lines in /etc/pam.d/radiusd, then add the following:

# Append the two-step PAM stack for the radiusd service (needs root).
#  1. pam_google_authenticator.so, requisite: a failed verification code ends
#     the stack at once. forward_pass hands the password part of the input on
#     to the next module. Without nullok, a user who has no secret file is
#     denied rather than let through.
#  2. pam_lsass.so, required, use_first_pass: checks the forwarded password
#     instead of prompting again.
printf '%s\n' \
  'auth requisite pam_google_authenticator.so forward_pass' \
  'auth required pam_lsass.so use_first_pass' \
  >> /etc/pam.d/radiusd

Ubuntu 16.04 LTS

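# Ubuntu 16.04 LTS: fetch the PBIS Open installer, build the Google
# Authenticator PAM module and point FreeRADIUS at PAM.
# The installer is fetched over plain HTTP, so nothing protects it in transit.
# Compare it against a checksum or signature obtained from a trusted channel
# before running it. This page downloads it but shows no step that runs it.
sudo wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh
# Supply chain: this builds whatever the default branch holds at clone time.
# Check out a release tag or commit you have reviewed before building.
git clone https://github.com/google/google-authenticator
cd google-authenticator/libpam/
sudo apt install dh-autoreconf
# Only the install step writes outside the clone. Running the bootstrap and
# build scripts of a fresh checkout as root gives them more privilege than
# they need, so they run as the invoking user here.
./bootstrap.sh
./configure
make
sudo make install
sudo apt install freeradius
# Run the RADIUS daemon as root (presumably so the PAM module can read each
# user's secret file). This widens the impact of any flaw in the daemon, so
# keep the host dedicated to this role and restrict which clients can reach it.
sudo sed -i 's/^user\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
# The replacement must keep the "group" key; writing "user" here would leave
# two user lines and no group line.
sudo sed -i 's/^group\ =\ freerad/group\ =\ root/' /etc/freeradius/radiusd.conf
sudo nano /etc/freeradius/users
# Everything below is the contents to put in /etc/freeradius/users, not shell
# commands. Use plain ASCII double quotes; the reply line must start with
# whitespace so that it belongs to the entry above it.
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT        Group == "disabled", Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."
#
# NOTE(review): as written this rejects members of CSP-VMWare.GoogleAuth. If
# that group is meant to list the users who are allowed in, the comparison
# should be != instead. Confirm the intent before deploying.
DEFAULT Group == "CSP-VMWare.GoogleAuth", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

#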