Difference between revisions of "Google Authenticator"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
Line 71: | Line 71: | ||
</pre> | </pre> | ||
sudo systemctl start freeradius | sudo systemctl start freeradius | ||
+ | sudo nano /etc/freeradius/clients.conf | ||
+ | *Modify the following to match your environment | ||
+ | <pre> | ||
+ | #client some.host.org { | ||
+ | # secret = testing123 | ||
+ | # shortname = localhost | ||
+ | #} | ||
+ | </pre> | ||
+ | ie | ||
+ | <pre> | ||
+ | client vcs-vdi-my.domain.com { | ||
+ | secret = Imadeasecret! | ||
+ | shortname = vcs | ||
+ | } | ||
+ | </pre> |
Revision as of 11:47, 18 August 2016
CentOS 7
yum install -y git autoconf automake make libtool pam-devel git clone https://github.com/google/google-authenticator cd google-authenticator/libpam ./bootstrap.sh ./configure ./make ./make install ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so yum install freeradius ln -s /etc/raddb/mods-enabled/pam /etc/raddb/mods-available/pam sed -i 's/user = freerad/user = root/' /etc/raddb/radiusd.conf sed -i 's/group = freerad/group - root/' /etc/raddb/radiusd.conf nano /etc/raddb/users
DEFAULT Group == “GG_S_GOOGLE_AUTH_DISABLED”, Auth-Type := Reject Reply-Message = “Your account has been disabled.” DEFAULT Auth-Type := PAM
sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/raddb/sites-enabled/default
Comment out all lines in /etc/pam.d/radiusd then add the following
echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/radiusd echo auth required pam_lsass.so use_first_pass >> /etc/pam.d/radiusd
Ubuntu 16.04 LTS
sudo wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh git clone https://github.com/google/google-authenticator cd google-authenticator/libpam/ sudo apt install dh-autoreconf sudo ./bootstrap.sh ./configure sudo make sudo make install sudo apt install freeradius sudo sed -i 's/^user\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf sudo nano /etc/freeradius/users
# # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject Reply-Message = “Your account has been disabled.” DEFAULT Auth-Type := PAM #
sudo sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/freeradius/sites-enabled/default sudo nano /etc/pam.d/radiusd
# # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS # # We fall back to the system default in /etc/pam.d/common-* # #@include common-auth #@include common-account #@include common-password #@include common-session auth requisite pam_google_authenticator.so forward_pass auth required pam_lsass.so use_first_pass
sudo systemctl start freeradius sudo nano /etc/freeradius/clients.conf
- Modify the following to match your environment
#client some.host.org { # secret = testing123 # shortname = localhost #}
ie
client vcs-vdi-my.domain.com { secret = Imadeasecret! shortname = vcs }