Difference between revisions of "Google Authenticator"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
Line 6: | Line 6: | ||
http://wiki.freeradius.org/guide/Basic-configuration-HOWTO<br> | http://wiki.freeradius.org/guide/Basic-configuration-HOWTO<br> | ||
<br> | <br> | ||
− | *<b> | + | *<b>UPDATE 1 :</b> Ran into an issue following VMWare's outdated instructions. Will have to go back and find out what has changed. |
− | + | *<b>UPDATE 2 :</b> I believe I have found the problem, and it would be the use of the pam_lsass.so module. It was starring me straight in the face and I missed it. I have not given up on this but I did quickly realize that I would be the only one in the company that would know how any of this works. <s>Not worth it.</s> | |
+ | *<b>UPDATE 3 :</b> This is still a live project and will be completed in the next week or two. Have to deal with other projects first. | ||
+ | *<b>UPDATE 4:</b> When I did decided to go back and make the required changes I found a site<ref>https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator</ref> that outlines everything I had debugged. It also showed I was right about the PAM modules. At least I know I learned something correctly. Next step is to go back over the steps and create an installation script. | ||
==CentOS 7== | ==CentOS 7== |
Revision as of 17:35, 22 September 2016
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04
http://freeradius.1045715.n5.nabble.com/Defining-an-Auth-Type-based-on-a-realm-td3208012.html
http://stackoverflow.com/questions/19021487/freeradius-google-dual-factor-authenticator-pam
http://lists.freeradius.org/pipermail/freeradius-users/2010-May/046799.html
http://www.supertechguy.com/help/security/freeradius-google-auth
http://wiki.freeradius.org/guide/Basic-configuration-HOWTO
- UPDATE 1 : Ran into an issue following VMWare's outdated instructions. Will have to go back and find out what has changed.
- UPDATE 2 : I believe I have found the problem, and it would be the use of the pam_lsass.so module. It was starring me straight in the face and I missed it. I have not given up on this but I did quickly realize that I would be the only one in the company that would know how any of this works.
Not worth it. - UPDATE 3 : This is still a live project and will be completed in the next week or two. Have to deal with other projects first.
- UPDATE 4: When I did decided to go back and make the required changes I found a site[1] that outlines everything I had debugged. It also showed I was right about the PAM modules. At least I know I learned something correctly. Next step is to go back over the steps and create an installation script.
CentOS 7
yum install -y git autoconf automake make libtool pam-devel
nano /etc/yum.repos.d/pbis.repo
[PBISO] name=PBISO baseurl=http://repo.pbis.beyondtrust.com/yum/pbiso/$basearch enabled=1 gpgcheck=0
yum -y install pbis-opengit clone https://github.com/google/google-authenticator cd google-authenticator/libpam ./bootstrap.sh ./configure ./make ./make install ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so yum install freeradius ln -s /etc/raddb/mods-enabled/pam /etc/raddb/mods-available/pam sed -i 's/user = freerad/user = root/' /etc/raddb/radiusd.conf sed -i 's/group = freerad/group - root/' /etc/raddb/radiusd.conf nano /etc/raddb/users
DEFAULT Group == “GG_S_GOOGLE_AUTH_DISABLED”, Auth-Type := Reject Reply-Message = “Your account has been disabled.” DEFAULT Auth-Type := PAM
sed -i "s/^#\\tpam/\\tpam/" /etc/raddb/sites-enabled/default
Comment out all lines in /etc/pam.d/radiusd then add the following
echo "auth requisite pam_google_authenticator.so forward_pass" >> /etc/pam.d/radiusd echo "auth required pam_sss.so use_first_pass" >> /etc/pam.d/radiusd
Ubuntu 16.04 LTS
sudo wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh git clone https://github.com/google/google-authenticator cd google-authenticator/libpam/ sudo apt install dh-autoreconf sudo ./bootstrap.sh ./configure sudo make sudo make install sudo apt install freeradius sudo sed -i 's/^user\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf sudo nano /etc/freeradius/users
# # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject Reply-Message = “Your account has been disabled.” DEFAULT Auth-Type := PAM #
sudo sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/freeradius/sites-enabled/default sudo nano /etc/pam.d/radiusd
# # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS # # We fall back to the system default in /etc/pam.d/common-* # #@include common-auth #@include common-account #@include common-password #@include common-session auth requisite pam_google_authenticator.so forward_pass auth required pam_lsass.so use_first_pass
sudo systemctl start freeradius sudo nano /etc/freeradius/clients.conf
- Modify the following to match your environment
#client some.host.org { # secret = testing123 # shortname = localhost #}
ie
client vcs-vdi-my.domain.com { secret = Imadeasecret! shortname = vcs }
sudo nano /etc/freeradius/proxy.conf
realm your.domain.com { }
sudo systemctl restart freeradius
- ↑ https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator
- ↑ https://www.linuxsysadmintutorials.com/setup-sudo-with-google-authenticator-for-2-factor-authentication-on-centos-7.html
- ↑ https://community.spiceworks.com/how_to/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open