Fri, 18 Nov 2011
Google Authenticator
For some time, I have been considering adding two-factor authentication to my systems in order to prevent break-ins in case somebody's workstation is compromised (which is a common attack vector these days). One of the systems for one-time passwords is Google Authenticator.
G-A has an application for many smart-phone platforms (Android, iOS, Blackberry), and has a PAM module, which is even packaged in Fedora. It stores users' secrets in a file in the home directory, and uses 6-digit time-based passwords and 8-digit emergency scratch passwords. The configuration in Fedora is pretty straightforward:
yum -y install google-authenticator
- In
/etc/pam.d/system-auth
andpassword-auth
, changepam_unix.so
fromsufficient
torequired
, and after that line, add the line which reads "auth sufficient pam_google_authenticator.so
". - Install the G-A application to your smartphone.
- Generate a new key using the
google-authenticator
command. - Add the key to your smartphone, either directly or using a QR code.
- Profit!
There are several problems with SSH-daemon, though:
- With SElinux enabled, it does not work.
- When public key authentication is allowed in
sshd_config
, it also does not work (use "PubkeyAuthentication no
" in/etc/ssh/sshd_config
and restartsshd
if you want to test it).
Especially the second problem is pretty serious, as I wanted to allow also public key + one-time password authentication there.
So, my dear lazyweb, what kind of two-factor authentication do you use?
2 replies for this story:
Adelton wrote:
Dan has just released post to his blog at http://danwalsh.livejournal.com/48161.html -- I did not dig deep whether it solves or just reiterates the SELinux problem thou.
Yenya wrote: Re: Adelton
Yep. The SELinux team has definitely the best response time (and attitude!) in Fedora bugzilla. There is further discussion ongoing in this BZ entry. For all interested parties, I suggest to continue discussion in that BZ.