Fri, 18 Nov 2011
Google Authenticator
For some time, I have been considering adding two-factor authentication to my systems in order to prevent break-ins in case somebody's workstation is compromised (which is a common attack vector these days). One of the systems for one-time passwords is Google Authenticator.
G-A has an application for many smart-phone platforms (Android, iOS, Blackberry), and has a PAM module, which is even packaged in Fedora. It stores users' secrets in a file in the home directory, and uses 6-digit time-based passwords and 8-digit emergency scratch passwords. The configuration in Fedora is pretty straightforward:
yum -y install google-authenticator- In
/etc/pam.d/system-authandpassword-auth, changepam_unix.sofromsufficienttorequired, and after that line, add the line which reads "auth sufficient pam_google_authenticator.so". - Install the G-A application to your smartphone.
- Generate a new key using the
google-authenticatorcommand. - Add the key to your smartphone, either directly or using a QR code.
- Profit!
There are several problems with SSH-daemon, though:
- With SElinux enabled, it does not work.
- When public key authentication is allowed in
sshd_config, it also does not work (use "PubkeyAuthentication no" in/etc/ssh/sshd_configand restartsshdif you want to test it).
Especially the second problem is pretty serious, as I wanted to allow also public key + one-time password authentication there.
So, my dear lazyweb, what kind of two-factor authentication do you use?
2 replies for this story:
Adelton wrote:
Dan has just released post to his blog at http://danwalsh.livejournal.com/48161.html -- I did not dig deep whether it solves or just reiterates the SELinux problem thou.
Yenya wrote: Re: Adelton
Yep. The SELinux team has definitely the best response time (and attitude!) in Fedora bugzilla. There is further discussion ongoing in this BZ entry. For all interested parties, I suggest to continue discussion in that BZ.