ID #1198

Can I use Google Authenticator to connect to my cluster?

Yes, Google Authenticator can be used to connect to the cluster via SSH and cmgui. Google Authenticator will not work with the user portal.

Getting the RPMs:

For RHEL:

Either Fedora's EPEL repository should be enabled, or the RPMs from EPEL should be downloaded manually. The EPEL repository can be enabled as follows:

# wget http://mirror.symnds.com/distributions/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
# yum localinstall epel-release-6-8.noarch.rpm

For SLES:

The pre-packaged PAM module can be downloaded from:

https://build.opensuse.org/package/binaries/security/pam-google-authenticator?repository=SLE_11_SP3

Installing the PAM module:

# yum install google-authenticator

or (one line; the URL must be quoted because it contains & characters, which the shell would otherwise treat as command separators):

# zypper in "https://build.opensuse.org/package/binary/security/pam-google-authenticator?arch=x86_64&filename=pam-google-authenticator-1.0-1.1.x86_64.rpm&repository=SLE_11_SP3"

Configuring the SSH server:

In /etc/ssh/sshd_config ensure the settings match the following:

PasswordAuthentication yes 
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

UsePAM yes

Configure PAM:

In the PAM file /etc/pam.d/system-auth, the pam_google_authenticator.so line shown below needs to be added at the top of the auth section, before pam_unix.so:

auth required pam_env.so
auth required pam_google_authenticator.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

...
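As an added check, not part of the original KB entry: the script below parses an sshd_config and the auth lines of a PAM file and reports the mistakes that most often leave the second factor silently disabled: ChallengeResponseAuthentication still at no (sshd keeps the first occurrence of a keyword, so a stray earlier line wins), the Google Authenticator line missing, or placed after a sufficient module such as pam_unix.so (a sufficient module that succeeds ends the stack, so a password alone would log the user in). It also notes nullok on the authenticator line, which makes enrolment optional. The sample configs are constructed for the example and the function names are mine.

```python
"""Added example (not from the KB entry): sanity-check sshd_config and the
PAM auth stack before restarting sshd. Configs are passed as text."""

REQUIRED_SSHD = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "UsePAM": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value}; sshd honours the FIRST occurrence of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip().lower())
    return settings


def parse_pam_auth(text):
    """Return [(control, module, args)] for the 'auth' lines, in stack order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() != "auth":
            continue
        stack.append((fields[1].lower(), fields[2], fields[3:]))
    return stack


def check_config(sshd_text, pam_text):
    """Return a list of findings; an empty list means the config matches the KB entry."""
    findings = []
    sshd = parse_sshd_config(sshd_text)
    for key, want in REQUIRED_SSHD.items():
        got = sshd.get(key.lower())
        if got != want:
            findings.append(f"sshd_config: {key} is {got!r}, expected {want!r}")

    stack = parse_pam_auth(pam_text)
    modules = [module for _, module, _ in stack]
    if "pam_google_authenticator.so" not in modules:
        findings.append("pam: pam_google_authenticator.so missing from the auth stack")
        return findings
    ga_idx = modules.index("pam_google_authenticator.so")
    control, _, args = stack[ga_idx]
    if control not in ("required", "requisite"):
        findings.append(f"pam: pam_google_authenticator.so control is {control!r}, expected 'required'")
    # A 'sufficient' module that succeeds ends the stack, so anything
    # 'sufficient' before the authenticator lets a password alone log in.
    for ctl, module, _ in stack[:ga_idx]:
        if ctl == "sufficient":
            findings.append(f"pam: {module} is 'sufficient' before pam_google_authenticator.so; "
                            "a valid password would bypass the verification code")
    if "nullok" in args:
        findings.append("pam: note: nullok set, users without ~/.google_authenticator log in with password only")
    return findings


# Constructed sample configs: one matching the KB entry, one with both mistakes.
GOOD_SSHD = """
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
"""
GOOD_PAM = """
auth required pam_env.so
auth required pam_google_authenticator.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
BAD_SSHD = """
ChallengeResponseAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""
BAD_PAM = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_google_authenticator.so
auth required pam_deny.so
"""

if __name__ == "__main__":
    print("good:", check_config(GOOD_SSHD, GOOD_PAM))
    print("bad:", check_config(BAD_SSHD, BAD_PAM))
```

On a real node the two texts would come from open("/etc/ssh/sshd_config").read() and open("/etc/pam.d/system-auth").read(); the checker only inspects the auth type, so account and session lines are ignored.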

Configure the authenticator for a given account:

[root@test ~]# google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@kerndev%3Fsecret%3DE6DCBKDAYAIKOYXB
Your new secret key is: E6DCBKDAYAIKOYXB
Your verification code is 070897
Your emergency scratch codes are:
67033152
45278292
79225657
85389256
51451688

Do you want me to update your "~/.google_authenticator" file (y/n) y


Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
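To make the prompts above concrete, here is an added example, mine and not part of the KB entry or of the pam_google_authenticator module, of what the module is doing when it checks a code: the secret is the base32 string from the otpauth URL, the code is HMAC-SHA1 over the 30-second counter (RFC 6238), the default window accepts one counter before and after the current one, a used counter is recorded so the same code cannot log in twice, and a sliding-window rate limit refuses more than 3 attempts in 30 seconds. The class, its return strings and the rate-limit shape are my simplifications of the module's behaviour; the scratch code and label are taken from the output above, and the test key is the RFC 6238 test vector.

```python
"""Added example (not from the KB entry): a minimal model of what
pam_google_authenticator.so does with the settings chosen in the prompts
above. Class name, return strings and rate-limit shape are my own
simplifications, not the module's real interface."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlsplit


def parse_otpauth(uri):
    """Return (label, base32 secret) from an otpauth://totp/... URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    secret = parse_qs(parts.query)["secret"][0]
    return parts.path.lstrip("/"), secret


class TotpVerifier:
    def __init__(self, secret_b32, scratch_codes=(), window=1, step=30,
                 digits=6, disallow_reuse=True, rate_limit=(3, 30)):
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
        self.key = base64.b32decode(padded)
        self.scratch = set(scratch_codes)      # one-time emergency codes
        self.window = window                   # extra counters accepted each side
        self.step = step                       # seconds per counter value
        self.digits = digits
        self.disallow_reuse = disallow_reuse
        self.rate_max, self.rate_secs = rate_limit
        self.last_counter = -1                 # highest counter already used
        self.attempts = []                     # timestamps of recent attempts

    def code_for(self, counter):
        """RFC 6238 TOTP: HOTP over the 8-byte big-endian counter with SHA-1."""
        digest = hmac.new(self.key, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{value % 10 ** self.digits:0{self.digits}d}"

    def verify(self, code, now):
        """Return 'ok', 'ok-scratch', 'reused', 'rate-limited' or 'bad'."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_secs]
        if len(self.attempts) >= self.rate_max:
            return "rate-limited"              # 3 attempts per 30 s exhausted
        self.attempts.append(now)
        if code in self.scratch:
            self.scratch.discard(code)         # scratch codes are single-use
            return "ok-scratch"
        counter = now // self.step
        for c in range(max(0, counter - self.window), counter + self.window + 1):
            if hmac.compare_digest(self.code_for(c).encode(), str(code).encode()):
                if self.disallow_reuse and c <= self.last_counter:
                    return "reused"            # same (or older) token seen again
                self.last_counter = c
                return "ok"
        return "bad"


if __name__ == "__main__":
    # Constructed URI using the label and secret from the output above.
    label, secret = parse_otpauth("otpauth://totp/root@kerndev?secret=E6DCBKDAYAIKOYXB")
    v = TotpVerifier(secret, scratch_codes=["67033152"])
    now = int(time.time())
    current = v.code_for(now // 30)
    print(label, "current code:", current)
    print(v.verify(current, now), v.verify(current, now))   # second use is rejected
```

Increasing the window, as the second prompt offers, is a change of the window argument; every extra counter accepted on each side is another code an attacker may guess, which is why the module ties the larger window to a rate limit.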

Following the link in the text above displays a QR code image in the web browser.

This image can be scanned with a smartphone or tablet camera with the Google Authenticator app.
The next time the system is logged into, a Google Authenticator verification code will be required:

root@darkstar:~# ssh root@kerndev
Verification code:

Password:

Last login: Tue May 27 12:28:54 2014 from somehost.brightcomputing.com

Welcome to Bright Cluster Manager 7.0


When connecting to CMGUI an extra dialog window will pop up prompting for the Google Authenticator verification code.

SELinux:

If using SELinux, the following line in the PAM configuration file should be used (one line):

auth   required        pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator

Here:
nullok                   tells PAM to accept null if the user does not have the Google Authenticator configured. In other words, users without dual-factor configured can still log in.
secret= ...              gives PAM access to the needed key file, even with SELinux installed.

After that, the file .google_authenticator must be moved to the .ssh folder of the user. The folder may need to be created. It is best to do this as the user:

$ mv /home/<username>/.google_authenticator /home/<username>/.ssh/.google_authenticator

The administrator should then restart the daemons:

# service sshd restart
# service cmd restart

Additional tip:

Encrypting the storage of the Android device is recommended, because the secret key of Google Authenticator is kept on the device. Encryption of Android storage comes with standard Android.
