This article is being updated. Please be aware the content herein, not limited to version numbers and slight syntax changes, may not match the output from the most recent versions of Bright. This notation will be removed when the content has been updated. This article, in particular, needs to be updated as it contains references to cmgui, which is not functional in versions of Bright Cluster Manager newer than v7.3.
Yes, Google Authenticator can be used to connect to the cluster via SSH and cmgui. Google Authenticator will not work with the user portal.
Getting the RPMs:
For RHEL:
Either Fedora’s EPEL repository should be enabled, or the RPMs from EPEL should be downloaded manually. The EPEL repository can be enabled as follows:
# sudo yum install epel-release
Or, for various versions of RHEL/CentOS, you can install the EPEL rpm:
- RHEL/CentOS 6:
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
- RHEL/CentOS 7:
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
- On RHEL 7 it is recommended to also enable the optional, extras, and HA repositories since EPEL packages may depend on packages from these repositories:
# subscription-manager repos --enable "rhel-*-optional-rpms" --enable "rhel-*-extras-rpms" --enable "rhel-ha-for-rhel-*-server-rpms"
- RHEL/CentOS 8:
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
- On RHEL 8 it is required to also enable the codeready-builder-for-rhel-8-*-rpms repository since EPEL packages may depend on packages from it:
# ARCH=$( /bin/arch )
# subscription-manager repos --enable "codeready-builder-for-rhel-8-${ARCH}-rpms"
- On CentOS 8 it is recommended to also enable the PowerTools repository since EPEL packages may depend on packages from it:
# dnf config-manager --set-enabled PowerTools
For SLES:
The pre-packages PAM module can be downloaded from :
https://software.opensuse.org/package/google-authenticator-libpam
Installing the PAM module:
# yum install google-authenticator
or (one line):
# zypper in https://build.opensuse.org/package/binary/security/pam-google-authenticator?arch=x86_64&filename=pam-google-authenticator-1.0-1.1.x86_64.rpm&repository=SLE_11_SP3Configuring the SSH server:
In /etc/ssh/sshd_config ensure the settings match the following:
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
Configure PAM:
In the PAM file /etc/pam.d/system-auth, a new line will need to be added at the top: auth required pam_env.so
auth required pam_google_authenticator.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
…
Configure the authenticator for a given account:
[root@test ~]# google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://tot/root@kerndev%3Fsecret%3DE6DCBKDAYAIKOYXB
Your new secret key is: E6DCBKDAYAIKOYXB
Your verification code is 070897
Your emergency scratch codes are:
67033152
45278292
79225657
85389256
51451688
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) yFollowing the link in the text above displays a QR code image in the web browser.
This image can be scanned with a smartphone or tablet camera with the Google Authenticator app.
The next time the system is logged into, a Google Authenticator verification code will be required:
root@darkstar:~# ssh root@kerndev
Verification code:
Password:
Last login: Tue May 27 12:28:54 2014 from somehost.brightcomputing.com
Welcome to Bright Cluster Manager 7.0When connecting to CMGUI an extra dialog window will pop-up prompting for the Google Authenticator verification code:
SELINUX:
If using SELINUX, the following line in the PAM configuration file should be used (one line):
auth required pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticatorHere:nullok tells PAM to accept null if the user does not have the Google Authenticator configured. In other words, users without dual-factor configured can still log in.
secret= … gives PAM access to the needed key file, even with SELinux installed.
After that, the file .google_authenticator must be moved to the .ssh folder of the user. The folder may need to be created. It is best to do this as the user.
$ mv /home/<username>/.google_authenticator /home/<username>/.ssh/.google_authenticatorThe administrator should then start the daemons:# service sshd restart# service cmd restart
Additional tip:
Encrypting the storage of the Android device is recommended, because the secret key of google authenticator is kept on the device. Encryption of android storage comes with standard Android.