I started reading over
http://blog.adslweb.net/serendipity/article/286/CentOS-5-enabling-Two-factor-SSH-authentication-via-Google
Enabling the EPEL repo seems to want to break samba-api
A requirement is to install mercurial then edit the make file but I can not figure out where it is
Anyone tried building mercurial from source and using Google authenticator?
See this post to get it working
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,35178/limit,10/limitstart,10/#35543
Accepted Answer
You might have a look at this wordpress plugin here which lets you use google auth with a wordpress blog. -
Accepted Answer
-
Accepted Answer
What is Google Authenticator
http://code.google.com/p/google-authenticator/
Overview
The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm currently in draft.
Ever seen those nifty RSA tokens? Well, the following will give you that same functionality in addition to having your ssh password.
A couple of warnings. Open two ssh sessions; the reasoning is that if you get this wrong you will lock yourself out of your own system remotely. Use the second session to remove or make changes to sshd and pam.
Next, for those of you running ClearOS in a VM, you need to account for time shift.
This install is meant for a clearos 5.2 clean install
You will need bob's ClearOS-CentOS-Base.5.7.repo
cd /etc/yum.repos.d
wget https://www.whataboutbob.org/downloads/clearos/ClearOS-CentOS-Base.5.7.repo
cd ~/
mkdir downloads
cd downloads/
wget http://www.whataboutbob.org/downloads/clearos/ClearOS_to_CentOS_v0.4.sh
chmod a+x ClearOS_to_CentOS_v0.4.sh
./ClearOS_to_CentOS_v0.4.sh
then run
yum update
When I installed a couple of components it complained about python, so update python; I went with python26.
touch /etc/yum.repos.d/geekymedia.repo
nano /etc/yum.repos.d/geekymedia.repo
Add
[geekymedia-current]
name=Geekymedia CentOS EL5 Repository - Current
baseurl=http://mirrors.geekymedia.com/centos/
enabled=1
gpgcheck=0
Save the file
then
yum update
yum install python26
Once updated, install some dependencies. I have added a couple just in case I needed them.
yum install gcc gcc-c++ pam-devel subversion
Now we need to download and install mercurial
wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-1.9.2-1.el5.rf.i386.rpm
wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-hgk-1.9.2-1.el5.rf.i386.rpm
wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-ssh-1.9.2-1.el5.rf.i386.rpm
rpm -Uvh mercurial*
Make a directory for the authenticator
mkdir ./google-authenticator
cd google-authenticator/
Download the SVN for google authenticator
hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
cd google-authenticator/
Run make and make install
make && make install
Now we need to configure Pam auth
nano /etc/pam.d/sshd
change
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
to
#%PAM-1.0
auth required pam_google_authenticator.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Now we need to edit the ssh daemon configuration file
nano /etc/ssh/sshd_config
uncomment
ChallengeResponseAuthentication yes
comment
#ChallengeResponseAuthentication no
Ensure that
UsePAM yes
STOP: make sure that second SSH session is working, because you can then edit /etc/ssh/sshd_config & /etc/pam.d/sshd if something goes wrong. Otherwise you are going to need to make these changes on the local console.
Restart the SSH daemon
service sshd restart
Then run the google authenticator
google-authenticator
example
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
67868696
26247332
54815527
54336661
Answer each of the questions to best suit your needs.
So you need to now download the authenticator apps via either the apple app store or android marketplace
Start the app
In your phone select time based
For account use ssh enabled user i.e. root
Account: root@clearosipgoeshere
Key: SAEP64T5VZAVWAFB
It should then accept the secret key and will generate a new one every 30 seconds
Once fail2ban gets added to ClearOS as an app, combined with this it's going to be pretty hard to get into a ClearOS system
Have fun -
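Added example, not part of the original post: the time-shift warning above matters because a TOTP code is HOTP (RFC 4226) computed over the current 30-second step, so a server whose clock has drifted computes a different code than the phone. The sketch uses the published RFC 6238 test secret instead of a real one; `verify` and its one-step window are assumptions for illustration, not the PAM module's code.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the published RFC 6238 SHA-1 test secret, base32-encoded
# the way google-authenticator prints "Your new secret key is: ...".
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = number of whole steps since the epoch."""
    return hotp(base64.b32decode(secret_b32.upper()), unix_time // step, digits)

def verify(secret_b32, candidate, server_time, window=1, step=30):
    """Return the step offset that matched (0 = clocks agree), else None.

    Hypothetical helper: accepts codes up to `window` steps either side of
    the server's clock, which is how a verifier tolerates small drift.
    """
    key = base64.b32decode(secret_b32.upper())
    counter = server_time // step
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = hotp(key, counter + drift, len(candidate))
        if hmac.compare_digest(expected, candidate):
            return drift
    return None

if __name__ == "__main__":
    phone_code = totp(RFC_SECRET_B32, 59)           # phone clock: t = 59 s
    print("code on phone:", phone_code)
    print("server 30 s fast :", verify(RFC_SECRET_B32, phone_code, 89))
    print("server 120 s fast:", verify(RFC_SECRET_B32, phone_code, 179))
```

A server running 30 seconds fast still matches at offset -1, while one running two minutes fast rejects a correct code, so keep the VM's clock synchronised before enabling the module.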
Accepted Answer
Oh yeah, the repo file....
I moved some stuff around on the server to get it a bit more organised.
Look here. -
Accepted Answer
Ok, you've been busy.
You can use that repo file on a previously patched ClearOS 5.2 box, but be careful that you don't upgrade anything to do with LDAP, OpenVPN, or much of the specialised ClearOS packages.
What I have used it for is to install packages that aren't available in the traditional ClearOS repos.
I'm going to be away from my systems this weekend, but I'll follow up on this thread once I get back.
Thanks for your input.
B -
Accepted Answer
-
Accepted Answer
So in the original OP it mentions
Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)
there is no need to do this
just run make && make install
then edit
nano /etc/pam.d/sshd
#%PAM-1.0
auth required pam_google_authenticator.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Then edit
nano /etc/ssh/sshd_config
Change
ChallengeResponseAuthentication yes
UsePAM yes
Restart SSH
service sshd restart
Then run the authenticator
google-authenticator -
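Added example, not part of the original post: a small checker for the two file edits described in this thread, run on constructed file contents rather than a real host. It relies on sshd using the first uncommented occurrence of a keyword, which is why a stray active `ChallengeResponseAuthentication no` line can cancel the change; the function names are made up for this sketch.

```python
# Constructed sample inputs (not taken from a real host).
SSHD_BAD = """\
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""
SSHD_GOOD = """\
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""
PAM_STOCK = "#%PAM-1.0\nauth include system-auth\naccount required pam_nologin.so\n"
PAM_2FA = "#%PAM-1.0\nauth required pam_google_authenticator.so\n" \
          "auth include system-auth\naccount required pam_nologin.so\n"

def sshd_effective(text):
    """keyword -> value, keeping the first uncommented occurrence as sshd does."""
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen

def pam_auth_stack(text):
    """(control, module) for every active 'auth' line, in file order."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == "auth"]

def audit(sshd_text, pam_text):
    """Return a list of findings; an empty list means both edits are in place."""
    findings = []
    cfg = sshd_effective(sshd_text)
    for key in ("challengeresponseauthentication", "usepam"):
        if cfg.get(key) != "yes":
            findings.append(f"sshd_config: {key} = {cfg.get(key)!r}, want 'yes'")
    stack = pam_auth_stack(pam_text)
    if ("required", "pam_google_authenticator.so") not in stack:
        findings.append("pam.d/sshd: pam_google_authenticator.so is not 'auth required'")
    if ("include", "system-auth") not in stack:
        findings.append("pam.d/sshd: password stack (system-auth) is missing")
    return findings

if __name__ == "__main__":
    for finding in audit(SSHD_BAD, PAM_STOCK):
        print("FAIL", finding)
    print("fixed config findings:", audit(SSHD_GOOD, PAM_2FA))
```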
Accepted Answer
Hey bob, give this a whack
I read that mercurial below version 1.8.3 has issues with sub directories. I grabbed these rpm's
wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-1.9.2-1.el5.rf.i386.rpm
wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-hgk-1.9.2-1.el5.rf.i386.rpm
wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-ssh-1.9.2-1.el5.rf.i386.rpm
rpm -Uvh mercurial*
then reading http://code.google.com/p/google-authenticator/issues/detail?id=85 looks like you also need subversion
yum install subversion
Then try re-running hg from whichever directory
hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
If complains about "warning: certificate for google-authenticator.googlecode.com can't be verified (Python too old)"
But I have python26 installed from the geekymedia repo???
But I got this far...not sure what to edit change or compile ...over to you bob -
Accepted Answer
I also noticed that
http://www.whataboutbob.org/downloads/clearos/ClearOS-CentOS-Base.repo
points to a directory http://mirror.centos.org/centos/5.6/ that doesn't have anything in it other than a readme -
Accepted Answer
-
Accepted Answer
I ended up removing the samba api then installing mercurial (via EPEL) that way which was successful but holy hell getting it running broke stuff everywhere. AV dansguardian then I was less than keen. That and I don't normally use EPEL
I'm in the middle of sorting out a problem with Oracle (IN)Coherence for openfire clustering which I can see is going to turn into a firestorm cluster F@$% -
Accepted Answer
Even going here: http://code.google.com/p/google-authenticator/source/checkout and following the directions, it seems that stuff is broken.
[root@nas google-authenticator]# hg clone https://code.google.com/p/google-authenticator/
destination directory: google-authenticator
requesting all changes
adding changesets
adding manifests
adding file changes
added 84 changesets with 442 changes to 315 files
updating working directory
pulling subrepo mobile/ios/externals/zxing
abort: repository [svn]https://zxing.googlecode.com/svn/trunk/ not found!
I don't have any experience using mercurial, so I may not be doing something right... -
Accepted Answer
Here's what I got when trying this (http://www.techrepublic.com/blog/opensource/two-factor-ssh-authentication-via-google-secures-linux-logins/2607):
[root@nas yum.repos.d]# yum install pam-devel
Loaded plugins: fastestmirror, filter-data, kmod, list-data, protect-packages, upgrade-helper
Loading mirror speeds from cached hostfile
* base-console: download4.clearfoundation.com
* base-kernels: download4.clearfoundation.com
* base-os: download4.clearfoundation.com
* base-supplements: download4.clearfoundation.com
* base-updates: download4.clearfoundation.com
* clearcentos-os: download4.clearfoundation.com
* clearcentos-updates: download4.clearfoundation.com
* epel: serverbeach1.fedoraproject.org
addons | 951 B 00:00
base | 1.1 kB 00:00
base-console | 951 B 00:00
base-kernels | 951 B 00:00
base-os | 1.1 kB 00:00
base-supplements | 951 B 00:00
base-updates | 951 B 00:00
clearcentos-os | 951 B 00:00
clearcentos-updates | 951 B 00:00
epel | 3.7 kB 00:00
extras | 2.1 kB 00:00
updates | 1.9 kB 00:00
Skipping filters plugin, no data
Setting up Install Process
Resolving Dependencies
Skipping filters plugin, no data
--> Running transaction check
---> Package pam-devel.i386 0:0.99.6.2-6.el5_5.2 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================================
Installing:
pam-devel i386 0.99.6.2-6.el5_5.2 base 187 k
Transaction Summary
=========================================================================================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 187 k
Is this ok [y/N]: y
Downloading Packages:
pam-devel-0.99.6.2-6.el5_5.2.i386.rpm | 187 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : pam-devel 1/1
Installed:
pam-devel.i386 0:0.99.6.2-6.el5_5.2
Complete!
[root@nas yum.repos.d]# ls -la
total 48
drwxr-xr-x 2 root root 4096 Nov 28 20:15 .
drwxr-xr-x 150 root root 12288 Dec 6 04:30 ..
-rw-r--r-- 1 root root 3672 Jul 20 2010 base.repo
-rw-r--r-- 1 root root 1506 Sep 21 20:09 ClearOS-CentOS-Base.5.7.repo
-rw-r--r-- 1 root root 954 Aug 11 2010 epel.repo
-rw-r--r-- 1 root root 1054 Aug 11 2010 epel-testing.repo
-rw-r--r-- 1 root root 1105 Mar 8 2011 timb.repo
Note, the "ClearOS-CentOS-Base.5.7.repo" file is available here.
Next:
[root@nas Downloads]# mkdir ./google-authenticator
[root@nas Downloads]# cd google-authenticator/
[root@nas google-authenticator]# hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
bash: hg: command not found
[root@nas google-authenticator]# yum whatprovides hg
Loaded plugins: fastestmirror, filter-data, kmod, list-data, protect-packages, upgrade-helper
Loading mirror speeds from cached hostfile
* base-console: download4.clearfoundation.com
* base-kernels: download4.clearfoundation.com
* base-os: download4.clearfoundation.com
* base-supplements: download4.clearfoundation.com
* base-updates: download4.clearfoundation.com
* clearcentos-os: download4.clearfoundation.com
* clearcentos-updates: download4.clearfoundation.com
* epel: serverbeach1.fedoraproject.org
mercurial-1.3.1-3.el5.i386 : A fast, lightweight distributed source control management system
Repo : epel
Matched from:
Other : hg
[root@nas google-authenticator]# yum install mercurial
Loaded plugins: fastestmirror, filter-data, kmod, list-data, protect-packages, upgrade-helper
Loading mirror speeds from cached hostfile
* base-console: download4.clearfoundation.com
* base-kernels: download4.clearfoundation.com
* base-os: download4.clearfoundation.com
* base-supplements: download4.clearfoundation.com
* base-updates: download4.clearfoundation.com
* clearcentos-os: download4.clearfoundation.com
* clearcentos-updates: download4.clearfoundation.com
* epel: serverbeach1.fedoraproject.org
Skipping filters plugin, no data
Setting up Install Process
Resolving Dependencies
Skipping filters plugin, no data
--> Running transaction check
---> Package mercurial.i386 0:1.3.1-3.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================================
Installing:
mercurial i386 1.3.1-3.el5 epel 2.1 M
Transaction Summary
=========================================================================================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
mercurial-1.3.1-3.el5.i386.rpm | 2.1 MB 00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : mercurial 1/1
Installed:
mercurial.i386 0:1.3.1-3.el5
Complete!
[root@nas google-authenticator]#
Next:
[root@nas google-authenticator]# hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
requesting all changes
adding changesets
adding manifests
adding file changes
added 84 changesets with 442 changes to 315 files
updating working directory
pulling subrepo mobile/ios/externals/zxing
abort: repository [svn]https://zxing.googlecode.com/svn/trunk/ not found!
Doh, FAIL!
Not sure what to do next, hints???