
Resolved
0 votes
I started reading over

http://blog.adslweb.net/serendipity/article/286/CentOS-5-enabling-Two-factor-SSH-authentication-via-Google

Enabling the EPEL repo seems to want to break samba-api.

A requirement is to install Mercurial and then edit the makefile, but I cannot figure out where it is.

Has anyone tried building Mercurial from source and using Google Authenticator?

See this post to get it working
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,35178/limit,10/limitstart,10/#35543
Thursday, December 01 2011, 05:52 AM
Responses (14)
  • Accepted Answer

    Tuesday, December 13 2011, 08:54 PM - #Permalink
    Resolved
    0 votes
    Hi Bob, that plugin is certainly what I want to achieve, but the question is how?

    Also, I was thinking about it, and to integrate it you would want to have a testing portion to let you test your login before permanently committing changes.
  • Accepted Answer

    Tuesday, December 13 2011, 07:47 PM - #Permalink
    Resolved
    0 votes
    You might have a look at this WordPress plugin here, which lets you use Google auth with a WordPress blog.
  • Accepted Answer

    Saturday, December 10 2011, 10:02 AM - #Permalink
    Resolved
    0 votes
    After a little more digging, http://code.google.com/p/ga4php/ looks like someone's done it with OATH.
  • Accepted Answer

    Friday, December 09 2011, 11:13 AM - #Permalink
    Resolved
    0 votes
    What is Google Authenticator?

    http://code.google.com/p/google-authenticator/

    Overview
    The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
    These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm currently in draft.

    Ever seen those nifty RSA tokens? Well, the following will give you that same functionality in addition to having your SSH password.

    A couple of warnings. Open two SSH sessions; the reasoning is that if you get this wrong you will lock yourself out of your own system remotely. Use the second session to remove or make changes to sshd and PAM.

    Next, for those of you running ClearOS in a VM, you need to account for time shift.

    This install is meant for a ClearOS 5.2 clean install.

    You will need bob's ClearOS-CentOS-Base.5.7.repo
    cd /etc/yum.repos.d

    wget https://www.whataboutbob.org/downloads/clearos/ClearOS-CentOS-Base.5.7.repo

    cd ~/
    mkdir downloads
    cd downloads/

    wget http://www.whataboutbob.org/downloads/clearos/ClearOS_to_CentOS_v0.4.sh
    chmod a+x ClearOS_to_CentOS_v0.4.sh

    ./ClearOS_to_CentOS_v0.4.sh


    then run

    yum update


    When I installed a couple of components it complained about Python, so update Python; I went with python26.

    touch /etc/yum.repos.d/geekymedia.repo
    nano /etc/yum.repos.d/geekymedia.repo

    Add

    [geekymedia-current]
    name=Geekymedia CentOS EL5 Repository - Current
    baseurl=http://mirrors.geekymedia.com/centos/
    enabled=1
    gpgcheck=0

    Save the file

    then


    yum update
    yum install python26


    Once updated, install some dependencies. I have added a couple just in case I needed them.

    yum install gcc gcc-c++ pam-devel subversion


    Now we need to download and install mercurial

    wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-1.9.2-1.el5.rf.i386.rpm
    wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-hgk-1.9.2-1.el5.rf.i386.rpm
    wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-ssh-1.9.2-1.el5.rf.i386.rpm

    rpm -Uvh mercurial*


    Make a directory for the authenticator
    mkdir ./google-authenticator
    cd google-authenticator/


    Download the SVN for google authenticator

    hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
    cd google-authenticator/

    Run make and make install
    make && make install


    Now we need to configure Pam auth
    nano /etc/pam.d/sshd


    change
    #%PAM-1.0
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_keyinit.so force revoke
    session include system-auth
    session required pam_loginuid.so


    to

    #%PAM-1.0
    auth required pam_google_authenticator.so
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_keyinit.so force revoke
    session include system-auth
    session required pam_loginuid.so


    Now we need to edit the ssh daemon configuration file

    nano /etc/ssh/sshd_config 


    uncomment
    ChallengeResponseAuthentication yes

    comment
    #ChallengeResponseAuthentication no


    Ensure that
    UsePAM yes


    STOP: make sure that second SSH session is working, because you can then edit /etc/ssh/sshd_config & /etc/pam.d/sshd if something goes wrong. Otherwise you are going to need to make these changes on the local console.


    Restart the SSH daemon
    service sshd restart


    Then run the google authenticator
    google-authenticator


    example
    https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
    Your new secret key is: SAEP64T5VZAVWAFB
    Your verification code is 376046
    Your emergency scratch codes are:
      67868696
      26247332
      54815527
      54336661


    Answer each of the questions to best suit your needs.

    So you now need to download the authenticator apps via either the Apple App Store or Android Marketplace.

    Start the app.

    On your phone, select time-based.

    For the account, use an SSH-enabled user, i.e. root
    Account: root@clearosipgoeshere
    Key: SAEP64T5VZAVWAFB

    It should then accept the secret key and will generate a new one every 30 seconds.

    Once fail2ban gets added to ClearOS as an app, combined with this it's going to be pretty hard to get into a ClearOS system.

    Have fun
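How the six-digit codes in the post above are derived, and why the VM time-shift warning matters, as an added example that is not part of the original post or of the google-authenticator code. It follows RFC 4226 HOTP with a 30-second step; the function names and the `window=1` tolerance are assumptions of this example, and the demo key is the RFC 4226 test key.

```python
import base64
import hashlib
import hmac
import struct


def decode_secret(b32):
    """Decode a base32 secret as printed by google-authenticator."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30):
    """TOTP is HOTP with counter = number of whole steps since the epoch."""
    return hotp(key, int(unix_time) // step)


def verify(key, code, server_time, step=30, window=1):
    """Return the step offset at which `code` matches, or None.

    window=1 (an assumption of this example) accepts the previous, current
    and next step, so the two clocks may differ by about one step.
    """
    counter = int(server_time) // step
    for off in range(-window, window + 1):
        if counter + off < 0:
            continue
        if hmac.compare_digest(hotp(key, counter + off), code):
            return off
    return None


# Constructed demo input: the RFC 4226 test key, not a real credential.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    phone_time = 59                              # phone clock (constructed)
    code = totp(RFC_KEY, phone_time)
    for drift in (0, 20, 45, 120):               # server clock ahead by N s
        print(drift, verify(RFC_KEY, code, phone_time + drift))
```

A server clock that has drifted more than the window allows rejects every code the phone shows, which on a VM looks exactly like a wrong secret; keeping the guest clock synchronised avoids that.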
  • Accepted Answer

    Friday, December 09 2011, 07:14 AM - #Permalink
    Resolved
    0 votes
    Oh yeah, the repo file....

    I moved some stuff around on the server to get it a bit more organised.

    Look here.
  • Accepted Answer

    Friday, December 09 2011, 07:12 AM - #Permalink
    Resolved
    0 votes
    Ok, you've been busy. :)

    You can use that repo file on a previously patched ClearOS 5.2 box, but be careful that you don't upgrade anything to do with LDAP, OpenVPN, or much of the specialised ClearOS packages.

    What I have used it for is to install packages that aren't available in the traditional ClearOS repos.

    I'm going to be away from my systems this weekend, but I'll follow up on this thread once I get back.

    Thanks for your input.

    B
  • Accepted Answer

    Friday, December 09 2011, 05:54 AM - #Permalink
    Resolved
    0 votes
    Sorry for the brain dump, guys; will clean this up and make it into a proper how-to.
  • Accepted Answer

    Friday, December 09 2011, 02:28 AM - #Permalink
    Resolved
    0 votes
    So in the original OP it mentions
    Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)

    there is no need to do this

    just run make && make install

    then edit
    nano /etc/pam.d/sshd
    #%PAM-1.0
    auth required pam_google_authenticator.so
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_keyinit.so force revoke
    session include system-auth
    session required pam_loginuid.so

    Then edit
    nano /etc/ssh/sshd_config

    Change
    ChallengeResponseAuthentication yes
    UsePAM yes

    Restart SSH
    service sshd restart

    Then run the authenticator
    google-authenticator
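A check of the two files edited in the post above, meant to be run from the second SSH session before `service sshd restart`; it is an added example, not part of the original post. The function names and the sample file contents are constructed for illustration, and an unset keyword is reported so that both settings are explicit.

```python
def active_lines(text):
    """Yield the whitespace-split fields of each line, comments removed."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields


def pam_auth_stack(pam_text):
    """Return (control, module) for every active 'auth' line, in file order."""
    return [(f[1], f[2]) for f in active_lines(pam_text)
            if len(f) >= 3 and f[0] == "auth"]


def sshd_value(sshd_text, keyword):
    """sshd keeps the first value it reads for a keyword; later ones are ignored."""
    for f in active_lines(sshd_text):
        if f[0].lower() == keyword.lower() and len(f) >= 2:
            return f[1].lower()
    return None


def preflight(pam_text, sshd_text):
    """List reasons the verification-code prompt would not be enforced."""
    problems = []
    if ("required", "pam_google_authenticator.so") not in pam_auth_stack(pam_text):
        problems.append("no active 'auth required pam_google_authenticator.so' line")
    for keyword in ("ChallengeResponseAuthentication", "UsePAM"):
        value = sshd_value(sshd_text, keyword)
        if value != "yes":
            problems.append("%s is %s, expected yes" % (keyword, value or "unset"))
    return problems


# Constructed sample files modelled on the ones shown in the post.
PAM_GOOD = """#%PAM-1.0
auth required pam_google_authenticator.so
auth include system-auth
account required pam_nologin.so
"""
PAM_COMMENTED = PAM_GOOD.replace("auth required pam_google", "#auth required pam_google")
SSHD_GOOD = "#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
# The 'no' line was left active above the 'yes' line, so 'no' wins.
SSHD_BOTH = "ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"

if __name__ == "__main__":
    for name, pam, sshd in (("good", PAM_GOOD, SSHD_GOOD),
                            ("both lines active", PAM_GOOD, SSHD_BOTH),
                            ("pam line commented", PAM_COMMENTED, SSHD_GOOD)):
        print(name, preflight(pam, sshd) or "ok")
```

On the box itself, read `/etc/pam.d/sshd` and `/etc/ssh/sshd_config` into the two arguments; `sshd -t` separately catches syntax errors in sshd_config.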
  • Accepted Answer

    Friday, December 09 2011, 02:00 AM - #Permalink
    Resolved
    0 votes
    Hey Bob, give this a whack.

    I read that Mercurial below version 1.8.3 has issues with subdirectories. I grabbed these RPMs:

    wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-1.9.2-1.el5.rf.i386.rpm
    wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-hgk-1.9.2-1.el5.rf.i386.rpm
    wget ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/mercurial-ssh-1.9.2-1.el5.rf.i386.rpm

    rpm -Uvh mercurial*


    then reading http://code.google.com/p/google-authenticator/issues/detail?id=85 looks like you also need subversion

    yum install subversion


    Then try re-running hg from whichever directory
    hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/


    It complains about "warning: certificate for google-authenticator.googlecode.com can't be verified (Python too old)"

    But I have python26 installed from the geekymedia repo???

    But I got this far... not sure what to edit, change or compile... over to you, Bob.
  • Accepted Answer

    Friday, December 09 2011, 12:14 AM - #Permalink
    Resolved
    0 votes
    I also noticed that
    http://www.whataboutbob.org/downloads/clearos/ClearOS-CentOS-Base.repo

    points to a directory, http://mirror.centos.org/centos/5.6/, that doesn't have anything in it other than a readme.
  • Accepted Answer

    Thursday, December 08 2011, 09:10 PM - #Permalink
    Resolved
    0 votes
    Bob, I meant to ask: is it possible to install your ClearOS-CentOS-Base.5.7.repo on a modified install of ClearOS 5.2?
  • Accepted Answer

    Wednesday, December 07 2011, 12:22 PM - #Permalink
    Resolved
    0 votes
    I ended up removing the samba api, then installing mercurial (via EPEL) that way, which was successful, but holy hell, getting it running broke stuff everywhere. AV, dansguardian; then I was less than keen. That, and I don't normally use EPEL.

    I'm in the middle of sorting out a problem with Oracle (IN)Coherence for openfire clustering, which I can see is going to turn into a firestorm cluster F@$%
  • Accepted Answer

    Wednesday, December 07 2011, 09:27 AM - #Permalink
    Resolved
    0 votes
    Even going here: http://code.google.com/p/google-authenticator/source/checkout and following the directions, it seems that stuff is broken.


    [root@nas google-authenticator]# hg clone https://code.google.com/p/google-authenticator/
    destination directory: google-authenticator
    requesting all changes
    adding changesets
    adding manifests
    adding file changes
    added 84 changesets with 442 changes to 315 files
    updating working directory
    pulling subrepo mobile/ios/externals/zxing
    abort: repository [svn]https://zxing.googlecode.com/svn/trunk/ not found!


    I don't have any experience using mercurial, so I may not be doing something right...
  • Accepted Answer

    Wednesday, December 07 2011, 09:08 AM - #Permalink
    Resolved
    0 votes
    Here's what I got when trying this (http://www.techrepublic.com/blog/opensource/two-factor-ssh-authentication-via-google-secures-linux-logins/2607):


    [root@nas yum.repos.d]# yum install pam-devel
    Loaded plugins: fastestmirror, filter-data, kmod, list-data, protect-packages, upgrade-helper
    Loading mirror speeds from cached hostfile
    * base-console: download4.clearfoundation.com
    * base-kernels: download4.clearfoundation.com
    * base-os: download4.clearfoundation.com
    * base-supplements: download4.clearfoundation.com
    * base-updates: download4.clearfoundation.com
    * clearcentos-os: download4.clearfoundation.com
    * clearcentos-updates: download4.clearfoundation.com
    * epel: serverbeach1.fedoraproject.org
    addons | 951 B 00:00
    base | 1.1 kB 00:00
    base-console | 951 B 00:00
    base-kernels | 951 B 00:00
    base-os | 1.1 kB 00:00
    base-supplements | 951 B 00:00
    base-updates | 951 B 00:00
    clearcentos-os | 951 B 00:00
    clearcentos-updates | 951 B 00:00
    epel | 3.7 kB 00:00
    extras | 2.1 kB 00:00
    updates | 1.9 kB 00:00
    Skipping filters plugin, no data
    Setting up Install Process
    Resolving Dependencies
    Skipping filters plugin, no data
    --> Running transaction check
    ---> Package pam-devel.i386 0:0.99.6.2-6.el5_5.2 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    =========================================================================================================================================================
    Package Arch Version Repository Size
    =========================================================================================================================================================
    Installing:
    pam-devel i386 0.99.6.2-6.el5_5.2 base 187 k

    Transaction Summary
    =========================================================================================================================================================
    Install 1 Package(s)
    Upgrade 0 Package(s)

    Total download size: 187 k
    Is this ok [y/N]: y
    Downloading Packages:
    pam-devel-0.99.6.2-6.el5_5.2.i386.rpm | 187 kB 00:00
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing : pam-devel 1/1

    Installed:
    pam-devel.i386 0:0.99.6.2-6.el5_5.2

    Complete!
    [root@nas yum.repos.d]# ls -la
    total 48
    drwxr-xr-x 2 root root 4096 Nov 28 20:15 .
    drwxr-xr-x 150 root root 12288 Dec 6 04:30 ..
    -rw-r--r-- 1 root root 3672 Jul 20 2010 base.repo
    -rw-r--r-- 1 root root 1506 Sep 21 20:09 ClearOS-CentOS-Base.5.7.repo
    -rw-r--r-- 1 root root 954 Aug 11 2010 epel.repo
    -rw-r--r-- 1 root root 1054 Aug 11 2010 epel-testing.repo
    -rw-r--r-- 1 root root 1105 Mar 8 2011 timb.repo


    Note, the "ClearOS-CentOS-Base.5.7.repo" file is available here.

    Next:


    [root@nas Downloads]# mkdir ./google-authenticator
    [root@nas Downloads]# cd google-authenticator/
    [root@nas google-authenticator]# hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
    bash: hg: command not found
    [root@nas google-authenticator]# yum whatprovides hg
    Loaded plugins: fastestmirror, filter-data, kmod, list-data, protect-packages, upgrade-helper
    Loading mirror speeds from cached hostfile
    * base-console: download4.clearfoundation.com
    * base-kernels: download4.clearfoundation.com
    * base-os: download4.clearfoundation.com
    * base-supplements: download4.clearfoundation.com
    * base-updates: download4.clearfoundation.com
    * clearcentos-os: download4.clearfoundation.com
    * clearcentos-updates: download4.clearfoundation.com
    * epel: serverbeach1.fedoraproject.org
    mercurial-1.3.1-3.el5.i386 : A fast, lightweight distributed source control management system
    Repo : epel
    Matched from:
    Other : hg



    [root@nas google-authenticator]# yum install mercurial
    Loaded plugins: fastestmirror, filter-data, kmod, list-data, protect-packages, upgrade-helper
    Loading mirror speeds from cached hostfile
    * base-console: download4.clearfoundation.com
    * base-kernels: download4.clearfoundation.com
    * base-os: download4.clearfoundation.com
    * base-supplements: download4.clearfoundation.com
    * base-updates: download4.clearfoundation.com
    * clearcentos-os: download4.clearfoundation.com
    * clearcentos-updates: download4.clearfoundation.com
    * epel: serverbeach1.fedoraproject.org
    Skipping filters plugin, no data
    Setting up Install Process
    Resolving Dependencies
    Skipping filters plugin, no data
    --> Running transaction check
    ---> Package mercurial.i386 0:1.3.1-3.el5 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    =========================================================================================================================================================
    Package Arch Version Repository Size
    =========================================================================================================================================================
    Installing:
    mercurial i386 1.3.1-3.el5 epel 2.1 M

    Transaction Summary
    =========================================================================================================================================================
    Install 1 Package(s)
    Upgrade 0 Package(s)

    Total download size: 2.1 M
    Is this ok [y/N]: y
    Downloading Packages:
    mercurial-1.3.1-3.el5.i386.rpm | 2.1 MB 00:02
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing : mercurial 1/1

    Installed:
    mercurial.i386 0:1.3.1-3.el5

    Complete!
    [root@nas google-authenticator]#


    Next:


    [root@nas google-authenticator]# hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
    requesting all changes
    adding changesets
    adding manifests
    adding file changes
    added 84 changesets with 442 changes to 315 files
    updating working directory
    pulling subrepo mobile/ios/externals/zxing
    abort: repository [svn]https://zxing.googlecode.com/svn/trunk/ not found!


    Doh, FAIL!

    Not sure what to do next, hints???