Jun. 8th, 2012

dyr: (Default)
As many of you already know, Google has supported two-factor authentication since last year. This authentication is based on RFC 3246 and implements counter-based and time-based (COTP and TOTP, respectively) one-time passwords. So it's time to use it to log in to our FreeBSD servers, where the second factor is your Android device with Google Authenticator installed.

The recipe is pretty cool and simple.
  1. Install "pam_google_authenticator" on the server and, optionally, libqrencode (it will show the QR code directly in the console as pseudo-text, which looks really impressive).
  2. After installing, run "google-authenticator" as the desired user (e.g. for "dyrez": "sudo -u dyrez google-authenticator"). After a few simple questions, open Google Authenticator on your phone and choose "Add account" -> "Scan barcode". The barcode will be shown on the screen (if you installed libqrencode), or you can get it by pasting the URL from the screen into your browser (it looks like "https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://").
  3. Edit /etc/pam.d/sshd: add "auth sufficient /usr/local/lib/pam_google_authenticator.so" before "auth required pam_unix.so no_warn try_first_pass".
  4. ???
  5. PROFIT!
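That's enough! Now you can log in using one-time codes generated on your phone, or using your old-school UNIX password. Because the module is marked "sufficient", a valid code alone is enough, and a failed code falls through to the password prompt.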
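
What the phone and the PAM module both compute from the shared secret in the otpauth:// URL, as an added Python sketch (not code from this post or from the pam_google_authenticator project). The sample URI, account name and the function names are assumptions made for illustration; the secret is the published HOTP test secret.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample: base32 of the HOTP specification's (RFC 4226) test secret
# "12345678901234567890"; account name and host are made up.
SAMPLE_URI = "otpauth://totp/dyrez@server?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def secret_from_uri(uri):
    """Extract the raw shared key from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth:// URI")
    b32 = parse_qs(u.query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore stripped padding

def hotp(key, counter, digits=6):
    """Counter-based code: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def totp(key, now=None, step=30):
    """Time-based code: HOTP with the counter set to the 30-second slot number."""
    now = time.time() if now is None else now
    return hotp(key, int(now // step))

def verify(key, candidate, now=None, step=30, window=1):
    """Accept codes from `window` slots either side of now to absorb clock drift."""
    now = time.time() if now is None else now
    slot, ok = int(now // step), False
    for drift in range(-window, window + 1):
        if slot + drift >= 0:
            expected = hotp(key, slot + drift).encode()
            ok |= hmac.compare_digest(expected, candidate.encode())  # constant time
    return ok

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print("code now:", totp(key))
    print("accepted:", verify(key, totp(key)))
```

The secret in the URL is the entire second factor: anyone who sees the otpauth:// string, including a web service the URL is pasted into, can generate the same codes, so scanning the console QR code keeps it on the server and the phone only.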


P.S. It's also an attempt to enhance my English skills, so any comments are welcome.
