Google-Authenticator PAM on CENTOS 6
October 30th, 2011Probably my favourite new thing in tech this year has been Google’s Authenticator.
It provides a one time passcode for logging into stuff, you enter as well as your normal password. This is extremely secure because it means no one can copy it. Every 30 seconds of every day it’s replaced with a brand new one. Interestingly if it only uses the same number once in the cycle, it will take about a year to use them all and start again.
If you’ve been given an RSA Token, OATH Token, Gold Card etc. at work it’s the same kind of thing, but instead of being geek bling to hang around 
your neck or on your keyring, Google make it easy to carry in the form of an app for your Android, BlackBerry or iPhone. Interestingly midway through this yead RSA also introduced an app to replace their tokens. Anyone that has had to carry a bunch of those things around knows what a pain it is, and will warmly welcome the phone version. No doubt the corporate solution will continue to cost $100-$200 per person per year however. Google’s is free.
With this app installed on your phone you enable two step authentication on your Google accounts (gmail, apps etc) This video from Google explains it all pretty well.
That’s awesome in itself, almost eliminates the concern that your email account might get hacked, but for Linux admins it gets much much better. Oh yeah, this is REALLY cool.
Google have also released a PAM (Pluggable Authenticaton Module) for Linux, so you can use this technology on any of your PAM enabled services (Login, SSH, VPN, Email, you name it). This effectively brings two factor authenticaton out of the expensive corporate security world into the Linux Free as in Beer, Free as in Speech world. Google you ROCK.
How To Install It on CentOS 5.
There’s plenty of doco out there that made this look easy, I did not find it so easy. I think that many of the writers assume the reader is using the latest bleeding edge Ubuntu or Fedora, the conservative among us using RedHat, Centos or Ubuntu LTS are left out in the dark a bit. It took me a weekend, but here are my findings.
Getting the Code.
This was the weirdest thing for me, it seems the repo uses a combination of Subversion and Mercurial, so you’ll need both.
Install Subversion and Mercurial.
yum install subversion python-devel docutilsYou must install the latest version of Mercurial, the one on the Centos repo is too old to work properly. Download latest mercurial from http://mercurial.selenic.com/downloads/
untar it (tar -xvf <filename>), change into the directory tar creates and “make install”
Mercurial is a bunch of python scripts, so make install is all that’s needed to put it into place.
Now you should be OK to download the actual source code for this CompSci epic. One command is all that’s needed here. Took days to work out why this didn’t work (solution above). Let me know if you have any more issues with it.
hg clone https://code.google.com/p/google-authenticator/
As root change into the directory you get +/libpam and run
make install
For ssh logins edit /etc/pam.d/ssh and add the line
auth required pam_google_authenticator.so
as the first rule, just under the #%PAM-1.0 line and you’re ready to rock.
Restart sshd (not sure if this is needed, but might as well)
service sshd restart
Now login as your regular ssh user and run the command
google-authenticator
You’ll get asked a few questions and get a link to a QR code that the app on your phone can scan to set you up in seconds. Copy all the output to a text file on your laptop for safefy. When you log in again you’ll be asked for a code, then your password and you’re in.
I’ll be looking into how this works, and any security concerns going forward, and will post anything else interesting here. Have fun securing your systems!