CentOS 7: Install Google Auth. for SSH Shell, Webmin, and WordPress

On CentOS 6.x, setting up Google Auth. for everything is almost easier than installing an IDE (Integrated Development Environment). On CentOS 7, however, you may feel you have fallen into a hole when you try to do the same thing.

Preparation

Whether you started from a Minimal installation or an Everything installation, you can follow the same preparation steps. If you see that some packages/modules are already installed, congratulations! You can save time and just move on to the next step.

Compile and install the Google-authenticator PAM module

Sure enough, you cannot get a ready-made RPM package from any official RPM repository. Why? CentOS 7 has been out for a long time, and there is still no Google-authenticator PAM module package?

Why the Google-auth. PAM module package cannot be found in the official RPM repositories:

I want to know too… Too many of the best things are not included in common Linux distributions. Webmin, for example, is like this as well.

Step 0

You may have installed CentOS 7 from an ISO image on your VPS/VM. The image file may be old and may therefore come with out-of-date packages that contain bugs. Update the system at step 0. (You should keep track of security alert reports and keep all of the packages your system uses daily up to date.)

yum -y update

Step 1

Install the basic development tools.

yum -y groupinstall "Development Tools"

Step 2

Install the PAM Development Package

yum -y install pam-devel

Step 3

Install the packages needed to make sure your system has the correct time for token generation.

yum -y install ntp
systemctl start ntpd
systemctl enable ntpd

Compile and install the Google-authenticator PAM module

Step 1

Download the Google-authenticator PAM module from code.google.com

cd /opt

wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

Step 2

Extract, Compile, and Install it.

bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar
rm -f libpam-google-authenticator-1.0-source.tar
cd libpam-google-authenticator-1.0
make

If make finishes without any errors, install it.

make install

Create Config File

Change to the current user's home directory, then run google-authenticator.

cd ~
google-authenticator

Recommended options – Time-based tokens

You can answer yes at this point. If you want to understand the differences between the choices, see the notes below.

Do you want authentication tokens to be time-based (y/n):

Choose yes to make sure the auth. process is based on a limited time frame.

Secret key, Verification code, and Emergency Scratch Codes

You may see this screen output:

Your new secret key is: WKHM6UVJNTPYSPTQ
Your verification code is 434260
Your emergency scratch codes are:
30287010
70585905
68748337
15176712
38041521

The secret key and verification code are provided so that you can register the system/application in your mobile Google-auth. app. Alternatively, you can use the QR code for this step: your Google-auth. app can capture the displayed QR code as the registration process.

Use the emergency scratch codes in sequence in case you have lost your mobile phone.

In fact, if you have linked your mobile device to your Google Account, you have a chance to recover your Google-auth. app configuration and its relationships with your registered systems/applications.

Recommended options – Current user as Sudo-level user

Do you want me to update your "/root/.google_authenticator" file (y/n)

Choose yes if the current Linux user will be used as a sudo-level user. A sudo-level user is one you use for administrative duties (you usually log in to the system as this user and run sudo to perform system administration operations).

Recommended options – Disallow multiple uses of the same authentication

You should choose yes in the normal case, unless you want to use the same configuration for many hosts in the same room/floor.

Recommended options – 30 secs limitation

This makes sure the user completes the login input process within 30 seconds. Choosing yes here is a good choice. If you find it hard to type everything within 30 seconds, you should choose no here. (People who type too slowly may not be able to enter the username, password, and auth. code in such a short time.)

Apply Google-auth. for SSH Server

Add the new auth. method so that the SSH server recognizes it.

vi /etc/pam.d/sshd

Add the following line to the top of the file.

auth required pam_google_authenticator.so

Then modify the SSH config file to enable Google-auth. feature.

vi /etc/ssh/sshd_config

Find the line that starts with ChallengeResponseAuthentication. Then change it from no to yes.

Finally, reload the SSH server to apply the changes.

systemctl reload sshd
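
One way to check that the two edits above actually took effect, as an added example (not part of the original post): sshd keeps the first value it reads for a keyword, so a "yes" line appended below the existing "no" line is silently ignored. The function names and sample file contents are constructed for illustration, and the UsePAM check goes beyond what the post covers.

```python
def sshd_setting(config_text, keyword, default):
    """Global value of a keyword; sshd keeps the FIRST value it reads."""
    for raw in config_text.splitlines():
        fields = raw.replace("=", " ").split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() == "match":  # conditional blocks start here
            break
        if fields[0].lower() == keyword.lower() and len(fields) > 1:
            return fields[1].strip('"').lower()
    return default


def pam_has_google_auth(pam_text):
    """True if an uncommented auth line loads pam_google_authenticator.so."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0].lstrip("-") == "auth"
                and any(f.endswith("pam_google_authenticator.so") for f in fields[2:])):
            return True
    return False


def audit(sshd_text, pam_text):
    """Return a list of problems; an empty list means the setup is active."""
    problems = []
    # OpenSSH defaults when a keyword is absent: yes and no respectively.
    if sshd_setting(sshd_text, "ChallengeResponseAuthentication", "yes") != "yes":
        problems.append("ChallengeResponseAuthentication is not yes")
    if sshd_setting(sshd_text, "UsePAM", "no") != "yes":
        problems.append("UsePAM is not yes, so /etc/pam.d/sshd is not consulted")
    if not pam_has_google_auth(pam_text):
        problems.append("no active auth line for pam_google_authenticator.so")
    return problems


# Constructed samples (not taken from a real host).
SSHD_APPENDED = "UsePAM yes\nChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n"
SSHD_EDITED = "UsePAM yes\n#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n"
PAM_OK = "auth required pam_google_authenticator.so\nauth substack password-auth\n"
PAM_COMMENTED = "#auth required pam_google_authenticator.so\nauth substack password-auth\n"

if __name__ == "__main__":
    print(audit(SSHD_APPENDED, PAM_OK))      # later 'yes' never takes effect
    print(audit(SSHD_EDITED, PAM_COMMENTED))
    print(audit(SSHD_EDITED, PAM_OK))
```

On the host itself, sshd -T prints the effective configuration. Keep the current session open and test the login from a second terminal before closing it.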

Apply Google-auth. for Webmin

You can find complete documentation on the official Webmin wiki:

http://doxfer.webmin.com/Webmin/Enhanced_Authentication

Apply Google-auth on WordPress (Self-hosted WordPress)

You can find complete documentation on the following web site. It is written by the author of the Google Authenticator for WordPress plug-in.

http://julienliabeuf.com/wordpres-2-factor-authentication/
