CentOS 7: Install Google Auth. for SSH Shell, Webmin, and WordPress
On CentOS 6.x, setting up Google Auth. for everything is almost easier than installing an IDE (Integrated Development Environment). But you may feel you have fallen into a hole when you try to do the same thing on CentOS 7.
Preparation
Whether you started from a Minimal installation or an Everything installation, you can follow these preparation steps. If you see that some packages/modules are already installed, congratulations! You can save time and just move on to the next step.
Compile and install the Google-authenticator PAM module
You cannot get a ready-made RPM package from any official RPM repository. Why? CentOS 7 has been out for a long time, and there is still no Google-authenticator PAM module package?
Why the Google-auth. PAM module package cannot be found in the official RPM repository:
I would like to know too… Many of the best tools are not included in the common Linux distributions. Webmin, for example, is in the same situation.
Step 0
You may have installed CentOS 7 from an ISO image on your VPS/VM. The image file may be old, so it may come with out-of-date packages that have bugs. Update the system at step 0. (You should keep track of security alerts and keep all of the packages your system uses daily up to date.)
yum -y update
Step 1
Install the basic development tools.
yum -y groupinstall "Development Tools"
Step 2
Install the PAM Development Package
yum -y install pam-devel
Step 3
Install the necessary packages to make sure your system has the correct time for token generation.
yum -y install ntp
systemctl start ntpd
systemctl enable ntpd
Compile and install the Google-authenticator PAM module
Step 1
Download the Google-authenticator PAM module from code.google.com
cd /opt
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Step 2
Extract, compile, and install it.
bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar
rm -f libpam-google-authenticator-1.0-source.tar
cd libpam-google-authenticator-1.0
make
If the build finishes without any errors, install it.
make install
Create Config File
Change to your current user's home directory, then run google-authenticator.
cd ~
google-authenticator
Recommended options – Time-based tokens
You can answer yes at this point. If you want to understand the difference between the choices, see below.
Do you want authentication tokens to be time-based (y/n):
Choose yes to make sure the auth. process is based on a limited time frame.
Secret key, Verification code, and Emergency Scratch Codes
You may see this screen output:
Your new secret key is: WKHM6UVJNTPYSPTQ
Your verification code is 434260
Your emergency scratch codes are:
  30287010
  70585905
  68748337
  15176712
  38041521
The secret key and verification code are provided so that you can register the system/application in your mobile Google-auth. app. Alternatively, you can use the QR code for this step: your Google-auth. app can capture the displayed QR code to complete the registration.
Use the emergency scratch codes in sequence in case you have lost your mobile phone.
In fact, if you have linked your mobile device to your Google Account, you have a chance to recover your Google-auth. app configuration and its relationship with your registered systems/applications.
Recommended options – Current user as Sudo-level user
Do you want me to update your "/root/.google_authenticator" file (y/n)
Choose yes if the current Linux user will be used as a sudo-level user. A sudo-level user is one you use for administrative duties (you usually log in to the system as this user and run the sudo command to perform system administration tasks).
Recommended options – Disallow multiple uses of the same authentication
You should choose yes in the normal case, unless you want to use the same configuration for many hosts in the same room/floor.
Recommended options – 30 secs limitation
This makes sure the user completes the login input within 30 seconds. Choosing yes here is a good choice. If you find it hard to type everything within 30 seconds, you should choose no here. (People who type slowly may not be able to enter the username, password, and auth code in such a short time.)
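How the time-based options fit together, as an added example (not code from the original post or from the google-authenticator project): a small RFC 6238 TOTP verifier showing how a code is derived from the secret key and the clock, why a wrong server time rejects valid codes, and how refusing reuse of a token works. The secret is a constructed test key; `verify`, its `window` parameter and the `used` set are illustrative names, not the PAM module's internals.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (the standard default)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code for a base32 secret at a given Unix time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1, used=None):
    """Accept a code from the current step or `window` steps either side.

    `used` is a set of time steps already accepted; passing it models the
    "disallow multiple uses" choice, so a replayed code is rejected.
    """
    now_step = int(server_time) // STEP
    for step in range(now_step - window, now_step + window + 1):
        if hmac.compare_digest(totp(secret_b32, step * STEP), code):
            if used is not None:
                if step in used:
                    return False                 # same token presented again
                used.add(step)
            return True
    return False

# Constructed sample secret (the RFC 6238 test key), not a real credential.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    phone_time = 1111111109
    code = totp(SECRET, phone_time)
    print("code on phone:    ", code)
    print("server in sync:   ", verify(SECRET, code, phone_time))
    print("server 5 min off: ", verify(SECRET, code, phone_time + 300))
    seen = set()
    print("first use:        ", verify(SECRET, code, phone_time, used=seen))
    print("replayed:         ", verify(SECRET, code, phone_time, used=seen))
```

The server only ever compares against codes for time steps near its own clock, which is why the ntpd step in the preparation matters.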
Apply Google-auth. for SSH Server
Add the new auth. method so that the SSH server recognizes it.
vi /etc/pam.d/sshd
Add the following line to the top of the file.
auth required pam_google_authenticator.so
Then modify the SSH config file to enable Google-auth. feature.
vi /etc/ssh/sshd_config
Find the line that starts with ChallengeResponseAuthentication, then change it from no to yes.
Finally, restart the SSH Server to apply the changes.
systemctl reload sshd
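A check for the two files edited above, as an added example (not part of the original post): it reads sshd_config the way sshd does (the first occurrence of a keyword wins) and confirms the PAM line is the first auth entry. The UsePAM check is an added assumption (sshd only consults the PAM stack when it is enabled), and the sample file contents are constructed.

```python
import re

AUTH_LINE = re.compile(r"^\s*-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
GA_MODULE = "pam_google_authenticator.so"

def sshd_setting(config_text, keyword):
    """Effective global value of a keyword: first occurrence wins, keywords
    are case-insensitive, and lines after a Match block are conditional."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None

def pam_auth_stack(pam_text):
    """(control, module file name) for every auth line, in PAM's order."""
    stack = []
    for raw in pam_text.splitlines():
        m = AUTH_LINE.match(raw.split("#", 1)[0])
        if m:
            stack.append((m.group(1), m.group(2).rsplit("/", 1)[-1]))
    return stack

def audit(sshd_text, pam_text):
    """Return a list of findings; empty means the files match the steps."""
    findings = []
    for key in ("ChallengeResponseAuthentication", "UsePAM"):
        if (sshd_setting(sshd_text, key) or "").lower() != "yes":
            findings.append(f"{key} is not explicitly set to yes")
    stack = pam_auth_stack(pam_text)
    if GA_MODULE not in [module for _, module in stack]:
        findings.append(f"{GA_MODULE} missing from the auth stack")
    elif stack[0] != ("required", GA_MODULE):
        findings.append(f"{GA_MODULE} is not the first required auth line")
    return findings

# Constructed sample files, not taken from a real host.
SSHD_OK = "UsePAM yes\n#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n"
SSHD_SHADOWED = "ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
PAM_OK = "#%PAM-1.0\nauth required pam_google_authenticator.so\nauth substack password-auth\n"
PAM_MISSING = "#%PAM-1.0\nauth substack password-auth\n"

if __name__ == "__main__":
    for finding in audit(SSHD_SHADOWED, PAM_MISSING):
        print("FINDING:", finding)
```

On a live host, pass in the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd, and run `sshd -t` to syntax-check the config before reloading.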
Apply Google-auth. for Webmin
You can find the complete documentation on the official Webmin wiki web site:
http://doxfer.webmin.com/Webmin/Enhanced_Authentication
Apply Google-auth on WordPress (Self-hosted WordPress)
You can find the complete documentation on the following web site. It is written by the author of the Google Authenticator for WordPress plug-in.