6 easy steps to setup offline two factor authentication in Linux



In this article I will share a step-by-step guide to install and configure offline two factor authentication with the open source Google Authenticator PAM module for the following scenarios in Linux:

  • Configure offline two factor authentication for SSH
  • Configure offline two factor authentication for SUDO
  • Configure offline two factor authentication for SU

 

Lab Environment

I have installed Oracle VirtualBox on a Linux node and created multiple virtual machines running RHEL/CentOS 7 and 8. The steps in this article to configure two factor authentication were verified on RHEL/CentOS 7 and 8.

You need internet connectivity on the virtual machine only to download and install the Google Authenticator packages. Once two factor authentication is configured, every code is validated locally by the PAM module from the per-user secret and the system clock, so no internet connectivity is needed; this is what makes it offline two factor authentication. The one thing the node does depend on is accurate time: TOTP codes are derived from the current 30-second interval, so keep the clock synchronised (for example with chronyd) or the codes shown on the phone will stop matching the ones the server expects.

 

Google Authenticator with PAM

According to its GitHub page, the open source Google Authenticator PAM module supports the following features for offline two factor authentication in Linux:

  • Per-user secret and status file stored in the user’s home directory
  • Support for 30-second TOTP codes
  • Support for emergency scratch codes
  • Protection against replay attacks
  • Key provisioning via display of a QRCode
  • Manual key entry of RFC 3548 base32 key strings

 

Step 1: Install Google Authenticator on RHEL/CentOS 7 and 8 Linux

There are two methods to install Google Authenticator on your RHEL/CentOS 7 and 8 Linux environment.

 

Method 1: Install using DNF or YUM

DNF is the successor of YUM on RHEL/CentOS 8; on RHEL/CentOS 7 use yum with the same arguments. The google-authenticator rpm is not part of the base CentOS or Red Hat repositories, so you must first enable the EPEL repository on your Linux node.

[root@centos-8 ~]# dnf install epel-release -y

Next install google authenticator rpm before we enable offline two factor authentication:

NOTE:
libqrencode is required to print QR code for offline two factor authentication. Without this library you will get "Failed to use libqrencode to show QR code visually for scanning. Consider typing the OTP secret into your app manually." error. In RHEL/CentOS 7/8 Linux, libqrencode is provided by qrencode-libs rpm.
[root@centos-8 ~]# dnf install google-authenticator qrencode-libs -y

Content of the rpm on RHEL/CentOS 7

[root@centos-7 ~]# rpm -ql google-authenticator-1.04-1.el7.x86_64
/usr/bin/google-authenticator
/usr/lib64/security/pam_google_authenticator.la
/usr/lib64/security/pam_google_authenticator.so
/usr/share/doc/google-authenticator-1.04
/usr/share/doc/google-authenticator-1.04/CONTRIBUTING.md
/usr/share/doc/google-authenticator/FILEFORMAT
/usr/share/doc/google-authenticator/README.md
/usr/share/doc/google-authenticator/totp.html
/usr/share/licenses/google-authenticator-1.04
/usr/share/licenses/google-authenticator-1.04/LICENSE
/usr/share/man/man1/google-authenticator.1.gz
/usr/share/man/man8/pam_google_authenticator.8.gz

Content of the rpm on RHEL/CentOS 8

[root@centos-8 ~]# rpm -ql google-authenticator-1.07-1.el8.x86_64
/usr/bin/google-authenticator
/usr/lib/.build-id
/usr/lib/.build-id/28
/usr/lib/.build-id/28/19f17158d9ddef0a7f6135defe09c66b2b8061
/usr/lib/.build-id/70
/usr/lib/.build-id/70/03ef7a7d6793e0fcd5b4db22f580420272c34a
/usr/lib64/security/pam_google_authenticator.la
/usr/lib64/security/pam_google_authenticator.so
/usr/share/doc/google-authenticator
/usr/share/doc/google-authenticator/CONTRIBUTING.md
/usr/share/doc/google-authenticator/FILEFORMAT
/usr/share/doc/google-authenticator/README.md
/usr/share/doc/google-authenticator/totp.html
/usr/share/licenses/google-authenticator
/usr/share/licenses/google-authenticator/LICENSE
/usr/share/man/man1/google-authenticator.1.gz
/usr/share/man/man8/pam_google_authenticator.8.gz

 

Method 2: Install using source code

You can clone the google authenticator git repository on your Linux node

# git clone https://github.com/google/google-authenticator-libpam.git
Cloning into 'google-authenticator-libpam'...
remote: Enumerating objects: 52, done.
remote: Counting objects: 100% (52/52), done.
remote: Compressing objects: 100% (39/39), done.
remote: Total 848 (delta 31), reused 32 (delta 13), pack-reused 796
Receiving objects: 100% (848/848), 580.86 KiB | 532.00 KiB/s, done.
Resolving deltas: 100% (539/539), done.

Next build and install

# cd google-authenticator-libpam/

# ./bootstrap.sh
# ./configure
# make
# make install

This builds and installs the google-authenticator binary and the PAM module on your Linux node. Note that a source build installs the module under /usr/local/lib/security instead of /usr/lib64/security, so in the PAM configuration in the later steps you must reference it by its full path (/usr/local/lib/security/pam_google_authenticator.so) or PAM will not find it.

 

Step 2: Configure offline two factor authentication in Linux

From here on the Linux node does not need internet access. Run the google-authenticator binary as the user who will be logging in: the secret and the settings are stored per user in ~/.google_authenticator, so every account that must pass two factor authentication has to complete this step once. Without arguments it prompts for the settings interactively:

[root@centos-8 ~]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: Q7OLD3KUKF3F7BT5J3I7XMVKGI

(a QR code encoding the secret is printed here for scanning with the mobile app, preceded by a URL that carries the same secret; treat both like the secret itself, since anyone who has it can generate your codes)

Enter code from app (-1 to skip): 952203   <-- Newer google-authenticator builds (the 1.07 rpm on CentOS 8) ask you to confirm a code from the app before writing the file; I had already added the secret to Google Authenticator on my Android device to get this OTP
Code confirmed
Your emergency scratch codes are:     <--- Each of these eight-digit codes can be used once, in place of an OTP, when the Google Authenticator app is not accessible; store them somewhere safe
  78193766
  22845673
  75571630
  42294143
  42293545

Do you want me to update your "/root/.google_authenticator" file? (y/n) y   <-- Press y to write the secret, the options chosen below and the scratch codes to this file (owned by the user, mode 0400); without it the PAM module has nothing to verify against

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y 

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y   <-- Answering y widens the accepted window to 17 codes (about 4 minutes of skew); keep the default of 3 unless time synchronisation is genuinely a problem, because every extra accepted code keeps a guessed or stolen code valid for longer

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
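The prompts above only write settings into ~/.google_authenticator; the verification itself happens later, on every login, inside pam_google_authenticator.so with nothing but that file and the clock. The following Python re-implements that local check so the offline behaviour is visible. It is an added example, not code from this article or from the google-authenticator-libpam project: it parses the file layout the google-authenticator command writes (base32 secret, then option lines starting with a double quote, then one scratch code per line), derives RFC 6238 TOTP codes, honours WINDOW_SIZE, refuses replays under DISALLOW_REUSE and burns scratch codes on use. The sample file is constructed from the RFC 6238 reference key (base32 of "12345678901234567890") with made-up scratch codes; the class and function names are mine.

```python
"""Offline check of a ~/.google_authenticator file (added example, not the PAM module's code)."""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code, matching the app and the PAM module

# Constructed sample in the FILEFORMAT layout: the RFC 6238 test key in base32, the
# option lines produced by the Step 2 prompts, and two made-up scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
78193766
22845673
"""


def decode_secret(b32):
    """google-authenticator writes the secret without padding; b32decode wants it."""
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class AuthFile:
    def __init__(self, text):
        lines = [line.strip() for line in text.splitlines() if line.strip()]
        self.secret = decode_secret(lines[0])
        self.window_size = 3          # default: previous, current and next code
        self.disallow_reuse = False
        self.rate_limit = None        # (attempts, seconds) when RATE_LIMIT is set
        self.scratch_codes = set()
        self.used_steps = set()       # time steps already accepted (replay protection)
        for line in lines[1:]:
            if line.startswith('"'):
                fields = line[1:].split()
                if fields[0] == "WINDOW_SIZE":
                    self.window_size = int(fields[1])
                elif fields[0] == "DISALLOW_REUSE":
                    self.disallow_reuse = True
                    # the module appends the steps it has already accepted here
                    self.used_steps.update(int(f) for f in fields[1:])
                elif fields[0] == "RATE_LIMIT":
                    self.rate_limit = (int(fields[1]), int(fields[2]))
            else:
                self.scratch_codes.add(line)

    def totp(self, step):
        """RFC 6238 over RFC 4226: HMAC-SHA1 of the 64-bit big-endian time step,
        dynamic truncation to 31 bits, six decimal digits."""
        mac = hmac.new(self.secret, struct.pack(">Q", step), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return "%06d" % (code % 1000000)

    def verify(self, code, now=None):
        """True for an unused scratch code, or for a TOTP within
        +/-(WINDOW_SIZE-1)/2 steps of `now` that has not been accepted before."""
        if code in self.scratch_codes:
            self.scratch_codes.discard(code)      # scratch codes are single use
            return True
        step_now = int(time.time() if now is None else now) // TIME_STEP
        half = (self.window_size - 1) // 2        # 3 -> +/-1 step, 17 -> +/-8 steps
        for step in range(step_now - half, step_now + half + 1):
            if hmac.compare_digest(self.totp(step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False                  # same code presented twice
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    f = AuthFile(SAMPLE_FILE)
    print("code for T=59:", f.totp(59 // TIME_STEP))      # 287082 per RFC 6238
    print("accepted:", f.verify("287082", now=59))        # True
    print("replayed:", f.verify("287082", now=59))        # False
```

Two practical consequences follow from the code. The window is symmetric around the server's clock, so a phone that runs more than one step (30 seconds) ahead or behind will produce codes the default window rejects; fixing time synchronisation is the right answer, not widening the window. And because the module must rewrite the file on every accepted code (to record used steps and remove burnt scratch codes), ~/.google_authenticator has to be writable by the module and owned by the user with mode 0400; the module refuses files other users can read.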

 

Step 3: Download and configure Google Authenticator Mobile App

Before we enable two factor authentication on the services themselves, we need the Google Authenticator app, which generates the OTP (verification code) from the secret created in Step 2.

Download and Install "Google Authenticator" from your "Google Play Store" or "App Store" based on your device.

Click on "BEGIN" to go to the next screen.


 

Next add an account. You can either scan the QR code (BARCODE) or type the secret KEY that was generated in Step 2 to add the new account.

Once you add the account, the app starts showing a six-digit OTP (verification code) that changes every 30 seconds. This is the code you will enter when logging in to the Linux node once it is configured for offline two factor authentication over SSH.


 

Step 4: Configure ssh two factor authentication

To harden SSH against password guessing and stolen passwords you can configure SSH two factor authentication, so that every SSH login must also present an OTP (verification code) from Google Authenticator in addition to the password.

 

Step 4.1: Configure /etc/pam.d/sshd module

To enable SSH two factor authentication we will use the PAM module. The file /etc/pam.d/sshd needs to be adjusted to call the google-authenticator module: add the pam_google_authenticator.so line as the first auth entry so the code is requested first; the rest of the file is the RHEL/CentOS 8 default. While rolling this out, append the nullok option to that line so users who have not yet run google-authenticator can still log in with their password alone, and remove it once every user is enrolled:

[root@centos-8 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

 

Step 4.2: Configure /etc/ssh/sshd_config

Next enable ChallengeResponseAuthentication in /etc/ssh/sshd_config (newer OpenSSH releases call the same setting KbdInteractiveAuthentication). UsePAM yes must also be set, which is the default on RHEL/CentOS; without it sshd never runs the PAM stack. Note that this only affects password (keyboard-interactive) logins: a user who authenticates with an SSH key is never asked for a code unless you also set AuthenticationMethods publickey,keyboard-interactive to require both.

[root@centos-8 ~]# grep ChallengeResponseAuthentication /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Restart the sshd service to activate the changes

[root@centos-8 ~]# systemctl restart sshd

 

Step 4.3: Verify ssh two factor authentication

IMPORTANT NOTE:
Make sure you keep one SSH session open while verifying, as these changes will lock you out if configured incorrectly. Alternatively you can log in on the console to rectify the configuration.

Open a new SSH session which should now prompt for verification code

Since we used "auth required pam_google_authenticator.so" as the first auth line, sshd prompts for the verification code first and then for the user's password. With required, PAM still asks for the password even when the code was wrong and only reports the failure at the end, so an attacker cannot tell which of the two factors was rejected:

login as: root
Using keyboard-interactive authentication.
Verification code:                 <--- Provide the OTP from your Google Authenticator App
Using keyboard-interactive authentication.
Password:                          <-- provide the password of user "root"

Last login: Sat Mar 28 16:09:48 2020 from 10.0.2.2
[root@centos-8 ~]#

If you use "auth sufficient pam_google_authenticator.so" instead, a correct verification code alone completes authentication and no password is asked. Be aware that this is no longer two factor authentication: the TOTP secret by itself is enough to log in, and because a failed sufficient module is ignored and PAM continues with the password stack, the password alone is enough as well. Use it only for convenience on test systems:

login as: root
Using keyboard-interactive authentication.
Verification code:               <--- Provide the OTP from your Google Authenticator App

Last login: Sat Mar 28 16:09:23 2020 from 10.0.2.2
[root@centos-8 ~]#
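The difference between the two outputs above comes entirely from how PAM walks the auth stack. The following Python models that walk for the three control flags used in this article's /etc/pam.d files. It is an added example, not code from the article or from Linux-PAM: module outcomes are constructed booleans rather than real modules, and "password-auth" stands for the whole substack of that name (it succeeds only when the password is right). The function and stack names are mine.

```python
"""Model of Linux-PAM auth stack evaluation (added example, not Linux-PAM code)."""

# The two sshd stacks discussed above, reduced to their auth lines, plus a requisite variant.
REQUIRED_STACK = [
    ("required", "pam_google_authenticator"),
    ("required", "password-auth"),
]
SUFFICIENT_STACK = [
    ("sufficient", "pam_google_authenticator"),
    ("required", "password-auth"),
]
REQUISITE_STACK = [
    ("requisite", "pam_google_authenticator"),
    ("required", "password-auth"),
]


def run_auth_stack(stack, outcomes):
    """Walk `stack` (list of (control, module)) using `outcomes` (module -> bool).

    Returns (granted, consulted): whether access is granted and which modules PAM
    actually invoked, i.e. which prompts the user saw.
    """
    consulted = []
    required_failed = False
    saw_required = False
    for control, module in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control == "required":
            saw_required = True
            # failure is remembered but the walk continues, so later prompts still
            # appear and the user cannot tell which module rejected
            required_failed = required_failed or not ok
        elif control == "requisite":
            saw_required = True
            if not ok:
                return False, consulted      # stop at once, later prompts skipped
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted       # success ends the stack: nothing after runs
            # a failed sufficient module is simply ignored
        else:
            raise ValueError("unsupported control flag: %s" % control)
    # a stack that never reached a required/requisite module grants nothing
    return (saw_required and not required_failed), consulted


def login(stack, otp_ok, password_ok):
    """Outcome of one login attempt: (granted, modules that prompted)."""
    return run_auth_stack(
        stack, {"pam_google_authenticator": otp_ok, "password-auth": password_ok}
    )


if __name__ == "__main__":
    print("required, wrong OTP, right password:", login(REQUIRED_STACK, False, True))
    print("sufficient, right OTP, no password :", login(SUFFICIENT_STACK, True, False))
    print("sufficient, wrong OTP, right pw    :", login(SUFFICIENT_STACK, False, True))
```

Running it shows the trade-off in one place: with required, a wrong code still produces a password prompt and is only refused at the end; with sufficient, either a correct code or a correct password on its own is accepted, so the stack has become "one of two factors" rather than two; requisite refuses immediately after the first wrong code, which saves a prompt but tells the caller which factor failed.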

 

Step 5: Configure sudo two factor authentication (Optional)

If your requirement is only SSH two factor authentication you can skip this step. To raise the bar further you can also configure sudo two factor authentication, so that whenever sudo asks a user to authenticate the user is also prompted for an OTP (verification code). The code is requested exactly as often as the password: once sudo has cached the user's credentials (timestamp_timeout in sudoers) no code is asked for either until the cache expires.

 

Step 5.1: Modify /etc/pam.d/sudo module

To enable sudo two factor authentication we will use the PAM module. The file /etc/pam.d/sudo needs to be adjusted to call the google-authenticator module. sudo authenticates the invoking user, so the module reads that user's own ~/.google_authenticator; in the example below deepak must therefore have run google-authenticator as deepak:

[root@centos-8 ~]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

 

Step 5.2: Verify sudo two factor authentication

Next you can try to perform a sudo operation using any user:

[deepak@centos-8 ~]$ sudo ls -l /tmp/

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Verification code:              <--- Provide the OTP from your Google Authenticator App
[sudo] password for deepak:     <--- Provide the password of user "deepak"

total 12
drwxr-x--T 2 root root 4096 Mar 23 17:47 marketing
drwx------ 3 root root 4096 Mar 24 19:49 systemd-private-64c4909968-chronyd.service-cpBn60
drwx------ 3 root root 4096 Mar 28 12:16 systemd-private-64c4909968-fprintd.service-Wo6SXe

 

Step 6: Configure su two factor authentication (Optional)

Again, if your requirement is limited to SUDO or SSH two factor authentication you can skip this step. To raise the bar further you can also configure su two factor authentication, so that every time a normal user attempts to switch user (su) the user is prompted for an OTP (verification code).

 

Step 6.1: Configure /etc/pam.d/su module

To enable su two factor authentication we will use the PAM module. The file /etc/pam.d/su needs to be adjusted to call the google-authenticator module. Two things to keep in mind with the ordering below. First, the module reads the ~/.google_authenticator of the account being switched to (the PAM user), so "su -" asks for root's code, not the caller's. Second, pam_google_authenticator.so is placed before pam_rootok.so and is required, so root loses its usual password-less switch to other accounts: a required failure (for example a target user who has no ~/.google_authenticator) cannot be overridden by the sufficient pam_rootok.so that follows. Move the pam_rootok.so line above it if root should keep that behaviour:

[root@centos-8 ~]# cat /etc/pam.d/su
#%PAM-1.0
auth            required        pam_google_authenticator.so
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

 

Step 6.2: Verify su two factor authentication

Next verify your PAM configuration by trying to switch user (su):

[deepak@centos-8 ~]$ su -
Verification code:   <--- Provide the OTP of the target user root, generated from /root/.google_authenticator, not deepak's code
Password:            <--- Provide the password of user "root"
[root@centos-8 ~]#

 

Lastly, I hope the steps in this article to configure offline two factor authentication using Google Authenticator on RHEL/CentOS 7/8 Linux were helpful. Let me know your suggestions and feedback using the comment section.

 

Deepak Prasad