CentOS Two Factor Authentication with Google Authenticator
-
Secure your CentOS Server with Google Authenticator and Two Factor Authentication. This is perfect for people building a highly secure CentOS or RHEL based Jump Server.
-
This is very cool! Thanks!
-
Anyone done this yet?
-
Doesn't work.....
Check the comments.
-
No package google-authenticator available.
-
The PAM Module is no longer provided in EPEL for EL7
-
Looks like a lot of places are having the same issue that they are posting the repo info but it does not exist. You can do this instead...
yum install gcc gcc++ make python python-devel git pam-devel cd /tmp git clone https://code.google.com/p/google-authenticator/ cd google-authenticator/libpam make make install cd /tmp rm -Rf google-authenticator/
-
I used this guide: http://www.thefallenphoenix.net/2015/03/ssh-multi-factor-centos-7/
But like a idiot, I setup the root account, not my account.....
This will cause a issue if for some reason Google Authenticator doesn't work, right?
-
@Aaron-Studer said:
I used this guide: http://www.thefallenphoenix.net/2015/03/ssh-multi-factor-centos-7/
But like a idiot, I setup the root account, not my account.....
This will cause a issue if for some reason Google Authenticator doesn't work, right?
Yes, that would be a problem
-
This seems like it might be a better option
-
This looks much, much easier to install/use:
-
How To Install Authy And Configure Two-Factor Authentication For SSH
https://www.digitalocean.com/community/tutorials/how-to-install-authy-and-configure-two-factor-authentication-for-ssh -
I don't like SMS as an authentication method because I've found SMS to be very unreliable. Here in Europe it is tons more reliable than in the US, but you don't want a tower outage or being in a "dead spot" to stop authentication. I worry enough about the "on the phone" app losing power (my phone is dead right this second, for example) or getting lost or whatever causing a lack of access but using SMS on the phone adds secondary network connectivity as an additional breaking point.
If I lose my phone, phone breaks, battery is dead, I lose cell coverage OR I lose network access I can't log in. That is more and more points of failure.
-
Also, SMS is not secure at all. I've had SMS hijacked before. So less than ideal as a security method. It's a second factor so that is not the end of the world, but I have definitely spent a year working in a situation where that would not have been a second factor at all and using it would have been nothing but a placebo.
-
@scottalanmiller said:
I don't like SMS as an authentication method because I've found SMS to be very unreliable. Here in Europe it is tons more reliable than in the US, but you don't want a tower outage or being in a "dead spot" to stop authentication. I worry enough about the "on the phone" app losing power (my phone is dead right this second, for example) or getting lost or whatever causing a lack of access but using SMS on the phone adds secondary network connectivity as an additional breaking point.
If I lose my phone, phone breaks, battery is dead, I lose cell coverage OR I lose network access I can't log in. That is more and more points of failure.
I completely agree. This is why I use Authy. No SMS.
Best part of all it is removes the requirement to use your phone.
-
Ah, Authy doesn't require SMS? Cool, will look into it more then.
-
@scottalanmiller I think your confusing Two Factor Authentication with SMS.
You can do 2FA with SMS, but it's not as common anymore.
Take a look at this link: http://security.stackexchange.com/questions/47901/how-does-authys-2fa-work-if-it-doesnt-connect-to-the-server
-
If Authy would integrate with Touch ID, that would be amazing!
-
This is also a good read: http://stackshare.io/posts/how-authy-built-a-fault-tolerant-two-factor-authentication-service/
-
@scottalanmiller said:
(my phone is dead right this second, for example)
Authy lets to sync across devices, so unless you phone/iPad/computer/Wife's Phone are all dead, then it still works!