Skip to main content

Multi-Factor Authentication in Linux using Google Authenticator

Multi-Factor Authentication in Linux using Google Authenticator
I would setting up a multifactor authentication in my Centos 7 for a user Kevin for ssh connectivity.

 1) Add the EPEL (Extra Packages for Enterprise Linux) repo.

 sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

 2) Install the google-autheticator

 sudo yum install google-authenticator
3) Run the google autheticator app for the user for which we want to setup the MFA. Note secret key and Verification code will be shown which would be needed for setting up google Autheticator on Android/Iphone

 google-authenticator

 It will prompt you certain questions as below , Provide the mentioned values
[kevin@lcfs ~]$ google-authenticator

 Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
Do you want me to update your "/home/kevin/.google_authenticator" file? (y/n) y

 Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

 By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

 If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

4) Edit the PAM authetication moddule to use google authetication

 sudo vi /etc/pam.d/sshd
Add the following line to the bottom of the file.

 /etc/pam.d/sshd
. . .
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
auth required pam_google_authenticator.so nullok

 5) Edit the ssh configuration file to accept Authetication using MFA.

 sudo vi /etc/ssh/sshd_config
Look for ChallengeResponseAuthentication lines. Comment out the no line and uncomment the no line.

 /etc/ssh/sshd_config
. . .
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

 6) Restart sshd service
service sshd restart

 7) Install the Google Autheticator App and configured using secrete key received from step 3.


8) Trying logging using user Kevin and verify.

 himanshu@himanshu-ThinkPad-T430 ~ $ ssh kevin@lfcs.lab
Password: 
Verification code: 
Last login: Sat Apr 11 12:37:19 2020 from 192.168.56.1
[kevin@lcfs ~]$ exit

Labels:

Comments

Post a Comment

Popular posts from this blog

WebLogic migration to OCI using WDT tool

WebLogic migration to OCI using WDT tool Oracle WebLogic Deploy Tool (WDT) is an open-source project designed to simplify and streamline the management of Oracle WebLogic Server domains. With WDT, you can export configuration and application files from one WebLogic Server domain and import them into another, making it a highly effective tool for tasks like migrating on-premises WebLogic configurations to Oracle Cloud. This blog outlines a detailed step-by-step process for using WDT to migrate WebLogic resources and configurations. Supported WLS versions Why Use WDT for Migration? When moving Oracle WebLogic resources from an on-premises environment to Oracle Cloud (or another WebLogic Server), WDT provides an efficient and reliable approach to: Discover and export domain configurations and application binaries. Create reusable models and archives for deployment in a target domain. Key Pre-Requisites Source System: An Oracle WebLogic Server with pre-configured resources such as: Applica...
Post a Comment
Read more

How to Validate TDE Wallet Password in Oracle Database

How to Validate TDE Wallet Password in Oracle Database Validating the Transparent Data Encryption (TDE) wallet password is crucial, especially when ensuring that the password is correct without using the OPEN or CLOSE commands in the database. This blog post explains a straightforward method to validate the TDE password using the mkstore utility. Steps to Validate TDE Wallet Password Follow these steps to validate the TDE wallet password: Step 1: Copy the Keystore/Wallet File Navigate to your existing TDE wallet directory. Copy only the ewallet.p12 file to a new directory. If a cwallet.sso file exists, do not copy it . The absence of cwallet.sso ensures that the wallet does not use auto-login, forcing the utility to prompt for the password. Step 2: Validate Using mkstore Use the mkstore utility to check the contents of the wallet file. The mkstore utility will prompt you for the TDE wallet password, allowing you to validate its correctness. Command Syntax To display the conten...
Post a Comment
Read more

EBS 12.2 ADOP Interview Questions With Scenarios

EBS 12.2 ADOP Interview Questions With Scenarios Note: Check the patch cycle log is important to fix any issues.  Location: $ADOP_LOG_HOME Useful Adop Commands Click here 1.What is ADOP concept in oracle apps Online patching is the most important new feature in Oracle E-Business Suite Release 12.2. It is the ability to patch a running system without having to take the system down for a significant period of time while the patches are applied. 'adop' is the utility we use to apply patches in R12.2 2.What is PATCH_TOP directory in R12.2 In R12.2 there is a new directory location environment variable called $PATCH_TOP which points to $NE_BASE/EBSapps/patch $NE_BASE points to <Non-Editioned-filesystem-directory> Download the patch into the patch top directory and unzip it. This is the default location where the adop will look for patch files. If you are planning to put patches in non-defualt location then you need to use adop parameter 'patchtop=<patch_path>' to...
Post a Comment
Read more