A way to enable MFA (multi-factor authentication) for ETX, NX and SSH at zero cost
How to Enable Google Authenticator on ETX, NX and SSH?
This guide assumes you already have ETX and NX instances running and only want to add Google Authenticator to them.
1. Compile Google Authenticator from source, or install it from an rpm, on the ETX proxy nodes, NX login nodes and SSH nodes.
1.1 Download the source code (google-authenticator-libpam-master.zip) and compile it (recommended):
>./bootstrap.sh
>./configure --prefix=/usr/local/packages/tapeout_google_authenticator
>make
>make install
1.2 Or install the rpm package:
[root@ ]# rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm
Preparing... ########################################### [100%]
1:google-authenticator ########################################### [100%]
1.3 To enable Google Authenticator for a user, the command /usr/bin/google-authenticator (or /usr/local/packages/tapeout_google_authenticator/bin/google-authenticator when built from source) must be run once as that user; it writes the secret and the chosen options to ~/.google_authenticator. This can be automated as part of user creation, and the file can be pushed to existing users' home directories. Until a user has this file, the PAM lines below (which use the module as required, without the nullok option) will refuse that user's login.
chameleon05.fab3:(/home/ron)> /usr/bin/google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ron@chameleon305%3Fsecret%3DXUxx34xxxxQCQG4AIxxx
Your new secret key is: XU3xxxxCQG4AIxxxxxx
Your verification code is 880552
Your emergency scratch codes are:
47465238
64249605
70511083
66210068
44749040
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
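The three answers above (a window of codes around the current time, no reuse of a code, and rate limiting) are what the PAM module enforces at login. The following is an added example, not part of the original guide or of the google-authenticator project's code: a minimal RFC 6238 TOTP generator plus a server-side verifier that applies those three rules. The secret is the RFC 6238 test key, constructed here for demonstration, and the Verifier class with its window and rate_limit parameters are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds a code is valid, as the setup prompt above says
# RFC 6238 test key (base32 of "12345678901234567890"); constructed for this example
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def b32_key(secret: str) -> bytes:
    """Decode the base32 secret that google-authenticator prints (it omits padding)."""
    secret = secret.strip().replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def totp(secret: str, counter: int, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    mac = hmac.new(b32_key(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server-side check applying the three options chosen in step 1.3:
    window of accepted codes, no reuse of a code, and a rate limit."""

    def __init__(self, secret, window=3, disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret
        self.skew = window // 2           # window 3 -> current code plus one either side
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.interval = rate_limit  # e.g. 3 attempts per 30 s
        self.used = set()                 # counters already consumed (DISALLOW_REUSE)
        self.attempts = []                # timestamps of recent attempts (RATE_LIMIT)

    def verify(self, code: str, now: int) -> bool:
        self.attempts = [t for t in self.attempts if now - t < self.interval]
        if len(self.attempts) >= self.max_attempts:
            return False                  # too many attempts in the interval
        self.attempts.append(now)
        counter = now // STEP
        for c in range(max(0, counter - self.skew), counter + self.skew + 1):
            if self.disallow_reuse and c in self.used:
                continue                  # a replayed code is never accepted
            if hmac.compare_digest(totp(self.secret, c), code):
                self.used.add(c)
                return True
        return False
```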
1.4 Install the Google Authenticator app on your smartphone, then add your secret key and confirm the verification code.
2. ETX setup
2.1 Install Google Authenticator on the ETX node designated with the Auth role (see 1.1).
2.2 Edit /etc/pam.d/exceed-connection-node and add the auth line that loads pam_google_authenticator.so (the line after pam_sepermit.so and before the password-auth include in the listing below).
#%PAM-1.0
auth required pam_sepermit.so
auth required /usr/local/packages/tapeout_google_authenticator/lib/security/pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth include password-auth
#account required pam_nologin.so
#account include password-auth
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
2.3 ETX login
3. NX setup
3.1 Install Google Authenticator on your NX login node (see 1.1 or 1.2).
3.2 Edit /etc/pam.d/nx and add the auth line that loads pam_google_authenticator.so (the line after pam_unix.so in the listing below). Note that pam_unix.so above it is marked sufficient, so a user whose password pam_unix.so accepts (typically a local account) completes authentication there and is never asked for a verification code; to make the second factor mandatory for every account, place the pam_google_authenticator.so line before pam_unix.so.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required /usr/local/packages/google_authenticator/lib/security/pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
#auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
3.3 NX login:
4. SSH setup
4.1 Set up Google Authenticator on the ssh login node (see 1.1 or 1.2).
4.2 Add the auth line that loads pam_google_authenticator.so (the first auth line in the listing below) to /etc/pam.d/sshd:
[root@]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required /usr/local/packages/tapeout_google_authenticator/lib/security/pam_google_authenticator.so secret=${HOME}/.google_authenticator
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
4.3 Set ChallengeResponseAuthentication to "yes" in /etc/ssh/sshd_config, so that sshd passes the PAM conversation (and with it the verification-code prompt) to the client.
[root@chameleon305]# cat /etc/ssh/sshd_config | grep Challenge
ChallengeResponseAuthentication yes
4.4 Restart sshd.
[root@chameleon305 ~]# /etc/init.d/sshd restart
4.5 Test an ssh login. You will now be prompted for a Verification code as well as the password.
hostnode:(/home/ron)> ssh chameleon305
Password:
Verification code:
Last login: Fri Feb 1 14:39:24 2019 from xxx
chameleon305:ron>