Comments on: Google Authenticator (and implementing it on Linux)

By: Use Google Authenticator to login to your linux box - Der PCFreak Blog

Use Google Authenticator to login to your linux box - Der PCFreak Blog — Tue, 15 Nov 2011 14:34:45 +0000

[...] Keith Garner Google Authenticator (and implementing it on Linux) [...]

By: derp

derp — Fri, 16 Sep 2011 15:57:31 +0000

Thanks for the mention on the patch – solved an issue I was having on how to get users to be able to run the setup on their own.

By: dugsong

dugsong — Wed, 20 Apr 2011 22:34:59 +0000

An alternative approach is not to use PAM at all, which is what we did for our open-source duo_unix package, (which supports two-factor auth via one-time passcodes, but also phone callback, SMS, and smartphone push). This allows a user to enable two-factor auth without admin intervention – and also protect SSH pubkey login, which is mutually exclusive with PAM currently in OpenSSH.

See our blog post about our open-source release here: http://blog.duosecurity.com/2011/04/announcing-duos-two-factor-authentication-for-unix/

By: Keith Garner

Keith Garner — Wed, 30 Mar 2011 15:00:17 +0000

suman,

This module seems to be geared for interactive text based use (ssh, telnet, etc.) I don’t think it’ll work for a web application. Google has been following an open standard, so I expect to see some libraries to help implement this for apache and/or various web frameworks. But this doesn’t seem to be it.

By: suman

suman — Wed, 30 Mar 2011 04:09:46 +0000

I am fairly naive on the PAM module. Does this authentication set up only for users of the system by default?? Is there an easy way to enable this for users of a web application?? Kinda like the way google implemented for gmail???

By: Keith Garner

Keith Garner — Thu, 24 Mar 2011 13:59:21 +0000

Doug, that’s a really good idea. The only thing i don’t like about it is that it requires admin intervention to do that. In some situations that may be desirable. For my needs, the non-admin-attention version is better.

By: Doug Kelly

Doug Kelly — Thu, 24 Mar 2011 05:11:07 +0000

An alternate idea to the “all or nothing” problem: use PAM to ignore the authenticator if you’re not in a certain group. The following configuration checks if the user is in group “secure,” and if they are, the authenticator is used. Otherwise, it is ignored. (The logic is somewhat backwards here, but it works.)

auth [default=ignore success=1] pam_succeed_if.so quiet user notingroup secure
auth required pam_google_authenticator.so

By: Keith Garner

Keith Garner — Thu, 24 Feb 2011 14:14:19 +0000

I just set this up on a second machine, and below is working again for me. I wonder what the difference is.

By: dbt

dbt — Thu, 24 Feb 2011 02:57:04 +0000

Weird. On my ubuntu machine it didn’t work unless I put the auth reuqired pam_google_authenticator.so line above @include common-auth

By: Tweets that mention Google Authenticator (and implementing it on Linux) « You can imagine where it goes from here. -- Topsy.com

Tue, 22 Feb 2011 22:37:13 +0000

[...] This post was mentioned on Twitter by Keith T. Garner, Jeff Jarmoc. Jeff Jarmoc said: RT @ktgeek: Blog spew: Google Authenticator (and implementing it on Linux) http://bit.ly/fyQTq6 [...]