How-to enable Multi Factor Authentication for Linux using Google Authenticator (part 1)
More than once a month, I get asked if there is a way to implement Multi-Factor Authentication on cloud-based Linux VMs without having to buy tokens or implement proprietary services.
There are a couple of open source MFA solutions available; for ease of installation and use I chose Google Authenticator.
This tutorial contains configuration instructions for both Debian and Red Hat based Linux distributions and is written for the versions that were current at the time of writing.
What is Google Authenticator and how does it work?
Google Authenticator is an alternative to SMS for 2-Step Verification: an app installed on an Android or iOS device generates the one-time codes locally, so no code has to be sent to the phone at all. It supports both the HOTP (counter-based, RFC 4226) and TOTP (time-based, RFC 6238) algorithms for generating one-time passwords.
With HOTP, the server and client share a secret key and a counter, from which each side independently computes the one-time password (an HMAC over the counter, truncated to six digits). Whenever a password is generated and used, the counter is incremented on both sides, keeping server and client in sync. If the client generates codes that never reach the server, the two counters drift apart and the server has to search a look-ahead window of counter values to resynchronise.
TOTP uses the same algorithm as HOTP with one major difference: the counter is replaced by the current Unix time divided into fixed steps (30 seconds by default). Client and server remain in sync as long as their clocks agree, which is why the server should keep its time correct with the Network Time Protocol; most server implementations also accept the codes of one or two adjacent time steps to tolerate small clock drift.
The secret key (and, in the case of HOTP, the initial counter) has to be provisioned to both the server and the client at some point. In the case of Google Authenticator this is done with a QR code that encodes an otpauth:// URI; see KeyUriFormat for the details. Treat that QR code and the secret it contains like a password: anyone who captures it can generate the same codes.
How do I install Google Authenticator?
The installation consists of 5 steps; this first part covers steps 1 and 2.
STEP 1: Install the Client on a mobile device.
First the Google Authenticator app has to be installed on a mobile device:
Android: Get the latest version directly from Google Play.
iOS: Get the latest version directly from the App Store.
Windows: There is no official Google Authenticator app, but compatible authenticator apps are available from the Microsoft Store; any app that implements TOTP according to RFC 6238 will work with the PAM module.
STEP 2: Install the PAM module on your Linux machine.
Debian based distributions (apt):
The distribution package pulls in its own dependencies automatically; the -y switch only answers "yes" to the confirmation prompt. Time synchronisation is not a dependency of the package, so make sure NTP (or chrony / systemd-timesyncd) is configured as well, since TOTP relies on an accurate clock.
sudo apt-get -y install libpam-google-authenticator
Red Hat based distributions (yum):
Here the module is built from source, so we first need the development tools (a compiler and make) and the libraries it links against. We use yum to install the "Development Tools" group:
sudo yum -y groupinstall "Development Tools"
Now we need to install the PAM development package (headers for building a PAM module):
sudo yum -y install pam-devel
We install, start and enable ntp so the system clock stays correct, since we will be using time-based codes:
sudo yum -y install ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd
Now we can download the Google Authenticator PAM module source from code.google.com; we will download it to /opt. (Google Code has since shut down and the project now lives at https://github.com/google/google-authenticator-libpam; if the URL below no longer resolves, fetch a current release archive from there and adjust the file names accordingly. Current Red Hat based releases also ship the module as the google-authenticator package in EPEL, which avoids building from source.)
cd /opt
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Decompress and unpack the archive, remove the tarball, and compile the module:
bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar
rm -f libpam-google-authenticator-1.0-source.tar
cd libpam-google-authenticator-1.0
make
When the compilation has completed successfully, the module can be installed (note: this has to be done by a privileged user):
sudo make install
This installs the PAM module pam_google_authenticator.so together with the google-authenticator command-line tool that is later used to create a user's secret.
In the next part of this tutorial we will show how to set up Google Authenticator for a user and how to avoid needing a separate authenticator entry for every server you want to access.