google-authenticator

最後更新: 2015-03-03

目錄

介紹

  • Multiple accounts
  • 30-second TOTP codes
  • Key provisioning via scanning a QR code
  • Protection against replay attacks
  • Support for emergency scratch codes

Home Page

http://code.google.com/p/google-authenticator/

 


安裝

 

Ubuntu12.04

apt-get install libpam-google-authenticator

獲得:

  1. /lib/security/pam_google_authenticator.so
  2. /usr/bin/google-authenticator

Debian6/7

aptitude install libqrencode3

Download Package:

i386:

http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_i386.deb

amd:

http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20130529-2_amd64.deb

Centos6

# EPEL

yum install google-authenticator

獲得 file: /lib/security/pam_google_authenticator.so

Centos7

# 新版 epel 有 google-authenticator, 所以不用自行 Compile 了

yum -y groupinstall "Development Tools"

yum -y install pam-devel

cd /usr/src

wget https://github.com/google/google-authenticator-libpam/archive/refs/heads...

unzip master.zip

cd google-authenticator-libpam-master

./bootstrap.sh

libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
configure.ac:11: installing 'build/config.guess'
configure.ac:11: installing 'build/config.sub'
configure.ac:8: installing 'build/install-sh'
configure.ac:8: installing 'build/missing'
Makefile.am: installing 'build/depcomp'
parallel-tests: installing 'build/test-driver'

./configure

make -j        # 獲得 .libs/pam_google_authenticator.so

Install by cp

cp -a .libs/pam_google_authenticator.so /usr/lib64/security

cp -a google-authenticator /usr/bin

學習

man google-authenticator

man pam_google_authenticator

 


設定: pam + sshd

 

設定 pam:

修改 /etc/pam.d/sshd 加入

# authenticator 及 password 同時正確才可以 login

auth required pam_google_authenticator.so

# 如果想單是它 login 就夠 (不理會 user passwd)

auth sufficient pam_google_authenticator.so

Example:

# Debian

# google_authenticator
auth sufficient pam_google_authenticator.so

# Standard Un*x authentication.
@include common-auth
..............................................

# Centos

#%PAM-1.0
auth       required     pam_sepermit.so

# google_authenticator
auth       sufficient   pam_google_authenticator.so

auth       include      password-auth

注意這樣的次序 !! pam_sepermit, pam_google_authenticatorm, password-auth

nullok

During the initial roll-out process, you might find that not all users have created a secret key yet.

If you would still like them to be able to log in, you can pass the "nullok" option

...
auth required pam_google_authenticator.so nullok
...

設定 sshd:

修改 /etc/ssh/sshd_config 加入

# google_authenticator 是用 PAM 去認證的

# Default: "no"
UsePAM yes

# Specifies whether challenge response authentication is allowed (default is "yes")

ChallengeResponseAuthentication yes

# 保留傳統的 Password login

PasswordAuthentication yes

service sshd restart

root login 時的 log:

.. sshd(pam_google_authenticator)[15687]:
 Failed to read "/root/.google_authenticator" for "root"
.. sshd[15679]: Accepted keyboard-interactive/pam 
 for root from s.s.s.sport 9193 ssh2

建立 Authentication Key (~/.google_authenticator):

google-authenticator

之後會見到 QR code 及答以下問題

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication              <--- DISALLOW_REUSE
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for     <--- WINDOW_SIZE
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force  <--- 
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Remark

By default the PAM module requires that

  • the secrets file must be owned the user logging in
  • requires the secrets file to be readable only by the owner of the file (mode 0600 by default)

 


Configure File

 

~/.google_authenticator

Option

They all start with a double quote character, followed by a space character.

This ensures that they cannot accidentally appear anywhere else in the file.

RESETTING_TIME_SKEW t1 t2 ...

記錄來, 不是設定

// If the user can produce a sequence of three consecutive codes that fall

// within a day of the current time. And if he can enter these codes in

// quick succession, then we allow the time skew to be reset.

TIME_SKEW n

記錄來, 不是設定

// If a user repeated attempts to log in with the same time skew,

// remember this skew factor for future login attempts

RATE_LIMIT                         # -r, --rate-limit=N; -R, --rate-time=M

# restricts the number of logins to at most "n" within each "m" second interval

# Additional parameters "?" in this line are undocumented;

# they are used internally to keep track of state.

RATE_LIMIT n m ?

Over 後不再問

Verification code:

log

... sshd(pam_google_authenticator)[28681]:
 Too many concurrent login attempts ("/root/.google_authenticator"). Please try again.

WINDOW_SIZE n                 # -w n

# Default: 3. allowing up to "n" extra valid token before and after the currently active one

WINDOW_SIZE n

In counter-based mode, this option is the number of valid tokens after the currently active one.

DISALLOW_REUSE               # -D

If present, this signals that a time-based token can be used at most once.

This means that users can typically not log in faster than once every ~30 seconds.

A space-separated list of time stamps that have previously been used for login attempts

DISALLOW_REUSE t1 t2 ...

TOTP_AUTH

The "secret" can be used to authenticate users with a time-based token.

Exampe

???????????????                               <-- base32 encoded secret
" RESETTING_TIME_SKEW 45418776+9 45418783+9   <-- optional start with " 
" TIME_SKEW -960
" RATE_LIMIT 3 30 1362564814
" WINDOW_SIZE 3                               <-- from 3 to "n", default 3
" DISALLOW_REUSE 45418788 45418790
" TOTP_AUTH            <-- 啟用 time-based token 登入
8359????               <-- one-time tokens, eight-digit numbers
6479????               <-- 用了那行, 那行就會被刪除
6257????

Template: ~/.google_authenticator

????
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH

Other Opts

STEP_SIZE n            # -S n

The number of seconds in each time step during which a TOTP code is valid.(Default: 30s)

 


QR codes Format

 

URI with the following format:

otpauth://TYPE/LABEL?PARAMETERS

# Google Authenticator

otpauth://totp/LABEL?secret=key.base32

# LABEL 用來顯示而已

# key at least 30 hex chars

i.e.

otpauth://totp/software@mydomian?secret=0123456789abcdef0

 


HOTP

 

HOTP = HMAC-Based One-time Password(RFC 4226)

Event-based One-Time Password

原理:

seed(secret key) + moving factor(counter)

The counter on the server is incremented only when an OTP is successfully validated

The OTP generator and the server are synced each time the code is validated and the user gains access

Setting

HOTP_COUNTER n

Authenticate users with a counter-based token

The argument "n" represents which counter value the token will accept next.