Thursday, February 3, 2011

two factor for zero dollar, love it long time...

We have a substantial RSA install out in my day job. It is a monster, with replicated concentrators and AD systems split over two data centers and tied together over VPN. We support a lot of folks in HPC, so it is worth trying to get it right.

However, I was very intrigued to see if I could do something on the down low in my basement using some sort of cheapo two-factor auth. Turns out it is absolutely cake to get running, even from a Mercurial repo. I timed this at 15 minutes end to end, plus a bit of faff to edit the right files; I blame my old age for not configuring things right the first time.

So first, grab the source, Luke!

(remember to also get the libpam-dev headers before you build, and note that make install drops the PAM module into the system PAM directory, so it needs root)
jcuff@srv:~$ sudo apt-get install libpam-dev
jcuff@srv:~$ hg clone google-authenticator
jcuff@srv:~$ sudo make install

Running it will spit out this (secret and codes are masked here, and the QR code URL is truncated):
jcuff@srv:~$ google-authenticator
|0&cht=qr&chl=otpauth://totp/jcuff@srv%3Fsecret%399999996V29999
Your new secret key is: GGX2DN3XXXXXXXXXXX
Your verification code is 1599999
Your emergency scratch codes are:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Then quickly set up these two lines. The PAM line names the module that make install just built (pam_google_authenticator.so), and sshd_config also needs UsePAM yes, which Ubuntu already sets by default:
jcuff@srv:~$ sudo vi /etc/pam.d/sshd
>>>>> auth required pam_google_authenticator.so

jcuff@srv:~$ sudo vi /etc/ssh/sshd_config
>>>>> ChallengeResponseAuthentication yes

Restart your sshd (keep an existing session open while you test, so a typo in pam.d does not lock you out), and then get the app from the app store. You can click the URL for the OTP QR code dumped out by the google-authenticator CLI above and your phone scans it and installs the token. Two things worth knowing: that URL carries your secret in the query string to a third-party chart service, so the secret has left your box the moment you click it; and only password/keyboard-interactive logins run through the PAM auth stack, so a public-key login still gets in without ever being asked for a code.

And you are all set. Use your passcode off your iPhone/BlackBerry:
jcuff@shuttle:~$ ssh srv
Verification code:
Linux srv 2.6.35-23-server #41-Ubuntu SMP Wed Nov 24 12:12:17 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.10

Welcome to the Ubuntu Server!
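What the phone and the PAM module are actually agreeing on is a TOTP (RFC 6238) built on HOTP (RFC 4226): HMAC-SHA1 of the current 30-second counter under the base32 secret, truncated to six digits. The "verification code" the CLI printed above is just that value at the moment the secret was generated. Here is an added example, not code from the original post or from the google-authenticator project, that computes the code from a secret, parses the otpauth URI the QR code encodes, and models the "disallow multiple uses" replay check on the server side. It assumes the RFC 4226 test key "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) in place of the masked secret, and the TotpVerifier class is a simplified model of the module's behaviour, not its code.

```python
# Added example (not part of the original post or the google-authenticator project):
# a pure-Python model of what the phone app and the PAM module compute.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample inputs: the RFC 4226 Appendix D test key in the base32 form an
# otpauth URI carries, and an otpauth URI shaped like the one the CLI prints.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TEST_URI = "otpauth://totp/jcuff@srv?secret=" + TEST_SECRET_B32


def decode_secret(secret_b32):
    """Base32-decode a Google Authenticator style secret (case/padding tolerant)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / 30s); this is what the app displays."""
    now = time.time() if now is None else now
    return hotp(secret_b32, int(now // step), digits)


def parse_otpauth(uri):
    """Pull the account label and the secret out of an otpauth://totp/... URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(u.query)
    return unquote(u.path.lstrip("/")), params["secret"][0]


class TotpVerifier:
    """Server-side check. Assumption: a simplified model of the PAM module, not its code.
    Accepts a code from within +/- `window` steps of clock skew, and never accepts the
    same or an older time step twice, which is the 'disallow multiple uses' option."""

    def __init__(self, secret_b32, window=1, step=30, digits=6):
        self.secret, self.window, self.step, self.digits = secret_b32, window, step, digits
        self.last_counter = None  # the state ~/.google_authenticator keeps between logins

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                if self.last_counter is not None and c <= self.last_counter:
                    return False  # replayed (or older) code: reject it
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    label, secret = parse_otpauth(TEST_URI)
    print(label, "current code:", totp(secret))
    v = TotpVerifier(secret)
    first = totp(secret, now=59)
    print("RFC 6238 t=59 code:", first, "accepted:", v.verify(first, now=59))
    print("same code again accepted:", v.verify(first, now=59))
```

The verifier keeps only the last accepted counter, so a code is good for one login and an attacker who shoulder-surfs or sniffs it gets nothing from replaying it within the same 30 seconds, which is exactly the trade the CLI prompt describes.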

Two factor for zero bucks... it sure makes me think about all the serious corn, FTE time and effort we have dropped on our RSA infrastructure... time will tell if this is a win or not.

(c) 2018 James Cuff