Two Factor Authentication in CentOS 6

2013-09-25 17:23 PDT

On any given day the company that I work for has over 100 Linux virtual machines up and running with our cloud-based infrastructure provider. Because of the cursed “but that’s the way we’ve always done it” mindset, we use a set of common usernames and passwords for most of these systems. It’s maddening. Anyway, I needed to improve security a bit while not throwing too large of a wrench into the works. Also, for our production systems (which do not use common user accounts and passphrases) I wanted an extra step in authentication. To that end, I created some scripts to automate the process for me. Based heavily on Ben Charlton’s excellent write-up titled Two-factor time based (TOTP) SSH authentication with pam_oath and Google Authenticator, and adapted to serve my needs, my totp-setup repository will take any CentOS 6 or RHEL 6 box, install the open source EPEL repository, install the necessary packages and configure oath for TOTP authentication on SSH connections only. Because it uses oath, you could easily ask it to provide TOTP authentication nearly anywhere. You can fork totp-setup to create your own solution.

If your requirements are the same as mine, you are welcome to use what I have written up as it is. Simply run oath-setup.sh from a shell with elevated privileges in order to set oath up for your system. This will install the EPEL repository and the necessary packages. It will also make some changes to /etc/ssh/sshd_config and edit some files in /etc/pam.d/.

Running totp-user-setup.sh will generate a user token and place the corresponding secret key in /etc/users.oath. Currently it provides this information to the root user; I suppose in an ideal world this info would be conveyed only to the intended recipient. I haven’t solved that issue just yet.
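For reference, here is an added example (not the totp-setup scripts themselves) of what the per-user step boils down to: generating a secret, formatting the line pam_oath expects in /etc/users.oath (hex secret, 30-second time step), producing the base32 form an authenticator app wants, and computing the current TOTP code so the setup can be checked before the session is closed. The hostname and user name are placeholders.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def new_secret(nbytes=20):
    # 160-bit random secret; 20 bytes matches the RFC 6238 SHA-1 reference.
    return os.urandom(nbytes)


def users_oath_line(user, secret):
    # pam_oath usersfile format: "HOTP/T30 <user> - <hex secret>"
    # (T30 selects TOTP with a 30 s step). The file must be root-only.
    return "HOTP/T30 %s - %s" % (user, secret.hex())


def base32_secret(secret):
    # Authenticator apps take the same key as unpadded base32.
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def otpauth_uri(user, host, secret):
    # Provisioning URI; host and user are placeholders supplied by the caller.
    return "otpauth://totp/%s@%s?secret=%s" % (user, host, base32_secret(secret))


def totp(secret, now=None, step=30, digits=6):
    # RFC 6238: HMAC-SHA1 over the big-endian time counter, dynamic truncation.
    if now is None:
        now = time.time()
    counter = int(now) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


if __name__ == "__main__":
    secret = new_secret()
    print(users_oath_line("alice", secret))      # line to append to /etc/users.oath
    print(otpauth_uri("alice", "host.example", secret))
    print("current code:", totp(secret))          # should match the app
```

The line for /etc/users.oath and the current code agree with what pam_oath computes, so comparing the printed code against the app is a quick check that the secret was copied correctly.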