Closed raviteja-b closed 5 months ago
trying to setup 2factor authentication with google-authenticator on host system. where does google-authenticator supposed to run for generating secret key??
can we run this google-authenticator on on another server machine and generated secret can be installed to another host system? what's right way to generate secret key programmatically to support standard rest/redfish interfaces to enable/disable Google Authenticator.
I see google-authenticator interactive command line version, but if I want to have same configuration programatically how to do it? another way than consuming google-authenticator command line tool
What?
What?
Hi Thomas
I am setting up 2 Factor authentication on a server system. I have integrated google-authenticator pam library into system and modified PAM configuration as suggested. I could use google-authenticator command line tool and generated Secret key which is placed at /home/$user/.google-authenticator and authentication works with TOTPs generated.
now I wanted to integrate this google-authenticator command line tool into a program which gets trigged when Google Authenticator enabled for that user.
how to use this interactive command line tool into a programmatic method so I was asking 1) usually where does this google-authenticator setup secret key needs to happen? 2) is there programmatic approach to setup MFA secret key for users besides this command line tool
my requirement is system may have multiple user and google authenticator can be controlled at user level, When it enabled for one user, then google-authenticator secret key setup needs to done for that user
google-authenticator
CLI, or the sysadmin running it on their behalf, and having them scan the QR code../google-authenticator -t -C -f -d -w 3 -r 3 -R 30
and it generates everything without interactivity. I don't know what you mean by "programmatic".
- Usually by the user running the
google-authenticator
CLI, or the sysadmin running it on their behalf, and having them scan the QR code.- You can run something like
./google-authenticator -t -C -f -d -w 3 -r 3 -R 30
and it generates everything without interactivity. I don't know what you mean by "programmatic".
so system admins run this google-authenticator binary on any other system and upload that secret key into host system which will be used by google-pam module for TOTP authentication ?? or google-authenticator binary needs to run on the same host machine where ever google-pam module consumes Google Authenticator secret key??
one more question, suppose I ran google-authenticator on another system which has different time than device where ever TOTP is generated. basically time is not synced between these two systems then TOTP still works ??
so system admins run this google-authenticator binary on any other system and upload that secret key into host system which will be used by google-pam module for TOTP authentication ??
You can do that. Just use -s tempfile
when you generate them, to control where the secret gets written.
or google-authenticator binary needs to run on the same host machine where ever google-pam module consumes Google Authenticator secret key??
All it does gets written to the file. Doesn't have to be run on a specific machine.
suppose I ran google-authenticator on another system which has different time
google-authenticator
just provisions the secrets. It does not care about the time. Only the PAM module and the mobile app does.
Not that I'd recommend that any of your systems have the wrong time set.
so system admins run this google-authenticator binary on any other system and upload that secret key into host system which will be used by google-pam module for TOTP authentication ??
You can do that. Just use
-s tempfile
when you generate them, to control where the secret gets written.or google-authenticator binary needs to run on the same host machine where ever google-pam module consumes Google Authenticator secret key??
All it does gets written to the file. Doesn't have to be run on a specific machine.
suppose I ran google-authenticator on another system which has different time
google-authenticator
just provisions the secrets. It does not care about the time. Only the PAM module and the mobile app does.Not that I'd recommend that any of your systems have the wrong time set.
Suppose admin run google-authenticator on a remote server and install the same secret key to other host which has google-pam-authenticator pam configuration is setup for 2 factor google authentication is its acceptable? is it not a security concern??
I would not install the same secret key onto multiple servers. It has two main problems:
I would not install the same secret key onto multiple servers. It has two main problems:
- If one server is hacked, then the attacker can now bypass the second factor on the other server.
- If someone (or malware) sees you enter a code on one server, they can reuse that code on another server, within the TOTP time window. They become no longer single use.
ok got it, I am trying to understand the steps admin needs to follow to setup Google Authenticator secret key for a single host system in data centres. I dont find any documentation for the same.
You want a single OTP entry in someone's phone to work on more than one server, yet be secure? Sounds like you need LDAP or something.
You want a single OTP entry in someone's phone to work on more than one server, yet be secure? Sounds like you need LDAP or something.
my question mostly on setting up google authenticator secret key for multiple users on server. shall I generate secret key on laptop by running google-authenticator binary and then install this secret key on the server for each user? or is it security concern ?
That's fine. You'll need to take a screenshot of the QR code when you generate a user's secrets, unless you want them to manually type the secret in, in the app.
You want a single OTP entry in someone's phone to work on more than one server, yet be secure? Sounds like you need LDAP or something.
@ThomasHabets how to enable Google Authenticator for LDAP users? LDAP user does not exist on host system, LDAP user present on remote LDAP server
I've not set up LDAP or PAM with LDAP, so don't know. I would assume that LDAP has a way to use PAM modules like this one, to auth.
I've not set up LDAP or PAM with LDAP, so don't know. I would assume that LDAP has a way to use PAM modules like this one, to auth.
@ThomasHabets can anyone else from this community help on setting up google-authentication with ldap ? Is there any document to help setup google-authentication with LDAP
That's more of a question for the LDAP community: How does one call out to PAM for auth.
That's more of a question for the LDAP community: How does one call out to PAM for auth.
I have ldap authentication working on my system, but I wanted to enable google-authenticator for LDAP setup my question more on how to enable libpam-google-authenticator work with LDAP users
Right, and it sounds like what you want is sshd
->LDAP server->PAM, and the missing piece here is LDAP server->PAM, and that's an LDAP server question.
I am trying to setup 2factor authentication with google-authenticator on host system. where does google-authenticator supposed to run for generating secret key??
run google-authenticator on the same host machine then it generates secret key and store in /home/$user/.google-authenticator file
I want to support this enable/disable google authentication for each user using external interface like rest interfaces.
then how to use this existing google-authenticator? where does this google-authenticator supposed generated secret key? can admin this google-authenticator setup on other machines and install to another host machine??