Google authenticator on FreeBSD

I wanted to give this a quick try and this is how I did:
(not much deviate from any other howto on the subject..)

Compile the port
test3# uname -a
FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 i386
test3# cd /usr/ports/security/pam_google_authenticator/
test3# make all install distclean && rehash
I just used the default settings while compiling.

Add the pam module
auth required /usr/local/lib/

To /etc/pam.d/sshd

I then went to /etc/ssh/sshd_config and removed the comment on
ChallengeResponseAuthentication yes

Restart sshd
test3# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.

Set up the user
> google-authenticator
google-authenticator: Command not found.
> rehash
> google-authenticator|0&cht=qr&chl=otpauth://totp/
Your new secret key is: PKZ2JNIV6JXXX3SEC
Your verification code is 1266323
Your emergency scratch codes are:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Setup the phone
Scan the QR code in the url above or add it manually to google authenticator on your phone and you are good to go.

And finally, login and get prompted for the otp code
[mbp:~] henrik% ssh
Verification code:

Easy peasy!


Leave a Reply

Your email address will not be published. Required fields are marked *