Tag Archives: otp

Google authenticator on Raspberry Pi

Google authenticator logoAfter adding ssh keys as I try to always do on my systems I went on to installing the Google authenticator module.

Install and setup
construct:~# apt-cache search google-authenticator
libpam-google-authenticator - Two-step verification
construct:~# apt-get install libpam-google-authenticator

then as my user I just run google-authenticator to set it up:
henrik@construct ~ $ google-authenticator
Continue reading


Google authenticator on FreeBSD

I wanted to give this a quick try and this is how I did:
(not much deviate from any other howto on the subject..)

Compile the port
test3# uname -a
FreeBSD test3.xxxxx.se 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
test3# cd /usr/ports/security/pam_google_authenticator/
test3# make all install distclean && rehash
I just used the default settings while compiling.

Add the pam module
auth required /usr/local/lib/pam_google_authenticator.so

To /etc/pam.d/sshd

I then went to /etc/ssh/sshd_config and removed the comment on
ChallengeResponseAuthentication yes

Restart sshd
test3# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.

Set up the user
> google-authenticator
google-authenticator: Command not found.
> rehash
> google-authenticator
Your new secret key is: PKZ2JNIV6JXXX3SEC
Your verification code is 1266323
Your emergency scratch codes are:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Setup the phone
Scan the QR code in the url above or add it manually to google authenticator on your phone and you are good to go.

And finally, login and get prompted for the otp code
[mbp:~] henrik% ssh
Verification code:

Easy peasy!