
Security Sysadmin Google Authenticator

Discussion in 'System Administration' started by Jimmy, Feb 6, 2017.

  1. pamamolf

    pamamolf Premium Member Premium Member

    4,101
    428
    83
    May 31, 2014
    Ratings:
    +837
    Local Time:
    6:28 AM
    Nginx-1.26.x
    MariaDB 10.6.x
    There should be an (easy) way to revert that, like using KVM maybe?

     
  2. eva2000

    eva2000 Administrator Staff Member

    55,245
    12,253
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,833
    Local Time:
    1:28 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  3. eva2000

    If folks want to test it out on a TEST CentOS 7 only server with Centmin Mod installed already, I've built a custom google-authenticator rpm for CentOS 7 + Centmin Mod LEMP stack environments and uploaded it to https://centminmod.com/centminmodparts/google-authenticator/. The postinstall_steps.txt file has the rest of the setup instructions after installing the google-authenticator-1.03-1.el7.centos.x86_64.rpm rpm.

    Code (Text):
    yum localinstall google-authenticator-1.03-1.el7.centos.x86_64.rpm
    Loaded plugins: fastestmirror, priorities
    Examining google-authenticator-1.03-1.el7.centos.x86_64.rpm: google-authenticator-1.03-1.el7.centos.x86_64
    Marking google-authenticator-1.03-1.el7.centos.x86_64.rpm to be installed
    Resolving Dependencies
    --> Running transaction check
    ---> Package google-authenticator.x86_64 0:1.03-1.el7.centos will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================================================================================================================================================================================
     Package                                                   Arch                                        Version                                                  Repository                                                                           Size
    ==========================================================================================================================================================================================================================================================
    Installing:
     google-authenticator                                      x86_64                                      1.03-1.el7.centos                                        /google-authenticator-1.03-1.el7.centos.x86_64                                       78 k
    
    Transaction Summary
    ==========================================================================================================================================================================================================================================================
    Install  1 Package
    
    Total size: 78 k
    Installed size: 78 k
    Is this ok [y/d/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : google-authenticator-1.03-1.el7.centos.x86_64                                                                                                                                                                                          1/1
      Verifying  : google-authenticator-1.03-1.el7.centos.x86_64                                                                                                                                                                                          1/1
    
    Installed:
      google-authenticator.x86_64 0:1.03-1.el7.centos                                                                                                                                                                                                     
    Complete!

    Code (Text):
    rpm -ql google-authenticator
    /lib64/security/pam_google_authenticator.so
    /usr/bin/google-authenticator
    /usr/share/doc/google-authenticator/FILEFORMAT
    /usr/share/doc/google-authenticator/README.md
    /usr/share/doc/google-authenticator/totp.html


    Code (Text):
    rpm -qa --changelog google-authenticator
    * Mon Feb 06 2017 George Liu <centminmod.com> - 1.03
    - custom 1.03 build for centminmod.com environments
    
    * Wed Jan 13 2016 Dan Molik <dan@d3fy.net> - 1.01
    - A new and updated build for google-authenticator
    
     
    Last edited: Feb 6, 2017
  4. eva2000

    Looks like a few corrections are needed in the rpms for paths, so I have to redo the rpms, heh.

    Edit: OK, rather than change the rpm spec file, I changed the post install instructions text file outlined here, changing the referenced directory from /usr/local/security to /lib64/security.
     
    Last edited: Feb 6, 2017
  5. eva2000

    First SSH login prompt is for 2FA code

    securecrt-ssh-keyinteractive-demo-01.png
    Second is for root user password

    securecrt-ssh-keyinteractive-demo-02.png
    Ensure keyboard interactive is the first preference in your SSH client, e.g. below is for the SecureCRT SSH client.

    securecrt-ssh-settings-01.png
     
  6. SFLC

    SFLC Active Member

    223
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    5:28 AM
    1
    10
    Ah crap, installed it from your rpm and followed the postinstall instructions, now it won't take my code and I can't get back in.
     
  7. SFLC

    OK, so I got back in. My server's time zone is UTC and my phone is in -5 EST, gonna have to change the server time zone to match mine.
     
  8. SFLC

    lol, so epic fail on my part, didn't seem to make a difference what the server timezone was, as I had entered the key with a typo in GA on my phone. All fixed now, works perfectly.
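
Added example, not part of the thread and not Centmin Mod or google-authenticator code: a minimal RFC 6238 TOTP check showing why the server's time zone has no effect on the code while a mistyped key, or a clock that is actually wrong, does. The secret is the constructed RFC 6238 test key, and the one-step tolerance in `verify` is an assumption, not a setting read from the rpm's PAM configuration.

```python
import base64, hashlib, hmac, struct
from datetime import datetime, timedelta, timezone

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# The same secret with its last character mistyped (Q -> O), as in a manual key-entry typo.
TYPO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJO"


def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a Unix timestamp."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(unix_time) // step)   # 30-second step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1, step=30):
    """Accept the code for the current step or up to `window` steps either side."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * step), code)
        for i in range(-window, window + 1)
    )


def same_instant_two_zones(epoch):
    """Return the codes computed from UTC and UTC-5 views of one instant."""
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    est = utc.astimezone(timezone(timedelta(hours=-5)))
    assert utc.hour != est.hour                 # wall clocks differ
    return totp(SECRET, utc.timestamp()), totp(SECRET, est.timestamp())


if __name__ == "__main__":
    t = 1111111109                               # RFC 6238 test time
    print("UTC vs UTC-5 :", same_instant_two_zones(t))
    print("typo'd secret:", totp(TYPO_SECRET, t), "vs", totp(SECRET, t))
    print("2 s later    :", verify(SECRET, totp(SECRET, t), t + 2))
    print("clock 5 h off:", verify(SECRET, totp(SECRET, t), t + 5 * 3600))
```

The code is derived from seconds since the Unix epoch, so two devices in different time zones agree as long as both clocks are correct (for example, both synced via NTP).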
     
  9. eva2000

    ah that would be a problem if you kept entering the wrong verification code :)
     
  10. SFLC

    Oh I did, at least 10 times or so, my IP is blocked now, have to connect using a VPN, but at least I can get in. The question now is, how do I unban my IP?
     
  11. SFLC

    Nice, it uses csf, removed my IP from csf.deny and now I'm good.

    I really like this, and thanks to @Jimmy and @eva2000 for making this happen.

    I find that using FileZilla, and having to enter the verification code/password, is inconvenient, as after 1 min I'm auto-disconnected and have to keep doing that over and over. I set the timeout higher in FileZilla but it won't follow it, so I'm assuming it's a setting on the server side, FTP-wise.
     
  12. eva2000

  13. SFLC

    Ya, I'm doing that anyway. Tested even uploading with just 1 file at a time, seems after 1 min in between uploads I have to reauthenticate. Looked at pure-ftpd.conf and idle timeout is set to 15 min, so I'm thinking this could be a FileZilla issue. Any FTP client recommendations for Macs?
     
  14. SFLC

    What's strange is the timeout doesn't seem to be in effect, as I remain connected to FTP and can navigate directories. The reauthentication comes up when I try to upload, so strange.
     
  15. SFLC

    That's interesting, looks like FileZilla caches directory listings.
     
  16. eva2000

    Strange, tested myself and have no timeouts or re-prompts. I waited 12+ minutes to idle the connection to SFTP with 2FA and re-tried uploading files, and no prompt here in FileZilla

    with max 1 connection limit.

    upload_2017-2-7_7-49-6.png
     
  17. SFLC

    lol, you were right @eva2000, I changed the settings as you said, but initially I left the FileZilla window open. It turned out it needed to be closed and reopened for the settings to take effect. Must be a Mac thing, but on the bright side I didn't have to go searching for any device drivers (yes, this is a cheap shot at Windows users) :sneaky:
     
  18. Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    11:28 PM
    @SFLC thank @eva2000 more than me. I just posted the thread because I was interested in this. @eva2000 really did the legwork. :) Honestly I hadn't even thought about the additional setup needed when using FileZilla with 2FA.

    I'm on Linux Desktop, so I can use my file browser to connect. Curious how that's going to work.
     
  19. SFLC

    That's a good question, I don't think that's going to work natively like that.

    Maybe check out these:

    How To Use SSHFS to Mount Remote File Systems Over SSH | DigitalOcean

    SSHFS - ArchWiki

    I've never used sshfs, but I use gcsfuse to mount my Google buckets and I really like the concept. Might have to experiment with this in the future, as that would eliminate the need for FTP. I love killing services, it's one of my favorite activities, it can't be hacked if it's not up :cautious:
     
  20. Jimmy

    :LOL:

    True dat. Let me know how it goes. I won't have time until later this week to fire up a DO VPS to test this out.