There should be an (easy) way to revert that, like using KVM maybe?
Outdated a bit as the GitHub repo has changed - I use my guide at, heh, "2FA for centminmod · GitHub", but the guide you linked to has explanations you want to read.
If folks want to test it out on a TEST CentOS 7 only server with Centmin Mod installed already, I've built a custom google-authenticator rpm for CentOS 7 + Centmin Mod LEMP stack environments and uploaded it to https://centminmod.com/centminmodparts/google-authenticator/

postinstall_steps.txt has the rest of the setup instructions after installing the google-authenticator-1.03-1.el7.centos.x86_64.rpm rpm.

Code (Text):
yum localinstall google-authenticator-1.03-1.el7.centos.x86_64.rpm
Loaded plugins: fastestmirror, priorities
Examining google-authenticator-1.03-1.el7.centos.x86_64.rpm: google-authenticator-1.03-1.el7.centos.x86_64
Marking google-authenticator-1.03-1.el7.centos.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package google-authenticator.x86_64 0:1.03-1.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch     Version             Repository                                       Size
================================================================================
Installing:
 google-authenticator   x86_64   1.03-1.el7.centos   /google-authenticator-1.03-1.el7.centos.x86_64   78 k

Transaction Summary
================================================================================
Install  1 Package

Total size: 78 k
Installed size: 78 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : google-authenticator-1.03-1.el7.centos.x86_64    1/1
  Verifying  : google-authenticator-1.03-1.el7.centos.x86_64    1/1

Installed:
  google-authenticator.x86_64 0:1.03-1.el7.centos

Complete!

Code (Text):
rpm -ql google-authenticator
/lib64/security/pam_google_authenticator.so
/usr/bin/google-authenticator
/usr/share/doc/google-authenticator/FILEFORMAT
/usr/share/doc/google-authenticator/README.md
/usr/share/doc/google-authenticator/totp.html

Code (Text):
rpm -qa --changelog google-authenticator
* Mon Feb 06 2017 George Liu <centminmod.com> - 1.03
- custom 1.03 build for centminmod.com environments

* Wed Jan 13 2016 Dan Molik <dan@d3fy.net> - 1.01
- A new and updated build for google-authenticator
Looks like a few corrections are needed in the rpms for paths, so I have to redo the rpms, heh. Edit: OK, rather than change the rpm spec file, I changed the post-install instructions text file outlined here, changing the referenced directory from /usr/local/security to /lib64/security.
The first SSH login prompt is for the 2FA code. The second is for the root user password. Ensure keyboard-interactive is the first preference in your SSH client, i.e. below is for the SecureCRT SSH client.
Ah crap, installed it from your rpm and followed the postinstall instructions, now it won't take my code and I can't get back in.
OK, so I got back in. My server's time zone is UTC and my phone is in -5 EST, gonna have to change the server time zone to match mine.
Lol, so epic fail on my part, didn't seem to make a difference what the server timezone was, as I had entered the key with a typo in GA on my phone. All fixed now, works perfectly.
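Added example (not part of the posts above, and not the google-authenticator source): a minimal RFC 6238 TOTP check showing why the server's time zone setting is irrelevant while a mistyped key or a drifting clock is not. The secret is the RFC 6238 test key, `TYPO` is constructed, and the ±1 step acceptance window in `verify` is an assumption about the verifier's configuration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP, DIGITS = 30, 6  # RFC 6238 defaults (HMAC-SHA1, 30 s step, 6 digits)
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, base32
TYPO = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJR"    # constructed: last character mistyped


def totp(secret_b32: str, unix_time: float) -> str:
    """Code for a base32 secret at a Unix timestamp (seconds since the epoch)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # authenticator keys are unpadded
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the previous, current or next step's code (assumed window)."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * STEP), code)
        for i in range(-window, window + 1)
    )


def timezone_demo():
    """Same instant written as UTC and as UTC-5 wall-clock time."""
    utc = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)
    est = datetime(2009, 2, 13, 18, 31, 30, tzinfo=timezone(timedelta(hours=-5)))
    return totp(SECRET, utc.timestamp()), totp(SECRET, est.timestamp())


if __name__ == "__main__":
    now = 1234567890
    print("UTC vs UTC-5 codes:", timezone_demo())
    print("mistyped key accepted:", verify(SECRET, totp(TYPO, now), now))
    print("clock 5 min off accepted:", verify(SECRET, totp(SECRET, now + 300), now))
```

When codes are rejected, compare the key entered in the app character by character and check that both clocks are synchronised (for example via NTP) before touching time zone settings.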
Oh I did, at least 10 times or so, my IP is blocked now, have to connect using a VPN, but at least I can get in. The question now is, how do I unban my IP?
Nice, it uses csf, removed my IP from csf.deny and now I'm good. I really like this, and thanks to @Jimmy and @eva2000 for making this happen. I find that using FileZilla, and having to enter the verification code/password, is inconvenient, as after 1 min I'm auto-disconnected and have to keep doing that over and over. I set the timeout higher in FileZilla but it won't follow it, so I'm assuming it's a setting on the server side, FTP-wise.
For ftp/sftp you probably need to set it to max 1 simultaneous connection and data transfer, otherwise multiple concurrent connections may trigger multiple verification alerts, i.e. WinSCP: http://superuser.com/questions/1116...ual-factor-reauthentication?noredirect=1&lq=1
Ya, I'm doing that anyway. Tested even uploading with just 1 file at a time, seems after 1 min in between uploads I have to reauthenticate. Looked at pure-ftpd.conf and the idle timeout is set to 15 min, so I'm thinking this could be a FileZilla issue. Any FTP client recommendations for Macs?
What's strange is the timeout doesn't seem to be in effect, as I remain connected to FTP and can navigate directories. The reauthentication comes up when I try to upload, so strange.
Strange, tested myself and have no timeouts or re-prompts. I waited 12+ minutes to idle the connection to sftp with 2FA and re-tried uploading files, and no prompt here in FileZilla with the max 1 connection limit.
Lol, you were right @eva2000, I changed the settings as you said, but initially I left the FileZilla window open. It turned out it needed to be closed and reopened for the settings to take effect. Must be a Mac thing, but on the bright side I didn't have to go searching for any device drivers (yes, this is a cheap shot at Windows users).
@SFLC thank @eva2000 more than me. I just posted the thread because I was interested in this. @eva2000 really did the legwork. Honestly I hadn't even thought about the additional setup needed when using Filezilla with 2FA. I'm on Linux Desktop, so I can use my file browser to connect. Curious how that's going to work.
That's a good question, I don't think that's going to work natively like that. Maybe check out these: "How To Use SSHFS to Mount Remote File Systems Over SSH | DigitalOcean" and "SSHFS - ArchWiki". I've never used sshfs but I use gcsfuse to mount my Google buckets and I really like the concept. Might have to experiment with this in the future, as that would eliminate the need for FTP. I love killing services, it's one of my favorite activities, it can't be hacked if it's not up.
True dat. Let me know how it goes. I won't have time until later this week to fire up a DO VPS to test this out.