Learn about Centmin Mod LEMP Stack today
Register Now

Security Sysadmin Google Authenticator

Discussion in 'System Administration' started by Jimmy, Feb 6, 2017.

  1. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
    brilliant, works like a charm,

    - Installed osxfuse, for non mac people install the appropriate prerequisite from here

    How To Use SSHFS to Mount Remote File Systems Over SSH | DigitalOcean

    - create a folder somewhere -> LOCAL_MOUNT_POINT
    - created an alias for this: sudo sshfs root@xxx.xxx.xxx.xxx:/ {LOCAL_MOUNT_POINT} -C -p {port} -o allow_other

    as the command from the first link is malformed, change your port/mount point in the above command

    run the command and it should work interactively, GA auth code, then pwd and then its good, tested uploading and downloading and didnt have to reauth.

    unmounting is allegedly done by:

    fusermount -u LOCAL_MOUNT_POINT

    cant verify the unmounting with fusermount as my mac doesnt know what fusermount is, and since I can't be bothered to research why, I tried:

    sudo umount LOCAL_MOUNT_POINT

    and that worked

    now time to assassinate pure-ftp
     
  2. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
    I wont be experimenting with this on boot as I don't need access often enough to justify it and with the GA I dont know how that would work, Its not worth it to basically have to pull out my phone everytime i restart my computer
     
  3. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
    just an update so far on sshfs, it works, but is kinda slow, directory listings take 10 seconds on average for every directory and the more content the directory has, the longer it takes. It's definitely a lot faster to use ftp, but at the same time, this in my case, could be caused by another factor
     
  4. Jimmy

    Jimmy Well-Known Member

    1,695
    365
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +918
    Local Time:
    6:44 PM
    1.17.x
    MariaDB 10.3.x
    I wonder if csf is the issue? Did you try turning that off and seeing if it improves.
     
  5. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
    Just tried that, no change. To be honest, it's still usable, just more annoying than anything
     
  6. eva2000

    eva2000 Administrator Staff Member

    44,477
    10,164
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,726
    Local Time:
    8:44 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    FYI sshfs is known to be slow - it's how it is and only suited to specific tasks and usage not disk heavy
     
  7. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
    ya fair enough @eva2000 i noticed after a google search a lot of people complaining about this
     
  8. Oxide

    Oxide Active Member

    518
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    8:44 AM
    I thought Google Auth was linked to your Google Account? Is it not?

    So when I loose my Phone, i can sync it with my Google Account.. Otherwise, fuck that sucks lol
     
  9. eva2000

    eva2000 Administrator Staff Member

    44,477
    10,164
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,726
    Local Time:
    8:44 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    nope not linked to Google Account
     
  10. Oxide

    Oxide Active Member

    518
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    8:44 AM
    Shit.

    My eyes just opened, i need to get backup codes on all services I have it connected to now, and print them out...
     
  11. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
    Gotta research how to do that myself, as I don't have them, they're entered in GA on my phone, I can't recover them directly from the app, and my phones not rooted so I can't access the db file directly for GA.
     
  12. eva2000

    eva2000 Administrator Staff Member

    44,477
    10,164
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,726
    Local Time:
    8:44 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    I started with Google Authenticator Plus https://community.centminmod.com/threads/google-authenticator-alternative-authenticator-plus.1739/ which allows syncing to other phones and also exporting all original qrcode account setup codes as encrypted/password protected html/txt file as well as database format. You can use those exported html qrcode accounts and then have them manually added to Authy with account backup sync too. So you have same 2FA codes on all Android sync'd devices + Authy and Authy backup sync :)
     
  13. Oxide

    Oxide Active Member

    518
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    8:44 AM
    The only way (after researching this for two hours now) seems to be having a rooted phone to export it as a backup. Or by exporting backup codes, but this is needed from EACH website.. If you have it on a couple of websites, then it becomes a issue..
     
  14. Oxide

    Oxide Active Member

    518
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    8:44 AM
    That's interesting one, need to get it ASAP..

    Wait, it costs? Then you need to pay for it on each phone you want it.. meh lol.
     
  15. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
    Makes sense, it sucks as the main reason why I don't want to root is that I'd lose the ability to do OTA updates
     
  16. eva2000

    eva2000 Administrator Staff Member

    44,477
    10,164
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,726
    Local Time:
    8:44 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    If your Android devices use same account, you only pay for it once. I have 3x Android phones + 3x Android tablets all using same account so paid only once. 1x Android phone and 1x Android tablet is rooted, while rest are non-rooted. I started with rooted phone so easy to sync backups or export to txt file or db which can be imported into other devices not rooted. Then I also set them up in Authy with backup/sync enabled. So multiple safe guards in place so that I have my 2FA account codes when I need them :)
     
  17. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    12:44 AM
    1
    10
  18. eva2000

    eva2000 Administrator Staff Member

    44,477
    10,164
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,726
    Local Time:
    8:44 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
  19. FluxTux

    FluxTux New Member

    25
    5
    3
    Sep 22, 2019
    Ratings:
    +9
    Local Time:
    12:44 AM
    Hi there

    I tried enabling TFA on my CMM VPS using the guide Jimmy linked to initially.

    Firstly I corrected the servers time zone to match my own using the CMM guide

    YUM installed the GA package okay. Calling Google Authenticator afterwards got me the GA config setup all right - and I provided input as prompted. Lastly I amended the related files cf the guide and restarted the SSH service.

    In short I followed the guide step by step :)

    However, I don't get prompted for a TFA auth when logging into my CMM server.

    I then tried this recommended step added as a guide comment:

    /etc/pam.d/sshd
    And add the following line at the top
    auth required pam_google_authenticator.so

    Restarted SSH service.

    Still no luck.

    I'm new to CMM and just trying to get a best practice in place with this extra security layer.

    Any of you guys got ideas to get this going - should I unwind (any of) the steps already taken and reapproach this differently, or...?

    FYI I only get the default password prompt for my root user when I login - nothing else. Can this be a matter of somehow sorting the order of the 'auth mechanisms' on the server to make TFA trigger auth trigger before the default password login...?

    Plain guesswork on my part and I suppose the order should not matter. Please advice and share any insights.

    Thanks!!
     
  20. negative

    negative Active Member

    384
    46
    28
    Apr 11, 2015
    Ratings:
    +90
    Local Time:
    1:44 AM
    1.9.10
    10.1.11
    Same here.

    After installed with instructions from here Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7 , i can't connect to server. it asks the server password but returns as wrong even it is true 100% because i login on local. sshd services can't accept the password so i can't see any input for TFA code.