
Security Sysadmin Google Authenticator

Discussion in 'System Administration' started by Jimmy, Feb 6, 2017.

  1. SFLC

    brilliant, works like a charm,

    - Installed osxfuse, for non mac people install the appropriate prerequisite from here

    How To Use SSHFS to Mount Remote File Systems Over SSH | DigitalOcean


    - create a folder somewhere -> LOCAL_MOUNT_POINT
    - created an alias for this: sudo sshfs root@xxx.xxx.xxx.xxx:/ {LOCAL_MOUNT_POINT} -C -p {port} -o allow_other

    as the command from the first link is malformed, change your port/mount point in the above command

    run the command and it should work interactively, GA auth code, then pwd and then it's good, tested uploading and downloading and didn't have to reauth.

    unmounting is allegedly done by:

    fusermount -u LOCAL_MOUNT_POINT

    can't verify the unmounting with fusermount as my mac doesn't know what fusermount is, and since I can't be bothered to research why, I tried:

    sudo umount LOCAL_MOUNT_POINT

    and that worked

    now time to assassinate pure-ftp
     
  2. SFLC

    I won't be experimenting with this on boot as I don't need access often enough to justify it, and with the GA I don't know how that would work. It's not worth it to basically have to pull out my phone every time I restart my computer
     
  3. SFLC

    just an update so far on sshfs, it works, but is kinda slow, directory listings take 10 seconds on average for every directory and the more content the directory has, the longer it takes. It's definitely a lot faster to use ftp, but at the same time, this in my case, could be caused by another factor
     
  4. Jimmy

    I wonder if csf is the issue? Did you try turning that off and seeing if it improves?
     
  5. SFLC

    Just tried that, no change. To be honest, it's still usable, just more annoying than anything
     
  6. eva2000

    FYI sshfs is known to be slow - it's how it is and only suited to specific tasks and usage not disk heavy
     
  7. SFLC

    ya fair enough @eva2000, I noticed after a google search a lot of people complaining about this
     
  8. Oxide

    I thought Google Auth was linked to your Google Account? Is it not?

    So when I lose my Phone, I can sync it with my Google Account.. Otherwise, fuck that sucks lol
     
  9. eva2000

    nope not linked to Google Account
     
  10. Oxide

    Shit.

    My eyes just opened, I need to get backup codes on all services I have it connected to now, and print them out...
     
  11. SFLC

    Gotta research how to do that myself, as I don't have them, they're entered in GA on my phone, I can't recover them directly from the app, and my phone's not rooted so I can't access the db file directly for GA.
     
  12. eva2000

    I started with Google Authenticator Plus https://community.centminmod.com/threads/google-authenticator-alternative-authenticator-plus.1739/ which allows syncing to other phones and also exporting all original qrcode account setup codes as encrypted/password protected html/txt file as well as database format. You can use those exported html qrcode accounts and then have them manually added to Authy with account backup sync too. So you have same 2FA codes on all Android sync'd devices + Authy and Authy backup sync :)
     
  13. Oxide

    The only way (after researching this for two hours now) seems to be having a rooted phone to export it as a backup. Or by exporting backup codes, but this is needed from EACH website.. If you have it on a couple of websites, then it becomes an issue..
     
  14. Oxide

    That's an interesting one, need to get it ASAP..

    Wait, it costs? Then you need to pay for it on each phone you want it.. meh lol.
     
  15. SFLC

    Makes sense, it sucks as the main reason why I don't want to root is that I'd lose the ability to do OTA updates
     
  16. eva2000

    If your Android devices use the same account, you only pay for it once. I have 3x Android phones + 3x Android tablets all using the same account so paid only once. 1x Android phone and 1x Android tablet are rooted, while the rest are non-rooted. I started with a rooted phone so it's easy to sync backups or export to txt file or db which can be imported into other devices that are not rooted. Then I also set them up in Authy with backup/sync enabled. So multiple safeguards in place so that I have my 2FA account codes when I need them :)
     
  19. FluxTux

    Hi there

    I tried enabling TFA on my CMM VPS using the guide Jimmy linked to initially.

    Firstly I corrected the server's time zone to match my own using the CMM guide.

    YUM installed the GA package okay. Calling Google Authenticator afterwards got me the GA config setup all right - and I provided input as prompted. Lastly I amended the related files cf the guide and restarted the SSH service.

    In short I followed the guide step by step :)

    However, I don't get prompted for a TFA auth when logging into my CMM server.

    I then tried this recommended step added as a guide comment:

    /etc/pam.d/sshd
    And add the following line at the top
    auth required pam_google_authenticator.so

    Restarted SSH service.

    Still no luck.

    I'm new to CMM and just trying to get a best practice in place with this extra security layer.

    Any of you guys got ideas to get this going - should I unwind (any of) the steps already taken and reapproach this differently, or...?

    FYI I only get the default password prompt for my root user when I log in - nothing else. Can this be a matter of somehow sorting the order of the 'auth mechanisms' on the server to make TFA auth trigger before the default password login...?

    Plain guesswork on my part and I suppose the order should not matter. Please advise and share any insights.

    Thanks!!
     
  20. negative

    Same here.

    After installing with the instructions from here, Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7, I can't connect to the server. It asks for the server password but returns it as wrong even though it is 100% correct, because I can log in locally. The sshd service can't accept the password, so I can't see any input for the TFA code.
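
An added example, not from the thread or the linked guide: a shell check of the settings that decide whether sshd relays the `pam_google_authenticator.so` prompt discussed in the last two posts. The function names and the file paths passed in are assumptions, the sample files are constructed, and only the global (pre-`Match`) part of `sshd_config` is read.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report settings that keep sshd from
# showing the pam_google_authenticator prompt. Run it on copies of the files.

# First global (pre-"Match") value of any listed sshd_config keyword, lowercased.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
sshd_opt() {  # usage: sshd_opt FILE keyword...
  local file=$1; shift
  awk -v keys="$*" '
    BEGIN { n = split(tolower(keys), k, " ") }
    /^[ \t]*(#|$)/ { next }
    { sub(/=/, " ") }
    tolower($1) == "match" { exit }
    { for (i = 1; i <= n; i++) if (tolower($1) == k[i]) { print tolower($2); exit } }
  ' "$file"
}

# Prints one line per finding and returns the number of findings.
check_2fa_prompt() {  # usage: check_2fa_prompt SSHD_CONFIG PAM_SSHD_FILE
  local cfg=$1 pam=$2 n=0 v
  v=$(sshd_opt "$cfg" usepam)
  if [ "${v:-no}" != yes ]; then    # unset means "no" (OpenSSH default)
    echo "UsePAM is not yes: sshd does not run the PAM auth stack"; n=$((n + 1))
  fi
  v=$(sshd_opt "$cfg" challengeresponseauthentication kbdinteractiveauthentication)
  if [ "${v:-yes}" != yes ]; then   # unset means "yes" (OpenSSH default)
    echo "keyboard-interactive is off: PAM cannot prompt for a code"; n=$((n + 1))
  fi
  if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam"; then
    echo "no active auth line for pam_google_authenticator.so"; n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample files: keyboard-interactive disabled, PAM line from the thread.
write_sample() {  # usage: write_sample DIR
  printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
    'UsePAM yes' > "$1/sshd_config"
  printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' \
    'auth substack password-auth' > "$1/pam_sshd"
}

tmp=$(mktemp -d)
write_sample "$tmp"
check_2fa_prompt "$tmp/sshd_config" "$tmp/pam_sshd" || echo "findings: $?"
rm -rf "$tmp"
```

On a live server, `sshd -T` prints the effective values with `Match` blocks applied, which this file-based check does not cover.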