Using TOTP for authentication on CentOS
Leaving this as a personal memo.
Preparation
$ sudo yum -y groupinstall "Development Tools"
$ sudo yum -y install pam-devel
Install the Google Authenticator PAM module
$ git clone https://github.com/google/google-authenticator-libpam.git
$ cd google-authenticator-libpam/
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install
sshd and PAM configuration
$ sudo cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
$ sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
$ sudo vi /etc/ssh/sshd_config
$ sudo diff /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
82,83c82,83
< ChallengeResponseAuthentication yes
< #ChallengeResponseAuthentication no
---
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
$ sudo sshd -t
$ sudo systemctl restart sshd
$ sudo vi /etc/pam.d/google-auth
$ cat /etc/pam.d/google-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_google_authenticator.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
$ sudo cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
$ sudo vi /etc/pam.d/sshd
$ sudo diff /etc/pam.d/sshd /etc/pam.d/sshd.bak
3c3
< #auth substack password-auth
---
> auth substack password-auth
21,22d20
< auth substack google-auth
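Review bot: the 3c3 hunk comments out `auth substack password-auth`, so after this change the keyboard-interactive authentication that `ChallengeResponseAuthentication yes` enables consists of the google-auth stack alone: a valid TOTP code logs the user in with no password at all, which replaces the password rather than adding a second factor. If the intent is password plus TOTP, keep `auth substack password-auth` and add `auth substack google-auth` after it; if the intent is key plus TOTP, require both methods in sshd_config with `AuthenticationMethods publickey,keyboard-interactive`. This PAM edit is also made after `systemctl restart sshd`; PAM configuration is read at each authentication, so no further restart is needed, but that means any account without a ~/.google_authenticator file is locked out of SSH the moment the file is saved. Keep the current session open and test a fresh login from a second session before logging out.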
OTP setup (run this as the account that will be logging in, not via sudo; the QR code is displayed at this point, so register it in the app)
$ google-authenticator
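To see what pam_google_authenticator is actually checking once `google-authenticator` has written ~/.google_authenticator, here is an added example in Python (not code from this memo or from the google-authenticator-libpam project) that computes and verifies codes the same way: HMAC-SHA1 over a 30-second counter, truncated to 6 digits per RFC 4226/6238. The file layout it parses (base32 secret on the first line, `" OPTION` lines, scratch codes as trailing numeric lines), the sample file contents, the RFC 6238 test secret `12345678901234567890`, and the window arithmetic are all assumptions made for the example.

```python
"""Compute and verify Google Authenticator style TOTP codes (RFC 4226 / RFC 6238).

Added example: not the PAM module's own code. Assumes the ~/.google_authenticator
layout described in the lead-in; real verification also needs the rate limiting
and replay protection the module provides, which are omitted here.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step google-authenticator uses
DIGITS = 6          # code length google-authenticator uses

# Constructed sample in the layout google-authenticator writes (assumption).
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_STATE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step)


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret; the state file stores it without '=' padding."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def parse_state_file(text: str) -> dict:
    """Parse the assumed ~/.google_authenticator layout into secret, window and scratch codes."""
    lines = [line.rstrip("\n") for line in text.splitlines() if line.strip()]
    state = {"secret": decode_secret(lines[0]), "window_size": 3, "scratch": []}
    for line in lines[1:]:
        if line.startswith('" '):
            parts = line[2:].split()
            if len(parts) > 1 and parts[0] == "WINDOW_SIZE":
                state["window_size"] = int(parts[1])
        elif line.isdigit():
            state["scratch"].append(line)   # one-time emergency scratch code
    return state


def verify(state: dict, code: str, unix_time: int) -> bool:
    """Accept a TOTP within WINDOW_SIZE time slots (assumed split around 'now'),
    or consume a scratch code so it cannot be replayed."""
    if code in state["scratch"]:
        state["scratch"].remove(code)
        return True
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    w = state["window_size"]
    counter = unix_time // STEP_SECONDS
    # WINDOW_SIZE 3 means the previous, current and next 30-second slot.
    for i in range(-((w - 1) // 2), w // 2 + 1):
        if hmac.compare_digest(hotp(state["secret"], counter + i), code):
            return True
    return False


if __name__ == "__main__":
    st = parse_state_file(SAMPLE_STATE)
    now = int(time.time())
    print("current code for the sample secret:", totp(st["secret"], now))
    print("verifies:", verify(st, totp(st["secret"], now), now))
```

The RFC 6238 test vectors give a quick sanity check: with the sample secret, counter 0 yields 755224 and Unix time 59 yields 287082 (the first six digits of the RFC's 8-digit 94287082 are dropped by the 10^6 modulus, leaving the last six). Note that `verify` mutates the state when a scratch code is used, which is why the module rewrites ~/.google_authenticator on every successful scratch-code login.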
Let's apply it to sudo as well
$ sudo cp /etc/pam.d/sudo /etc/pam.d/sudo.bak
$ sudo vi /etc/pam.d/sudo
$ diff /etc/pam.d/sudo /etc/pam.d/sudo.bak
2d1
< auth substack google-auth
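Review bot: placing `auth substack google-auth` on line 2 puts the TOTP prompt ahead of the rest of sudo's auth stack, so sudo now asks for the code and then the password; that is a genuine second factor, unlike the sshd change above. Because google-auth ends in `auth required pam_deny.so`, though, any account that has not yet run `google-authenticator` loses sudo entirely the moment this file is saved. Run `google-authenticator` for every sudo user first, and confirm `sudo -v` from a second shell before closing the root session used for the edit.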