Google-Authenticator from EPEL
About EPEL
EPEL was started because many Fedora contributors wanted to use the Fedora packages they maintain on Red Hat Enterprise Linux (RHEL) and its compatible derivatives.
Goals of the EPEL Effort
- Make high quality packages that have been developed, tested, and improved in Fedora available for RHEL and compatible derivatives such as CentOS and Scientific Linux.
- Work closely with the Fedora Project to achieve this goal -- use the same guidelines, rules, policies, and infrastructure, as far as possible.
- If we hit problems, solve the problems with the other parties and groups of Fedora, such as Packaging Committee, instead of creating EPEL-only solutions; EPEL-only solutions introduce confusion for packagers and users, and make porting packages between Fedora and EPEL harder.
- For the rare cases where it is not possible or desired to remain synchronized with Fedora, maintain add-on documents for EPEL that describe the differences and the reasons for them.
Who Needs These Packages
Enterprise Linux User/Administrator Perspective
Every user and admin has experienced at least one desired package not being included and supported in RHEL. This project gives you a place to promote, support, and benefit from packages that exist in Fedora and were not included in a RHEL version.
Whether it is a package your company needs as part of its standard install, or software you want available so you and your users can do your work and have your fun, Fedora enterprise packages are a good method to build support and community around particular software needs.
Community Perspective
Many members of the Fedora community are also users/administrators of enterprise-Linux based distributions that are derived from Fedora, such as RHEL and CentOS. Everyone has their own reasons for promoting a particular piece of software. EPEL packages are the best way to gain users and support from enterprise Linux users.
ISV/IHV Perspective
The benefits of building upon EPEL as an ISV or IHV have great potential. If your software package currently packages its own copies of open source libraries or well-known tools, you can rely upon EPEL to provide those packages. For example, Perl modules are often needed and repackaged, yet can be available through EPEL instead. You let dependencies be met by EPEL, and your team concentrates on what they do best: develop, support, and provide your product(s).
Additionally, if you are on an ISV/IHV team that utilizes open source software packages to deliver your products, you have the opportunity to contribute to EPEL. This ensures a community of support, review, and testing for packages that your customers depend on for your products.
For independent software and hardware vendors, this is how you get your software into the enterprise ecosystem:
- Use the Fedora process to get your favorite software in to the repository:
  - Get an entirely new package into Fedora.
  - Become a co-maintainer for the package you want to have enterprise-level longevity.
  - Package a free and open source library or other shareable software source to build a community around your applications.
- Gain the additional six to twelve months of Fedora testing and feedback.
- Be ready for RHEL beta testing before the alpha snapshot is taken, gaining another three to six months lead time.
- Ship your enterprise-ready version with the RHEL GA.
- Ongoing support and package maintenance is a part of your free and open source development process, along with advancing the technology in parallel in Fedora.
Academia Perspective
Aside from the usual need for software that wasn't included in RHEL, there is a large opportunity for academia to provide students with learning opportunities beyond piecemeal open source project experience.
Where a typical free and open source learning experience for a student might be to dive into coding or documentation, Fedora enterprise packaging is one way to gain cross-over experience. The real-world, hands-on experience includes supporting a free and open source community and user base, creating an enterprise community around the software, and managing feature enhancements, bug fixes, and security updates across all communities.
Red Hat Perspective
This is a simple imagination exercise.
Imagine you are a company that enables a large, fully open and free Linux based distribution for the general world communities (cf. Fedora), while supporting a large, fully open Linux based distribution for its customers (cf. RHEL).
Imagine that what is in your enterprise distribution is what you think you can support for your customers, and is influenced by what those customers are asking for. Would it be in your best interest, or the best interest of your customers, to pull in every single software package you possibly could? Would you be able to provide QA and support on such a large package set?
Imagine that it is easier to pick your package set (the ones you support), and to enable the promotion and community support of enterprise-quality packages.
If you look around, you see that people have put in great effort to provide these packages that did not make it into RHEL. The Fedora enterprise packages are a way of enabling, growing, and honoring the work that has come before.
Packages needed
- qrencode
- google-authenticator
Follow the instructions on GitHub to build from source (configure, make && make install),
or get it from EPEL: <kbd style="font-size: 1em; font-family: monospace, monospace;">yum install google-authenticator</kbd>
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: rgb(255, 250, 233);">[root@rhel6 ~]# yum search qrencode
Loaded plugins: product-id, refresh-packagekit, search-disabled-repos, security,
: subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
============================ N/S Matched: qrencode =============================
qrencode.x86_64 : Generate QR 2D barcodes
qrencode-devel.i686 : QR Code encoding library - Development files
qrencode-devel.x86_64 : QR Code encoding library - Development files
qrencode-libs.i686 : QR Code encoding library - Shared libraries
qrencode-libs.x86_64 : QR Code encoding library - Shared libraries
Name and summary matches only, use "search all" for everything.
[root@rhel6 ~]# yum install qrencode qrencode-devel qrencod-libs
Loaded plugins: product-id, refresh-packagekit, search-disabled-repos, security,
: subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Setting up Install Process
No package qrencod-libs available.
Resolving Dependencies
--> Running transaction check
---> Package qrencode.x86_64 0:3.4.2-1.el6 will be installed
--> Processing Dependency: libqrencode.so.3()(64bit) for package: qrencode-3.4.2-1.el6.x86_64
---> Package qrencode-devel.x86_64 0:3.4.2-1.el6 will be installed
--> Running transaction check
---> Package qrencode-libs.x86_64 0:3.4.2-1.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
qrencode x86_64 3.4.2-1.el6 epel 17 k
qrencode-devel x86_64 3.4.2-1.el6 epel 11 k
Installing for dependencies:
qrencode-libs x86_64 3.4.2-1.el6 epel 50 k
Transaction Summary
Install 3 Package(s)
Total download size: 78 k
Installed size: 169 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): qrencode-3.4.2-1.el6.x86_64.rpm | 17 kB 00:00
(2/3): qrencode-devel-3.4.2-1.el6.x86_64.rpm | 11 kB 00:00
(3/3): qrencode-libs-3.4.2-1.el6.x86_64.rpm | 50 kB 00:00
Total 129 kB/s | 78 kB 00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) epel@fedoraproject.org
Package: epel-release-6-8.noarch (@/epel-release-latest-6.noarch)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : qrencode-libs-3.4.2-1.el6.x86_64 1/3
Installing : qrencode-3.4.2-1.el6.x86_64 2/3
Installing : qrencode-devel-3.4.2-1.el6.x86_64 3/3
Verifying : qrencode-libs-3.4.2-1.el6.x86_64 1/3
Verifying : qrencode-3.4.2-1.el6.x86_64 2/3
Verifying : qrencode-devel-3.4.2-1.el6.x86_64 3/3
Installed:
qrencode.x86_64 0:3.4.2-1.el6 qrencode-devel.x86_64 0:3.4.2-1.el6
Dependency Installed:
qrencode-libs.x86_64 0:3.4.2-1.el6
Complete!
[root@rhel6 ~]# yum install google-authenticator
Loaded plugins: product-id, refresh-packagekit, search-disabled-repos, security,
: subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository
Size
================================================================================
Installing:
google-authenticator x86_64 0-0.3.20110830.hgd525a9bab875.el6 epel 26 k
Transaction Summary
Install 1 Package(s)
Total download size: 26 k
Installed size: 51 k
Is this ok [y/N]: y
Downloading Packages:
google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x | 26 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86 1/1
Verifying : google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86 1/1
Installed:
google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6
Complete!
</pre>
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: rgb(255, 250, 233);">[root@rhel6 ~]# google-authenticator
https://www.google.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
(this is a QR code)
Your new secret key is: XXXXXXXXXXXXXXXX
Your verification code is XXXXXX
Your emergency scratch codes are:
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
[root@rhel6 ~]#
</pre>
Configure sshd to use google-authenticator for verification
- Check whether the PAM shared library is already in the default load directory
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: blue;">[root@rhel6 ~]# find / | grep pam_google_authenticator.so
/lib64/security/pam_google_authenticator.so
</pre>
If it is not there (for example, it was installed under /usr/local/lib/security), copy it:
[root@rhel6 ~]# cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/
- Edit /etc/pam.d/sshd
Add the line below as the FIRST line of the file:
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: blue;">auth required pam_google_authenticator.so
</pre>
- Edit /etc/ssh/sshd_config
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: blue;">ChallengeResponseAuthentication yes
</pre>
- Restart sshd
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: blue;">service sshd restart
</pre>
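The three settings changed above can be checked on copies of the files before sshd is restarted. The shell functions below are an added example, not part of the original page or of google-authenticator; the function names, the `UsePAM` check and the constructed files in `demo` are assumptions made for illustration.

```shell
# Added example (not from the original page): audit the settings changed above.
# PAM: first effective line must be "auth required pam_google_authenticator.so".
check_pam() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { ok = ($1 == "auth" && $2 == "required" &&
                 $3 ~ /^([^ ]*\/)?pam_google_authenticator\.so$/); exit }
         END { exit !ok }' "$1"
}

# sshd_config: print the effective global value of keyword $1 in file $2. The first
# occurrence wins, keywords are case-insensitive, parsing stops at the first Match.
sshd_value() {
    awk -v key="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$2"
}

# State file: no group/other access; reuse and rate-limit answers stored as option lines.
check_state() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ] &&
        grep -q '^" DISALLOW_REUSE' "$1" && grep -q '^" RATE_LIMIT' "$1"
}

# audit PAM_FILE SSHD_CONFIG STATE_FILE: print findings, return the failure count.
audit() {
    fails=0
    check_pam "$1" || { echo "FAIL $1: module is not the first line"; fails=$((fails + 1)); }
    # UsePAM is not mentioned on the page; sshd only consults PAM when it is yes.
    for key in ChallengeResponseAuthentication UsePAM; do
        [ "$(sshd_value "$key" "$2")" = "yes" ] ||
            { echo "FAIL $2: $key is not set to yes"; fails=$((fails + 1)); }
    done
    check_state "$3" || { echo "FAIL $3: mode or options"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not real configuration); expected result: 1 failure.
demo() {
    d=$(mktemp -d) || return 2
    printf 'auth required pam_google_authenticator.so\n' > "$d/pam"
    printf '#UsePAM no\nUsePAM yes\nChallengeResponseAuthentication no\n' > "$d/sshd"
    printf 'CONSTRUCTED\n" RATE_LIMIT 3 30\n" DISALLOW_REUSE\n' > "$d/state"
    chmod 400 "$d/state"
    audit "$d/pam" "$d/sshd" "$d/state"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "demo: $? finding(s)"
```

On the host from this page the call is `audit /etc/pam.d/sshd /etc/ssh/sshd_config ~/.google_authenticator`. Run it before `service sshd restart` and keep the current root session open until a second login succeeds.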
How to log in afterwards
I. From Linux, UNIX, BSD, Mac OS X or even Cygwin on Windows
Type in a terminal: <kbd style="font-size: 1em; font-family: monospace, monospace;">ssh username@ip</kbd>
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: rgb(255, 250, 233);">[jiajianing@MacPro ~]# ssh root@192.168.2.128
Verification code:xxxxxxxxxxxxx[Enter wrong code intentionally]
Password:xxxxxxxxxxx
Verification code:xxxxxxxxxxxx[Enter code correctly]
Password:xxxxxxxxxxxxxx
Last login: xx xx xx xx:xx:xx xxxx from xx
</pre>
II. From Xshell
<pre style="font-size: 15.96px; font-family: consolas, Menlo, "Microsoft YaHei", monospace; color: rgb(68, 68, 68); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; background-color: rgb(255, 250, 233);">Xshell for Xmanager Enterprise 4 (Build 0211)
Copyright (c) 2002-2013 NetSarang Computer, Inc. All rights reserved.
Type `help' to learn how to use Xshell prompt.
Xshell:> ssh root@192.168.2.128
Connecting to 192.168.2.128:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
</pre>
A window pops up when the password is needed.
Remember to choose Keyboard Interactive(I) (authenticate using keyboard input),
and then enter the Verification code and Password.