ArtIT Wiki

User Tools

Site Tools

Trace:
2fa_linux

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
2fa_linux [2019/05/02 18:32] admin2fa_linux [2024/10/29 22:58] (current) admin
Line 9: Line 9:
 ''sudo apt install libpam-google-authenticator'' ''sudo apt install libpam-google-authenticator''
  
-Configure pam with ''sudo nano /etc/pam.d/common-auth'' +Configure pam with ''sudo nano /etc/pam.d/common-auth'' and add the following line at the end of the file:\\
  
-and add the following line at the end of the file:\\+''auth required pam_google_authenticator.so nullok''
  
-**auth required pam_google_authenticator.so nullok**\\ +The **''NULLOK''** option gives the option to login without a 2FA code as long a user has not setup 2FA. For the sake of security try not to use this option.
- +
-The **NULLOK** option gives the option to login without a 2FA code as long a user has not setup 2FA. For the sake of security try not to use this option.+
  
 The next step is to configure SSH to be able to login remotely. If you don’t configure this you won’t be able to ssh to your server anymore.  The next step is to configure SSH to be able to login remotely. If you don’t configure this you won’t be able to ssh to your server anymore. 
  
-Enable the PAM module by editing +Enable the PAM module by editing ''nano /etc/pam.d/sshd'' and make sure that ''@include common-auth''  
 +is at the end of the file. The comment usually will be at the top of the file. If you have to login twice you have the argument two times!
  
-**sudo nano /etc/pam.d/sshd** +Set the follwoing lines ''ChallengeResponseAuthentication yes'' and ''UsePAM yes'' in /etc/ssh/sshd_config.
  
-and make sure that +Do a ''systemctl restart sshd'' or ''service sshd restart''
  
-**@include common-auth**+You now have 2 Factor Authentication enabled. 
  
-is at the end of the file and commented out. The comment usually will be at the top of the file. If you have to login twice you have the argument two times!+**NOTE:** By putting the PAM module at the end of the file you will have the challenge after you have entered the password. If you like to first have the challenge, put the 2fa PAM module before the password.
  
-Next head over to +You now have to configure 2FA for every user who needs access to the system. Start configuring your own user and then all other users by doing the following:
  
-**sudo nano /etc/ssh/sshd_config** +Type in the command ''google-authenticator'' 
 +Type ''Y'' for the fist question
  
-and set the follwoing ines+Write down the settings which will be presented (make sure you store them in a save place). These are the rescue settings if you don't get in anymore. Parallel to that open the Google Authenticator on you phone and enter the new settings directly into your Authenticator Settings on your phone. Give it a name (it doesn't have to be an e-mail address) and enter the code you have written down.
  
-**ChallengeResponseAuthentication yes**+Answer the rest of the questions with ''Y'' unless you like to deviate. 
 +Repeat this for every user and __don’t forget your root user__!
  
-**UsePAM yes**+**Do not logoff before you have tested this configuration!** Open a new window and try your new settings.
  
-Do +If everything is working correctly you now have new level of security.
  
-**sudo systemctl restart sshd** +**NOTE:** It is possible to have multiple servers using the same code generated by your phone without adding multiple accounts. Simply replace the content of the file ''/root/.google_authenticator'' or ''/home/your_user/.google_authenticator'' after you have installed and configured the authenticator of the new server. 
  
-or +**To use the Google 2 Factor Authenticator also in your Webmin do the following:**
  
-**sudo service sshd restart**+''nano /etc/webmin/miniserv.conf'' and add the line at the end of the file ''pam_conv=1''
  
-You now have 2 Factor Authentication enabled. +Then do:
  
-**NOTE:** By putting the PAM module at the end of the file you will have the challenge after you have entered the passwordIf you like to first have the challenge, put the 2fa PAM module before the password.+   nano /etc/pam.d/webmin 
 +   auth required pam_google_authenticator.so
  
-You now have to configure 2FA for every user who needs access to the system. Start configuring your own user and then all other users by doing the following:+Restart the Webmin Service with:
  
-  * Type in the command **google-authenticator** +   service webmin restart or systemctl restart webmin
-  * Type **Y** for the fist question+
  
-Write down the settings which will be presented (make sure you store them in a save place). These are the rescue settings if you don't get in anymore. Parallel to that open the Google Authenticator on you phone and enter the new settings directly into your Authenticator Settings on your phone. Give it a name (it doesn't have to be an e-mail address) and enter the code you have written down.+Shoud you have any login problems in Webmin, reset your password with:
  
-Answer the rest of the questions with **Y** unless you like to deviate+   cd /usr/share/webmin 
-Repeat this for every user and __don’t forget your root user__!+   ./changepass.pl /etc/webmin/ username password 
 +   systemctl restart webmin
  
-**Do not logoff before you have tested this configuration!** Open a new window and try your new settings.+If you like to disable 2FA, just comment out ''auth required pam_google_authenticator.so nullok''  
 +in ''/etc/pam.d/common-auth.''
  
-If everything is working correctly you now have a new level of security. 
  
-**NOTE:** It is possible to have multiple servers using the same code generated by your phone without adding multiple accounts. Simply replace the content of the file **/root/.google_authenticator** or **/home/your_user/.google_authenticator** after you have installed and configured the authenticator of the new server. +**USE THIS IF YOU JUST WANT TO HAVE SSH 2FA AUTHENTICATION** 
  
 +*If you just want to enable 2FA for ssh not interfering with other applications do the following:*
 +
 +   apt install libpam-google-authenticator -y
 +
 +   google-authenticator
 +
 +   answer with Yes - Yes - Yes - No - Yes
 +
 +If you want to use a common code for all your machines alter it:
 +
 +   nano /root/.google_authenticator
 +
 +and replace the code according to your other servers at the top of the file
 +
 +   nano /etc/pam.d/sshd
 +   @include common-auth
 +   auth required pam_unix.so no_warn try_first_pass
 +   auth required pam_google_authenticator.so
 +
 +   nano /etc/ssh/sshd_config
 +   ChallengeResponseAuthentication yes
 +   PasswordAuthentication yes
 +   AuthenticationMethods keyboard-interactive (for older Debian versions)
 +   KbdInteractiveAuthentication yes (for newer Dbian versions)
 +   UsePAM yes
 +
 +   service ssh restart
 +
 +Thas all. 
  
 Enjoy,\\ Enjoy,\\
Line 74: Line 105:
 \\ \\
 **[[linux|BACK]]** **[[linux|BACK]]**
- 
2fa_linux.1556814769.txt.gz · Last modified: 2019/05/02 18:32 by admin