
After a little googling I could see some references to configuring Google Authenticator with Windows Active Directory; however, I could not see how I could do it on a Linux/CentOS system.

What would be involved in setting up Google Authenticator on Linux (CentOS) with OpenLDAP or 389 Directory Server?

chandank

2 Answers


On most Unix systems you would use the Google Authenticator PAM module to add Google Authenticator capability to your system.

At the moment I believe this is entirely separate from any other authentication such as password files or LDAP centralized authentication -- adding LDAP capability to the PAM module (for centralized secrets) would definitely be a worthwhile programming project, and if you need that sort of centralization and are willing to do the coding to make it happen, lots of people would probably appreciate the capability...

voretaq7
  • When I looked at this I also thought it might be a full dev project; however, I was wondering whether anyone has done it earlier or knows of any GitHub project doing something like that. – chandank Nov 12 '12 at 06:51
  • I was wondering whether it is possible to use Google's PAM module in conjunction with any LDAP authentication stuff. I know I am repeating my question, but is there any way to get closer to this? – chandank Nov 14 '12 at 22:37
  • http://kiteplans.info/2012/04/06/two-factor-ssh-virtualmin-authentication-google-authenticator/ has the implementation as pam module – chandank Nov 19 '12 at 16:16
  • @chandank That's just a step-by-step on how to install the module I linked to -- it doesn't seem to have anything about centralizing the secret store (in LDAP or otherwise) - or am I missing something? (If you find a centralized LDAP-backed secret store I'd be interested in it too) – voretaq7 Nov 19 '12 at 16:21
  • Yes, you are right. I just posted it here in case someone finds it useful. – chandank Nov 20 '12 at 17:20

TOTPCGI does exactly that -- a centralized infrastructure utilizing Google Authenticator tokens. It's used on Fedora project systems.

HopelessN00b
mricon
  • If you're already running puppet, there's [a quickstart howto](https://github.com/mricon/totp-cgi/blob/master/contrib/puppet/quickstart.rst). Otherwise, just use [general installation instructions](https://github.com/mricon/totp-cgi/blob/master/INSTALL.rst). All packages are in EPEL, so you should be able to yum install everything on CentOS. – mricon Dec 13 '12 at 16:48
  • Thanks, I saw some documentation on GitHub. From what I understand it gives me a centralized Google password authenticator; however, I am not sure how it will get integrated with any LDAP service. – chandank Dec 13 '12 at 17:13
  • Depends on what you mean by "integration." One of the features totpcgi supports is authenticating users similarly to how RSA does it. E.g. if your password is "foobar" and your tokencode is "555555" you can enter your password as "foobar555555" and totpcgi will do an LDAP bind to verify the password and then an OTP check to verify the token. – mricon Dec 13 '12 at 17:21
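
The password-plus-tokencode check described in the last comment, as an added example that is not part of the original thread and is not totpcgi's own code. The `ldap_bind` callable, the function names and the demo secret are assumptions made for illustration; the TOTP computation follows RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits.

```python
import base64, hashlib, hmac, struct, time

# Constructed demo secret: the RFC 6238 SHA-1 test key, base32-encoded.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 for the Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_credential(combined, digits=6):
    """Split 'foobar555555' into ('foobar', '555555'); None if malformed."""
    password, token = combined[:-digits], combined[-digits:]
    if not password or len(token) != digits:
        return None
    if not (token.isascii() and token.isdigit()):
        return None
    return password, token

def verify(user, combined, secret_b32, ldap_bind, now=None, window=1):
    """Password via LDAP bind first, then the token within +/- `window` steps.

    `ldap_bind(user, password) -> bool` is a hypothetical hook; a real one
    would attempt a simple bind against the directory as that user.
    """
    parts = split_credential(combined)
    if parts is None:
        return False
    password, token = parts
    if not ldap_bind(user, password):
        return False
    now = time.time() if now is None else now
    ok = False
    for drift in range(-window, window + 1):  # tolerate clock skew
        expected = totp(secret_b32, now + drift * 30)
        ok |= hmac.compare_digest(expected, token)  # constant-time compare
    return ok

if __name__ == "__main__":
    fake_bind = lambda u, p: (u, p) == ("alice", "foobar")  # constructed stand-in
    print(verify("alice", "foobar" + totp(DEMO_SECRET, time.time()),
                 DEMO_SECRET, fake_bind))
```

This sketch does not track already-used tokens, so a deployment would also need to reject a code that has been accepted once within its validity window.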