Enabling Google Authenticator on CS Linux Machine
Created 2015-08-27 by Hanz Makmur
Google Authenticator
is a system of Time Based One Time Password from RFC6238.
It is often used as part of a Two Factor Authentication for websites such as Google, GMail,
FaceBook, DropBox, WordPress, LastPass, Amazon Cloud, and others where a user is required to put
a 6 (or more) digit one-time verification token a long with username and password.
In our on going effort to increase the security of our Linux account, beginning Fall 2015 the
CS Department is adding Google Authenticator as an optional service for users who wants
to increase the security of his/her Linux account on a CS Linux
machine. In general, for better security, you should enable Two-factor authentication wherever the service is provided. To learn more
check Pixel Privacy Two-Factor Authentication explanation.
Note: This software is currently only running on all Centos 7 Graduate machines as a test. If there is a lot of interest,
it may be deployed on all CS Linux Systems in the future. Please let us know what you think.
Requirement
Before you enable Google Authenticator you will need to download the Google Authenticator App for your smart phones,
tablets or web browser. The App is available for Android,
iOS, BlackBerry devices,
and Windows Phone.
See the appropriate App Store for your devices.
If you do not have a smart phone or tablets, you can also run Google Authenticator as part of
a GAuth addon
for your computer browser, GAuth Webpage or
a portable windows App like JAuth,
WinAuth etc.
Activating Google Authenticator on CS Linux Machine.
Once you have an Google Authenticator App, you can now enable google authenticator feature to enable two factor authentication on CS Linux machines simply by typing:
google-authenticator in a terminal window and answer 'y' on each questions
% google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google...@YOURHOSTNAME%3Fsecret%3DWYD4SYCGEE5N4M3LA
Your new secret key is: WYD4SYCGEE5N4M3LA
Your verification code is 163127
Your emergency scratch codes are:
40186300
18418071
87502143
30873576
00892542
Do you want me to update your "/path/homedir/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
This process generates file named
.google-authenticator in your home directory.
Note:If you are XTerm, you should see QR codes on the screen as shown above.
At this time you can use your your Google Authenticator and scan the code you see on the screen
or copy/paste the link you see to a browser to verify and complete the activation.
Testing Your Authenticator
To test your Google Authenticator, open a new ssh session and enter your username.
The prompt will ask you for a verification code and then your password.
Make sure you enter your Google Authenticator code when you are asked for verification code.
If you make a mistake, you have to do it all over again. The code can only be used once.
Make sure you wait for a new verification code before you enter it.
Note: On an SSH session, the verification code is asked before your password,
otherwise, verification code will be asked after your password is entered.
Tips and Tricks
If you would like to use just 1 authenticator code for all CS Linux System, you can copy
the .google-authenticator file to your home directory to each cluster.
When google authenticator is enabled on the machine, it will automatically take effect.
If for some reasons you need to turn off google authenticator,
simply remove .google-authenticator file and it will no longer work.
Please direct Questions and Problems to help@cs.rutgers.edu