![]() ![]() Made a faster test with google-authenticator only which looked OK on the first view but there seems a problem with the PAM modul. Copy it to /opt/pakfire/tmp and execute them. In- and unstallation can be made via the scripts in the package. Google-authenticator-1.08, openvpn-otp-1.0 and libqrencode-4.0.0 are now ready and can be found in here ->. Ī downside to the OTP authentication is what i have seen so far, the reneg-sec 3600 (rekeying) was mostly disabled. Have nevertheless found a newer version 1.08, thinking also about to add an own group/user for google-authenticator like in here ->. If you have other building instructions/howtos just post them. so calls also ‘pam_google_authenticator.so’ … Compiled it like described in here -> -> and get the. I think the name differs on distribution. Will build it but this take a little time. Since i am currently no in this topic you may have some more infos on how to find a good setup for this.ĮDIT: Have seen that libqrencode3 is also needed. If you want to give it a try, you can find the IPFire package in here ->. Login attempts, you can enable rate-limiting for the authentication module.īy default, this limits attackers to no more than 3 login attempts every 30s.ĭo you want to enable rate-limiting (y/n) y If the computer that you are logging into isn't hardened against brute-force Size of +-1min (window size of 3) to about +-4min (window size of ![]() Poor time synchronization, you can increase the window from its default Possible time-skew between the client and the server, we allow an extra Your chances to notice or even prevent man-in-the-middle attacks (y/n) yīy default, tokens are good for 30 seconds. Token? This restricts you to one login about every 30s, but it increases W, -minimal-window Disable window of concurrently valid codesĭo you want authentication tokens to be time-based (y/n) new secret key is: 2IQEPLVMILXAEWJY6QOKIMYFZUĭo you want me to update your "/root/.google_authenticator" file? (y/n) yĭo you want to disallow multiple uses of the same authentication w, -window-size=W Set window of concurrently valid codes S, -step-size=S Set interval between token refreshes s, -secret= Specify a non-standard file location R, -rate-time=M Limit logins to N per every M seconds r, -rate-limit=N Limit logins to N per every M seconds i, -issuer= Override the default issuer in "otpauth://" URL l, -label= Override the default label in "otpauth://" URL f, -force Write file without first confirming with user D, -allow-reuse Allow reuse of previously used TOTP tokens d, -disallow-reuse Disallow reuse of previously used TOTP tokens t, -time-based Set up time-based (TOTP) verification ![]() c, -counter-based Set up counter-based (HOTP) verification A first try looks like this: $ /usr/bin/google-authenticator -h Look at the relevant manpages for more information.įor secret storage and retrieval, you can use for example secret-tool from the libsecret-tools package (to store in the GNOME keyring), or any other vault tool you like.Have build google-authenticator-1.02 now. oathtool supports HOTP mode as well, which I am not describing here generating tokens in that mode is a little more involved, as you need to store the number of times a token has been generated, but is still doable. The above assumes tokens are generated in TOTP mode (as most are). To generate tokens, you can invoke oathtool (from the oathtool package) from the command line, like so: oathtool -totp=ALGO -b SECRET -d N -s MM Words written above in capitals are variables that you will need to extract from your actual code. Scanning will return an URI much like the following: otpauth://totp/PROVIDER:ACCOUNT?secret=SECRET&algorithm=ALGO&digits=N&period=MM The image with the QR code can be scanned using zbarimg (or zbarcam), available in the zbar-tools package. If you can obtain the image with the QR code containing the secret, you can achieve the functionality of Google Authenticator with a handful of command-line tools.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |