Open-source project name (OpenSource Name): google/google-authenticator-libpam
Open-source project URL (OpenSource Url): https://github.com/google/google-authenticator-libpam
Open-source programming language (OpenSource Language): C 89.9%
Open-source project introduction (OpenSource Introduction):

Google Authenticator PAM module

Example PAM module demonstrating two-factor authentication for logging into servers via SSH, OpenVPN, etc. This project is not about logging in to Google, Facebook, or other TOTP/HOTP second-factor systems, even if they recommend using the Google Authenticator apps.

HMAC-Based One-time Password (HOTP) is specified in RFC 4226 and Time-based One-time Password (TOTP) is specified in RFC 6238.

Build & install

./bootstrap.sh
./configure
make
sudo make install

If you don't have access to "sudo", you have to manually become "root" prior to calling "make install".

Setting up the PAM module for your system

For highest security, make sure that both password and OTP are being requested even if password and/or OTP are incorrect. This means that at least the first of

If you use HOTP (counter based as opposed to time based) then add the option

Add this line to your PAM configuration file:

Setting up a user

Run the

If your system supports the "libqrencode" library, you will be shown a QR code that you can scan using the Android "Google Authenticator" application. If your system does not have this library, you can either follow the URL that

In either case, after you have added the key, click-and-hold until the context menu shows. Then check that the key's verification value matches (this feature might not be available in all builds of the Android application).

Each time you log into your system, you will now be prompted for your TOTP code (time-based one-time password) or HOTP (counter-based), depending on options given to

During the initial roll-out process, you might find that not all users have created a secret key yet. If you would still like them to be able to log in, you can pass the "nullok" option on the module's command line:

Encrypted home directories

If your system encrypts home directories until after your users have entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location:

would be a possible choice. Make sure to set appropriate permissions. You also have to tell your users to manually move their .google_authenticator file to this location.

In addition to "${USER}", the

When using the

The

Module options

secret=/path/to/secret/file
See "encrypted home directories", above.

authtok_prompt=prompt
Overrides the default token prompt. If you want to include spaces in the prompt, wrap the whole argument in square brackets:

user=some-user
Force the PAM module to switch to a hard-coded user id prior to doing any file operations. Commonly used with

no_strict_owner
DANGEROUS OPTION! By default the PAM module requires that the secrets file must be owned by the user logging in (or if

This option can be used to allow daemons not running as root to still handle configuration files not owned by that user, for example owned by the users themselves.

allowed_perm=0nnn
DANGEROUS OPTION! By default, the PAM module requires the secrets file to be readable only by the owner of the file (mode 0600 by default). In situations where the module is used in a non-default configuration, an administrator may need more lenient file permissions, or a specific setting for their use case.

debug
Enable more verbose log messages in syslog.

try_first_pass / use_first_pass / forward_pass
Some PAM clients cannot prompt the user for more than just the password. To work around this problem, this PAM module supports stacking. If you pass the

In turn,

noskewadj
If you discover that your TOTP code never works, this is most commonly the result of the clock on your server being different from the one on your Android device. The PAM module makes an attempt to compensate for time skew. You can teach it about the amount of skew that you are experiencing by trying to log in three times in a row. Make sure you always wait 30s (but not longer), so that you get three distinct TOTP codes. Some administrators prefer that time skew isn't adjusted automatically, as doing so results in a slightly less secure system configuration. If you want to disable it, you can do so on the module command line:

no_increment_hotp
Don't increment the counter for failed HOTP attempts. Normally you should set this so that failed password attempts by an attacker without a token don't lock out the authorized user.

nullok
Allow users to log in without OTP, if they haven't set up OTP yet. PAM requires at least one

echo_verification_code
By default, the PAM module does not echo the verification code when it is entered by the user. In some situations, the administrator might prefer a different behavior. Pass the

If you would like verification codes that are counter-based instead of time-based, use the

grace_period=seconds
If present and non-zero, provide a grace period during which a second verification code will not be requested. Try setting seconds to 86400 to allow a full day between requesting codes, or 3600 for an hour. This works by adding an (IP address, timestamp) pair to the security file after a successful one-time-password login; only the last ten distinct IP addresses are tracked.

allow_readonly
DANGEROUS OPTION! With this option an attacker with the ability to fill up the filesystem (flood the server with web requests, or if they have an account just fill the disk up) can force a situation where one-time passwords can be reused, defeating the purpose of "one time". By default, if the
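As an added worked example (not code from the google-authenticator-libpam project), the following Python implements HOTP (RFC 4226) and TOTP (RFC 6238) as the README references them, checks them against the RFCs' published test vectors, and sketches the skew handling the noskewadj paragraph describes: a verification window around the current 30-second step, and learning a skew from three consecutive codes. The window size, the 50-step search bound and the learn_skew routine are this example's own assumptions, not the module's parameters.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used for the vectors below.
RFC_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1):
    """Accept the code for any step within +/-window of the current one (window is an
    assumption of this example). Returns the skew (in steps) that matched, or None.
    The comparison is constant-time so it does not leak how close a guess was."""
    now = unix_time // step
    for delta in range(-window, window + 1):
        if now + delta >= 0 and hmac.compare_digest(hotp(secret, now + delta), code):
            return delta
    return None

def learn_skew(secret: bytes, codes: list, unix_time: int, step: int = 30, max_skew: int = 50):
    """Illustration of the 'three logins in a row' skew training the README describes
    (written for this example, not the module's own algorithm): look for three consecutive
    time steps whose codes equal the three submitted codes and return the skew of the last."""
    now = unix_time // step
    for start in range(max(0, now - max_skew), now + max_skew + 1):
        expected = [hotp(secret, start + i) for i in range(3)]
        if all(hmac.compare_digest(e, c) for e, c in zip(expected, codes)):
            return start + 2 - now
    return None

if __name__ == "__main__":
    # RFC 4226 Appendix D vectors: counters 0..2 -> 755224, 287082, 359152
    print([hotp(RFC_SECRET, c) for c in range(3)])
    # RFC 6238 Appendix B: T=59 with SHA1 -> 94287082, i.e. 287082 at 6 digits
    print(totp(RFC_SECRET, 59))
    # Constructed scenario: a device running 90 s ahead of the server (3 steps)
    skew = learn_skew(RFC_SECRET, ["287082", "359152", "969429"], unix_time=5)
    print("learned skew (steps):", skew)
    print("verified with skew applied:", verify_totp(RFC_SECRET, "969429", 5 + skew * 30) == 0)
```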