This shows you the differences between two versions of the page.
— |
howtos:google_authenticator [d/m/Y H:i] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | Get the software: | ||
+ | |||
+ | <code> | ||
+ | apt-get install gcc mercurial libpam0g-dev -y | ||
+ | </code> | ||
+ | |||
+ | Compile the PAM module: | ||
+ | |||
+ | <code> | ||
+ | cd google-authenticator/libpam/ | ||
+ | make install | ||
+ | </code> | ||
+ | |||
+ | Now apply the PAM module to one of your authentication mechanisms (sshd, ppp, samba or what ever you have in /etc/pam.d): | ||
+ | |||
+ | <code> | ||
+ | vi /etc/pam.d/sshd | ||
+ | </code> | ||
+ | |||
+ | and append this to the file sshd: | ||
+ | |||
+ | <file> | ||
+ | auth required pam_google_authenticator.so | ||
+ | </file> | ||
+ | |||
+ | |||
+ | You can disable the 2-factor login by appending these two lines: | ||
+ | |||
+ | <file> | ||
+ | auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf | ||
+ | auth required pam_google_authenticator.so | ||
+ | </file> | ||
+ | |||
+ | In the file /etc/security/access-local.conf you can add the following to skip 2-factor for the network 10.0.0.0/24: | ||
+ | |||
+ | <file> | ||
+ | + : ALL : 10.0.0.0/24 | ||
+ | + : ALL : LOCAL | ||
+ | - : ALL : ALL | ||
+ | </file> | ||
+ | |||
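Review bot: the step "You can disable the 2-factor login by appending these two lines" reads as if the two lines are added below the `auth required pam_google_authenticator.so` line appended in the previous step. In that layout the first module line still asks every client for a code, including 10.0.0.0/24, and hosts outside the access file are asked twice, so the pam_access skip has no useful effect. Say that the two lines replace the earlier single line, and that the pam_access line must sit directly above the module line, because `success=1` jumps over exactly one following module. "Disable" is also misleading: the rule skips the second factor only for sources matched in /etc/security/access-local.conf, so "skip 2-factor for trusted networks" would describe it better, and the text should note that LOCAL logins are exempted as well as the 10.0.0.0/24 network. Separately, "Get the software" installs gcc, mercurial and libpam0g-dev, but no checkout is shown before `cd google-authenticator/libpam/`. Add the clone step, and the step where each user creates a secret, since `required` will otherwise fail logins for accounts that have none.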