On Rocky Linux:
sudo dnf install epel-release
sudo dnf install google-authenticator
On Debian/Ubuntu/Linux Mint:
sudo apt install libpam-google-authenticator
Configure a Unix User
Each Unix user must run the setup within their own login session. The command below generates a ~/.google_authenticator file holding all of that user's settings for the PAM module.
Configure root:
root> google-authenticator
...config questions...
...defaults are sane...
Add the secret key shown above to your Google Authenticator app, which should be backed up to the cloud.
You should say yes to rate limiting. The config file is always written to your user home directory.
Prepare For a Recovery
It is best to have multiple terminal sessions open while editing /etc/pam.d/system-auth or /etc/pam.d/common-auth. This prevents you from being locked out of your machine.
Open TTY5. Press CTRL+ALT+F5. You now have a console session. Log in as root and use vim to edit system-auth if you are on Rocky, or common-auth if you are on Linux Mint.
Open TTY4. Press CTRL+ALT+F4. Now edit your main config again, as before.
Now that we have two sessions open, if we get locked out we can restore PAM from one of the TTY sessions.
Configure PAM
Identify the line for the module that prompts for the password. It should look like this:
auth requisite pam_unix.so nullok
Directly after that line, add the Google Authenticator PAM module line, followed by the two lines that decide the outcome.
auth [success=1 default=ignore] pam_google_authenticator.so debug echo_verification_code [authtok_prompt=Token: ] [secret=/var/ga/${USER}/.google_authenticator] no_strict_owner user=root allowed_perm=0600
auth requisite pam_deny.so
auth required pam_permit.so
The above tells the module to look for the auth config file in the custom /var/ga location. SELinux will block the PAM module if you place the file under /etc because of the etc_t context type. requisite means fail immediately on failure.
If the pam_google_authenticator.so module succeeds, skip one line. This results in the pam_permit.so module being reached, which always succeeds.
The pam config files are like configurable waterfalls that let us control authentication flow.
Migrate Google Config
We migrate all Unix user configs to the non-standard /var/ga location.
Create it with the SELinux security attributes below:
mkdir /var/ga /var/ga/root
mv /root/.google_authenticator /var/ga/root
chcon -t var_auth_t /var/ga
ls -lrtahZ /var/ga
drwxr-xr-x. 4 root root system_u:object_r:var_auth_t:s0 34 Oct 22 16:17 .
drwxr-xr-x. 21 root root system_u:object_r:var_t:s0 4.0K Oct 22 16:28 ..
drwxr-xr-x. 2 root root system_u:object_r:var_auth_t:s0 35 Oct 23 09:16 root
The var_auth_t type allows the Google PAM module to read/write the .google_authenticator configuration file. If you do not have SELinux you can skip the chcon command above. A label set with chcon does not survive a filesystem relabel, so for a permanent setup register the context with semanage fcontext and apply it with restorecon.
Finalize
In the pam_google_authenticator.so line remove the debug flag.
Edit all .google_authenticator configuration files and remove the emergency scratch codes (the one-time OTP tokens). We do not want a backdoor to our system. If we lose our security token device, Google's cloud backup will restore the tokens once we buy a new phone. Another way to recover is to boot a live DVD on the machine and remove multifactor by editing the PAM config.
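To see the waterfall described under Configure PAM and the Finalize cleanup together, here is an added example (not part of the original post) that parses a constructed copy of the auth stack above, simulates PAM's control flow for the three outcomes that matter (both factors pass, wrong token, wrong password), and checks that the debug flag is gone and the secret path points under /var/ga. The control semantics are simplified to the four flags used here, and pam_permit.so is assumed as the always-succeed module.

```python
import re

# Constructed copy of the auth lines from this tutorial (debug flag already removed).
PAM_STACK = """
auth requisite pam_unix.so nullok
auth [success=1 default=ignore] pam_google_authenticator.so echo_verification_code [authtok_prompt=Token: ] [secret=/var/ga/${USER}/.google_authenticator] no_strict_owner user=root allowed_perm=0600
auth requisite pam_deny.so
auth required pam_permit.so
"""
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
BUILTIN = {"pam_deny.so": False, "pam_permit.so": True}  # results never change

def parse_stack(text):
    """Return (control, module, args) for every 'auth' line; comments never match."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def run_stack(text, outcomes):
    """Walk the stack the way PAM does, given each non-builtin module's result.
    Simplified semantics: requisite fails at once, required records the failure and
    continues, sufficient ends early on success, and [success=N default=ignore]
    skips N lines on success and is ignored on failure."""
    entries, denied, i = parse_stack(text), False, 0
    while i < len(entries):
        control, module, _ = entries[i]
        ok = BUILTIN.get(module, outcomes.get(module, False))  # unknown module fails
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            denied = True
        if control == "sufficient" and ok and not denied:
            return True
        skip = re.match(r"\[success=(\d+)\s+default=ignore\]", control)
        if skip and ok:
            i += int(skip.group(1))
        i += 1
    return not denied

def finalize_issues(text):
    """Checks from the Finalize section: no debug flag, secret file under /var/ga."""
    issues = []
    for _, module, args in parse_stack(text):
        if module == "pam_google_authenticator.so":
            if "debug" in args.split():
                issues.append("debug flag still set")
            if "secret=/var/ga/" not in args:
                issues.append("secret file is not under /var/ga")
    return issues
```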
Conclusion
I hope this helps someone set up their laptop with multifactor. Multifactor authentication is one way to resist ransomware attacks and data breaches.