Created 2015-08-27 by Hanz Makmur
In our on going effort to increase the security of our Linux account, beginning Fall 2015 the CS Department is adding Google Authenticator as an optional service for users who wants to increase the security of his/her Linux account on a CS Linux machine.
Google Authenticator is a system of Time Based One Time Password from RFC6238. It is often used as part of a Two Factor Authentication for websites such as Google, GMail, FaceBook, DropBox, WordPress, LastPass, Amazon Cloud, and others where a user is required to put a 6 (or more) digit one-time verification token a long with username and password.
In general, for better security, you should enable Two-factor authentication wherever the service is provided. To learn more check Pixel Privacy Two-Factor Authentication explanation.
Requirement
Before you enable Google Authenticator you will need to download the Google Authenticator App for your smart phones, tablets or web browser. The App is available for Android, iOS devices as well as browser extension like Chrome Authenticator or Firefox Authenticator extension.
Activating Google Authenticator on CS Linux Machine.
Once you have an Google Authenticator App, you can now enable google authenticator feature to enable two factor authentication on CS Linux machines simply by typing: google-authenticator
in a terminal window and answer 'y'
on each questions as below:
% google-authenticator Do you want authentication tokens to be time-based (y/n) y https://www.google...@YOURHOSTNAME%3Fsecret%3DWYD4SYCGEE5N4M3LA Your new secret key is: WYD4SYCGEE5N4M3LA Your verification code is 163127 Your emergency scratch codes are: 40186300 18418071 87502143 30873576 00892542 Do you want me to update your "/path/homedir/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
This process generates file named .google-authenticator
in your home directory.
Note:If you are XTerm, you should see QR codes on the screen as shown above.
At this time you can use your your Google Authenticator and scan the code you see on the screen or copy/paste the link you see to a browser to verify and complete the activation.
Testing Your Authenticator
To test your Google Authenticator, open a new ssh session and enter your username. The prompt will ask you for a verification code and then your password. Make sure you enter your Google Authenticator code when you are asked for verification code. If you make a mistake, you have to do it all over again. The code can only be used once. Make sure you wait for a new verification code before you enter it.
Note: On an SSH session, the verification code is asked before your password, otherwise, verification code will be asked after your password is entered.
Tips and Tricks
- If you would like to use just 1 authenticator code for all CS Linux System, you can copy the
.google-authenticator
file to your home directory to each cluster. When google authenticator is enabled on the machine, it will automatically take effect. - If for some reasons you need to turn off google authenticator, simply remove
.google-authenticator
file and it will no longer work.
For help with our systems or If you need immediate assistant, visit LCSR Operator at CoRE 235 or call 848-445-2443. Otherwise, see CS HelpDesk. Don’t forget to include your NetID along with descriptions of your problem.