5. If it looks healthy, get your secret key provisioned and available to your phone and to your Linux account. I'm describing the process on an Android phone because that's what I've got. (Someone may want to add instructions for iPhone or Blackberry):
   1. Run ./google-authenticator again.
   2. Fire up Google Authenticator on your phone.
   3. If you're generating QR barcodes on the server, choose the phone's Google Authenticator menu item to scan the barcode. Scan the barcode, and click when it notifies you that it found the URL. When the server-side google-authenticator asks if you want to update your ~/.google_authenticator file, type "y".
   4. If you're *not* generating QR barcodes on the server, you'll need to add the account manually based on the data printed out by the server's google-authenticator program.
   5. In either case you'll be asked some questions before google-authenticator updates your ~/.google_authenticator file:
      1. The first question is whether or not you want to allow a given token value to be used more than once. If you say "y" you won't have to wait for the token value to turn over before authenticating again, but you risk an eavesdropper capturing the token and reusing it before the window closes. The tokens roll over every 30 seconds, so if you say "n" you'll wait about 15 seconds on average for a new token.
      2. The second question is about poor time synchronization between your phone and the server. By default they can be out of sync by up to 90 seconds and the authenticator will still work. If you've got reason to think that your phone and the server might be out of sync by more than 90 seconds, answering "y" here increases the tolerable time skew to 4 minutes.
      3. The last question is whether or not you'd like to limit login attempts to 3 every 30 seconds. This protects against brute-force attacks, in which the attacker tries every value in the space until one matches. Since there are only 1,000,000 possible codes, on average one can be found in only 500,000 guesses, and guessing involves absolutely no computation to speak of (incrementing an integer by one is a single machine instruction), so it's a very good idea to enable rate-limiting here.
   6. Now verify that it's actually working by running the demo program in the source directory. When it asks for your "Verification code:", type in the six-digit number shown by the Google Authenticator app on your phone. If it's successful it says nothing and returns you to the prompt. If it's not successful it prints "Login failed Invalid verification code".
6. If it looks healthy, with root privileges type "make install". This will install the PAM module in /lib/security and the "google-authenticator" executable in /usr/local/bin.
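As an added example (not code from the original page or from the google-authenticator project), the following Python models the three setup questions as a server-side TOTP verifier: it rejects a reused token, accepts codes within a clock-skew window (90 seconds by default, 4 minutes if widened), and throttles to 3 attempts per 30 seconds. The `Verifier` class, the mapping of the skew window onto 30-second steps, and the RFC 6238 reference secret are assumptions of this example, not the PAM module's exact implementation.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds; tokens roll over every 30 s
DIGITS = 6     # six-digit codes -> 1,000,000 possible values

def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238 code for one 30-second time step (HMAC-SHA1, 6 digits)."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

class Verifier:
    """Server-side check modelling the three setup questions (assumed
    semantics for this example, not the PAM module's exact behaviour)."""

    def __init__(self, secret_b32, disallow_reuse=True, skew_seconds=90,
                 rate_limit=(3, 30)):
        self.secret = secret_b32
        self.disallow_reuse = disallow_reuse          # question 1
        self.window = skew_seconds // STEP            # question 2: steps either side of now
        self.max_attempts, self.period = rate_limit   # question 3: 3 tries per 30 s
        self.used_counters = set()                    # time steps already accepted
        self.attempts = []                            # timestamps of recent attempts

    def verify(self, code: str, now: float) -> str:
        # Rate limit first, so guesses are throttled whether right or wrong.
        self.attempts = [t for t in self.attempts if now - t < self.period]
        if len(self.attempts) >= self.max_attempts:
            return "rate limited"
        self.attempts.append(now)
        cur = int(now) // STEP
        for c in range(max(cur - self.window, 0), cur + self.window + 1):
            if hmac.compare_digest(totp(self.secret, c), code):
                if self.disallow_reuse and c in self.used_counters:
                    return "replayed"        # an eavesdropper reusing a token
                self.used_counters.add(c)
                return "ok"
        return "invalid"

# RFC 6238 reference secret ("12345678901234567890" in base32), not a real key.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

With the reference secret, `totp(SECRET, 59 // 30)` yields the RFC 6238 vector "287082", and presenting it a second time one second later returns "replayed" rather than "ok".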