Changes between Version 2 and Version 3 of GoogleAuthenticator


Ignore:
Timestamp:
06/20/11 16:36:39 (13 years ago)
Author:
mshore2@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • GoogleAuthenticator

    v2 v3  
    2020 
    21211. Download source from code.google.com using the instructions at [[http://code.google.com/p/google-authenticator/source/checkout]] 
    22 1. cd into the google-authenticator/libpam directory 
    23 1. type "make" 
    24 1. run it locally to make sure that it built correct.  When it asks if you want to update your "~/.google_authenticator" file, type "n". Note that if you do not see a QR barcode on your screen, libqrencode-dev is not installed.  The interaction should look something like this: 
     222. cd into the google-authenticator/libpam directory 
     233. type "make" 
     244. run it locally to make sure that it built correct.  When it asks if you want to update your "~/.google_authenticator" file, type "n". Note that if you do not see a QR barcode on your screen, libqrencode-dev is not installed.  The interaction should look something like this: 
    2525[[Image(Screenshot-sxmls@google-authenticator.png)]] 
    26265. If it looks healthy, get your secret key provisioned and available to your phone and to your Linux account.  I'm describing the process on an Android phone because that's what I've got.  (Someone may want to add instructions for iPhone or Blackberry): 
     
    3434   1. The last question is whether or not you'd like to limit login attempts to 3 every 30 seconds.  This is to protect against brute-force attacks, in which the attacker tries every value in the space until it gets a match.  Since there are only 1,000,000 possible codes, on average one can be found in only 500,000 guesses.  Since guessing involves absolutely no computation to speak of (integer increment by one is a machine instruction), it's a very good idea to enable rate-limiting here. 
    3535 1. now, verify that it's actually working by running the demo program in the source directory.  When it asks for your Verification code:, type in the six-digit number provided by the Google Authenticator app on your phone.  If it's successful it says nothing and returns you to the prompt.  If it's not successful it prints "Login failed  Invalid verification code" 
    36  
    37   
    38 1 If it looks healthy, with root privileges type "make install".  This will install the pam module in /lib/security and the "google-authenticator" executable in /usr/local/bin. 
     366. If it still looks healthy, with root privileges type "make install".  This will install the pam module in /lib/security and the "google-authenticator" executable in /usr/local/bin. 
     377. You're now ready to configure pam to use Google authenticator as a second auth factor (never, '''ever''' use it as a single authentication mechanism)