ID #1198

Can I use Google Authenticator to connect to my cluster?

Yes. Google Authenticator can be used to connect to the cluster via SSH and cmgui. It does not work with the user portal or Bright View.


Getting the RPMs:


Either Fedora's EPEL repository should be enabled, or the RPMs from EPEL should be downloaded manually. The EPEL repository is enabled by default in Bright.


The pre-packaged PAM module can be downloaded from:


Installing the PAM module:

# yum install google-authenticator
or (one line):

# zypper in


Configuring the SSH server:

In /etc/ssh/sshd_config ensure the settings match the following:

PasswordAuthentication yes 
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

UsePAM yes

Configure PAM:
In the PAM file /etc/pam.d/system-auth, a new line needs to be added at the top:

auth required
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth sufficient use_first_pass
auth required


On RHEL7, a new line also needs to be added to the bottom of /etc/pam.d/sshd for SSH logins:

session optional force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional prepare

auth required

Configure the authenticator for a given account:

[root@test ~]# google-authenticator|0&cht=qr&chl=otpauth://tot/root@kerndev%3Fsecret%3DE6DCBKDAYAIKOYXB
Your new secret key is: E6DCBKDAYAIKOYXB
Your verification code is 070897
Your emergency scratch codes are:







Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n


If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
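The prompts in the transcript above (30-second tokens, one extra token before and after the current time, no reuse of a token) are modelled below in a small Python verifier. This is an added example, not code from the KB entry or from the PAM module; the secret is the one printed in the transcript, and the Unix timestamps are constructed.

```python
"""Added example: a minimal TOTP verifier that mirrors the behaviour the
google-authenticator setup prompts describe (30 s step, +/-1 step skew
window, no reuse of a time step).  Not the PAM module's own code."""
import base64
import hashlib
import hmac
import struct

STEP = 30   # tokens are good for 30 seconds
DIGITS = 6


def totp_at(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for a base32 secret at a Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Verifier:
    """Accepts a code matching any of `window` consecutive steps centred on
    now (3 steps = the default 1:30 window from the prompt).  Like the
    'disallow multiple uses' option, a time step is only ever accepted once,
    so a replayed code is rejected even while it is still inside the window."""

    def __init__(self, secret_b32: str, window: int = 3):
        self.secret = secret_b32
        self.half = window // 2
        self.used_steps: set[int] = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.half, current + self.half + 1):
            if step in self.used_steps:
                continue
            if hmac.compare_digest(totp_at(self.secret, step * STEP), code):
                self.used_steps.add(step)
                return True
        return False
```

Widening `window` reproduces the "about 4min" option offered by the setup prompt; the trade-off is that a captured code stays valid for longer.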


Following the link in the text above displays a QR code image in the web browser.


This image can be scanned with a smartphone or tablet camera with the Google Authenticator app.
The next time the system is logged into, a Google Authenticator verification code will be required:

root@darkstar:~# ssh root@kerndev
Verification code:


Last login: Tue May 27 12:28:54 2014 from

Welcome to Bright Cluster Manager 7.0

When connecting to CMGUI, an extra dialog window pops up prompting for the Google Authenticator verification code.

If using SELinux, the following line in the PAM configuration file should be used (one line):

auth   required nullok secret=/home/${USER}/.ssh/.google_authenticator

nullok       tells PAM to accept a null token if the user does not have Google Authenticator configured. In other words, users without two-factor configured can still log in.
secret=...   gives PAM access to the needed key file, even with SELinux installed.

After that, the file .google_authenticator must be moved to the .ssh folder of the user. The folder may need to be created. It is best to do this as the user:

$ mv /home/<username>/.google_authenticator /home/<username>/.ssh/.google_authenticator

The administrator should then restart the daemons:

# service sshd restart
# service cmd restart
Additional tip:
Encrypting the storage of the Android device is recommended, because the Google Authenticator secret key is kept on the device. Storage encryption is a standard Android feature.
