Forum Discussion

fx_91779's avatar
fx_91779
Icon for Nimbostratus rankNimbostratus
Sep 29, 2012

Enable Google Authenticator on BIG-IP 11.2.1 VE

Hi,

 

 

Since BIG-IP ssh didn't have 2FA, I try to install Google Authenticator, and it works on VE! :)

 

 

Steps below:

 

* download http://dl.fedoraproject.org/pub/epel/6/i386/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.i686.rpm

 

 

* extract using 7zip, using rpm2cpio and cpio didn't work well

 

 

* upload { lib, usr } to /root using sftp

 

 

mv /root/lib/security/pam_google_authenticator.so /lib/security

 

mount -o remount,rw /usr

 

move /root/usr/bin/google-authenticator to /usr/local/bin

 

chmod 755 /usr/local/bin/google-authenticator

 

mount -o remount,ro /usr

 

 

vi /etc/pam.d/sshd

 

 

put auth required pam_google_authenticator.so after %PAM1.0

 

 

[root@dimension6:Active:Standalone] config head -4 /etc/pam.d/sshd

 

%PAM-1.0

 

auth required pam_google_authenticator.so

 

auth required pam_audit.so --force-early-summary

 

auth include system-auth

 

 

restart sshd

 

service sshd restart

 

and viola

 

run google-authenticator

 

[root@dimension6:Active:Standalone] ~ google-authenticator

 

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@dimension6.localhost.localdomain%3Fsecret%3DA27Q2WUPK4ZPBZ54

 

Your new secret key is: A27Q2WUPK4ZPBZ54

 

Your verification code is 012714

 

Your emergency scratch codes are:

 

72616923

 

36548529

 

78911086

 

15203838

 

16958039

 

 

Do you want me to update your "~/.google_authenticator" file (y/n) y

 

 

Do you want to disallow multiple uses of the same authentication

 

token? This restricts you to one login about every 30s, but it increases

 

your chances to notice or even prevent man-in-the-middle attacks (y/n) y

 

 

By default, tokens are good for 30 seconds and in order to compensate for

 

possible time-skew between the client and the server, we allow an extra

 

token before and after the current time. If you experience problems with poor

 

time synchronization, you can increase the window from its default

 

size of 1:30min to about 4min. Do you want to do so (y/n) n

 

 

If the computer that you are logging into isn't hardened against brute-force

 

login attempts, you can enable rate-limiting for the authentication module.

 

By default, this limits attackers to no more than 3 login attempts every 30s.

 

Do you want to enable rate-limiting (y/n) y

 

 

When login using putty

 

 

login as: root

 

Using keyboard-interactive authentication.

 

Verification code:

 

Using keyboard-interactive authentication.

 

Password:

 

Last login: Sun Sep 30 01:46:10 2012 from 10.1.132.50

 

[root@dimension6:Active:Standalone] config

 

 

and when using public key, google authenticator will not work, because PubkeyAuthentication was enable on /config/ssh/sshd_config

 

 

I haven't tried to install 11.2.1 image into HD1.2, and see 2 step verification works or not

 

I want this feature so bad, I hope the next release will include google-authenticator or another 2FA into BIG-IP, when login from Web GUI & SSH wil add another layer of security

 

Enjoy

 

security

1 Reply

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Oct 01, 2012
    Hi Budi,

     

     

    That's a really cool solution. Thanks for sharing it. It would be great if you wanted to work with the DC guys to document it in an article.

     

     

    Thanks!

     

    Aaron