I've used Google Authenticator for a number of things now. Once you have the PAM module integrated into a FreeRADIUS config, the sky's the limit with what you can use it for. I've used it for authenticating Pulse SSL VPN clients combined with an AD auth challenge and it works great.

On Thu, May 21, 2015 at 5:46 PM, N.J. Thomas <n...@ayvali.org> wrote:

> * Ray Van Dolson <rvandol...@esri.com> [2015-05-20 22:55:41-0700]:
> > Yubikey or Yubikey+AuthLite are nice solutions for machine logins.
> >
> > What other approaches are some of you using?
>
> Google Authenticator works well for this task:
>
>     https://github.com/google/google-authenticator/
>
> Some nice things about it:
>
>     - there are iPhone/Android apps for it
>
>     - there is a port on FreeBSD to build a PAM module out of the box
>       (security/pam_google_authenticator); there are similar packages
>       for Linux
>
>     - in addition to TOTP (time-based one-time passwords) it also gives
>       you some single-use passwords that you print and put in your wallet
>       or wherever to use if your phone is not available
>
>     - it works with LastPass and other password managers as well
>
>     - apart from the smartphone app, there is no physical token to carry
>       around (a la RSA SecurID)
>
> It works as expected and is great if you're looking to implement
> two-factor authentication on a budget. It only took me a few minutes to
> get my FreeBSD servers running it (basically building the port and
> adding a single line to /etc/pam.d/sshd)
>
> Once everything is installed, you can ssh in using a key, then it's
> bypassed. But if you ssh in and a password is needed to authenticate, it
> will ask for the verification code on top of that:
>
>     $ ssh example.org
>     Password for u...@example.org: [enter password here]
>     Verification code: [enter TOTP here]
>     Last login: Fri Apr 3 02:12:48 2015 from example.edu
>     FreeBSD 10.1-RELEASE-p6 (GENERIC) #0: Tue Feb 24 19:00:21 UTC 2015
>
>     Welcome to FreeBSD!
>     [...]
>
> The only difference from a normal ssh session is the addition of that
> verification code prompt.
>
> hth,
> Thomas
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/

--
- Iain Morris
iain.t.mor...@gmail.com
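
What the "Verification code" prompt in the quoted message has to check on the server side, shown as an added example that is not part of this thread and not the PAM module's own code: an RFC 6238 TOTP check with clock-skew tolerance, replay rejection, and single-use printed codes. The `Verifier` class, `SAMPLE_SECRET` (the RFC 6238 test key) and the scratch code are constructed for illustration.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults: 30-second steps, 6-digit codes
# Constructed sample secret: the RFC 6238 test key, base32 as the apps expect.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical per-user state a verifier keeps between logins."""

    def __init__(self, secret_b32: str, scratch_codes):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.scratch = set(scratch_codes)  # printed single-use codes
        self.last_counter = -1             # newest time step already accepted

    def check(self, code: str, now: float, window: int = 1):
        """Return "scratch", "totp", or None if the code is rejected."""
        if code in self.scratch:
            self.scratch.discard(code)     # single use: burn it on success
            return "scratch"
        current = int(now) // STEP
        # Allow +/- `window` steps of clock skew between phone and server.
        for counter in range(max(0, current - window), current + window + 1):
            if counter <= self.last_counter:
                continue                   # reject replay of a used step
            if hmac.compare_digest(hotp(self.key, counter).encode(),
                                   code.encode()):
                self.last_counter = counter
                return "totp"
        return None

if __name__ == "__main__":
    v = Verifier(SAMPLE_SECRET, {"48291736"})  # constructed scratch code
    print(v.check("287082", now=59))    # valid code for that time step
    print(v.check("287082", now=59))    # same code again: replay
    print(v.check("48291736", now=59))  # printed backup code
    print(v.check("48291736", now=59))  # already burned
```

The replay and scratch-code state has to persist across logins for those protections to hold; here it lives only in memory.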