Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Enable Google Authenticator on BIG-IP 11.2.1 VE

Hi,

 

Since BIG-IP ssh didn't have 2FA, I try to install Google Authenticator, and it works on VE! :)

 

Steps below:

* download http://dl.fedoraproject.org/pub/epel/6/i386/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.i686.rpm

* extract using 7zip, using rpm2cpio and cpio didn't work well

* upload { lib, usr } to /root using sftp

# mv /root/lib/security/pam_google_authenticator.so /lib/security
# mount -o remount,rw /usr
# move /root/usr/bin/google-authenticator to /usr/local/bin
# chmod 755 /usr/local/bin/google-authenticator
# mount -o remount,ro /usr

vi /etc/pam.d/sshd

put auth       required     pam_google_authenticator.so after #%PAM1.0

[root@dimension6:Active:Standalone] config # head -4 /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       required     pam_audit.so --force-early-summary
auth       include      system-auth

restart sshd

# service sshd restart

and viola

run google-authenticator

[root@dimension6:Active:Standalone] ~ # google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@dimension6.localhost.localdomain%3Fsecret%3DA27Q2WUPK4ZPBZ54
Your new secret key is: A27Q2WUPK4ZPBZ54
Your verification code is 012714
Your emergency scratch codes are:
  72616923
  36548529
  78911086
  15203838
  16958039

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
 

When login using putty

 

login as: root
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: Sun Sep 30 01:46:10 2012 from 10.1.132.50
[root@dimension6:Active:Standalone] config #
 

and when using public key, google authenticator will not work, because PubkeyAuthentication  was enable on /config/ssh/sshd_config

 

I haven't tried to install 11.2.1 image into HD1.2, and see 2 step verification works or not

I want this feature so bad, I hope the next release will include google-authenticator or another 2FA into BIG-IP, when login from Web GUI & SSH wil add another layer of security

Enjoy

1
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Budi,

That's a really cool solution. Thanks for sharing it. It would be great if you wanted to work with the DC guys to document it in an article.

Thanks!
Aaron
0