login_googleauth - Google's two-factor authentication for OpenBSD

Introduction


Google Authenticator implements the HMAC-based one-time password (HOTP) algorithm specified in RFC 4226 and the time-based one-time password (TOTP) algorithm specified in RFC 6238.


Google subsequently released a PAM (pluggable authentication ...) authentication module that works with Google Authenticator. As OpenBSD does not make use of PAM, it was initially bereft of Google Authentication capability. This was the raison d'être for this project.


Support for Google Authenticator on OpenBSD relies on two small programs


login_googleauth
 provides Google Authenticator login capability to OpenBSD via the bsd_auth authentication scheme. It is primarily derived from the Google Authenticator PAM plugin but functions quite differently and will likely diverge over time.

Installation


Both login_googleauth and googleauth have dependencies on various OpenBSD system sources. You'll need those available to get them compiled.


You can fetch the required source as outlined below (it will probably take a while). I use -stable for this as I usually don't like having to work out problems that might come up tracking -current.


OpenBSD is current at 5.6 as of writing this, so update the release tag below as necessary. Also note that the anonymous CVS server in this example is located in Australia. You can check for a server in your neighbourhood here

# cd /usr
# export CVSROOT=anoncvs@anoncvs.bom.nom.co:/cvs
# cvs -qd "$CVSROOT" checkout -rOPENBSD_5_6 -P src


After fetching the OpenBSD system source, move on to the Google Authenticator sources. First fetch the source for login_googleauth. The public source repository is located at GitHub.

# git clone git://github.com/KrugerHeavyIndustries/login_googleauth.git login_googleauth


You can then build and install it as follows:

# cd login_googleauth
# make
# make install 


Next fetch the source for googleauth.

# git clone git://github.com/KrugerHeavyIndustries/googleauth.git googleauth


Build and install googleauth as follows:

# cd googleauth
# make 
# make install

Using


... Still plenty of work to do here but some quickstart notes are below.

Setup User


The googleauth command below sets up a user with a TOTP key and 5 scratch codes.

googleauth -t username

NOTE: When building from source code you will need to create the /var/db/googleauth directory. In production this directory will be created by the package installer scripts.

Enable with SSH


Edit /etc/login.conf

auth-defaults:auth=googleauth,passwd,skey:

# cap_mkdb /etc/login.conf

History


Minor bug fixes and improvements; February 1st 2015


First released; October 15th 2012

Last updated; 1st February 2015