login_googleauth - Google's two-factor authentication for OpenBSD
Google authenticator implements the HMAC based one-time password (HOTP) algorithm specified in RFC 4226 and the time-based one-time password (TOTP) algorithm specified in RFC 6238.
Google subsequently released a PAM (pluggable authentication ...) authentication module that works with Google Authenticator. As OpenBSD does not make use of PAM it was initially bereft of Google Authentication capability. This was the Raison d'être for this project.
Support for Google Authenticator on OpenBSD relies on two small programs
- login_googleauth - which does the actual authentication of user logins when a user is configured to use Google Authentication
- googleauth - is a small utility that allows an administrator to configure a user for Google Authentication on the system
login_googleauth provides Google Authenticator login capability to OpenBSD via the bsd_auth authentication scheme. It is primarily derived from the Google Authenticator PAM plugin but functions quite differently and will likely diverge over time.
Both login_googleauth and googleauth have dependencies on various OpenBSD system sources. You'll need those available to get them compiled.
You can fetch the required source as outlined below (it will probably take a while). I use -stable for this as I usually don't like having to workout problems that might come up tracking-current.
OpenBSD is current at 5.6 as of writing this, so update this as necessary. Also note that the anonymous CVS server in this example is located in Australia. You can check for a server in your neighbourhood here
# cd /usr # export CVSROOTfirstname.lastname@example.org:/cvs # cvs -qd $CVSROOT checkout get -rOPENBSD_5_6 -P src
After fetching OpenBSD system source move on to fetching the Google Authentication sources fetch the source for login_googleauth. The public source repository is located at Github
# git clone git://github.com/KrugerHeavyIndustries/login_googleauth.git login_googleauth
# cd login_googleauth # make # make install
# git clone git://github.com/KrugerHeavyIndustries/googleauth.git googleauth
# cd googleauth # make # make install
... Still plenty of work to do here but some quickstart notes are below.
The googleauth command below sets up a user with a TOTP key and 5 scratchcodes.
googleauth -t username
NOTE: When building from source code you will need to create the /var/db/googleauth directory. In production this directory will be created by the package installer scripts.
Enable with SSH
auth-defaults:auth=googleauth,passwd,skey:# cap_mkdb /etc/login.conf
Minor bugs fixes and improvements; February 1st 2015
First released; October 15th 2012