login_googleauth - Google's two-factor authentication for OpenBSD

Introduction

Google Authenticator implements the HMAC-based one-time password (HOTP) algorithm specified in RFC 4226 and the time-based one-time password (TOTP) algorithm specified in RFC 6238.

Google subsequently released a PAM (pluggable authentication ...) authentication module that works with Google Authenticator. As OpenBSD does not make use of PAM, it was initially bereft of Google Authentication capability. This was the raison d'être for this project.

Support for Google Authenticator on OpenBSD relies on two small programs:

login_googleauth provides Google Authenticator login capability to OpenBSD via the bsd_auth authentication scheme. It is primarily derived from the Google Authenticator PAM plugin but functions quite differently and will likely diverge over time.
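
How the one-time codes named above are computed and checked, as an added example that is not login_googleauth's own code (the project is written in C). It uses the test secret published in RFC 4226 and RFC 6238 as sample input; the verifier's `window` and `last_step` parameters are illustrative assumptions, not the project's interface.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226 / RFC 6238, used here as sample input.
KEY = b"12345678901234567890"

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, now, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(key, int(now) // step, digits)

def verify_totp(key, candidate, now, last_step=-1, window=1, step=30, digits=6):
    """Return the time step the code matched, or None if the code is rejected.

    window    -- steps of clock drift tolerated either side of `now` (assumed value)
    last_step -- step of the last accepted code; codes at or before it are
                 refused so a captured code cannot be replayed (assumed design)
    """
    if len(candidate) != digits or not (candidate.isascii() and candidate.isdigit()):
        return None
    current = int(now) // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        if counter <= last_step:
            continue  # already consumed: refuse replay
        # compare_digest does not reveal how many leading digits were correct
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            matched = counter
    return matched

if __name__ == "__main__":
    import time
    print("current code for the test secret:", totp(KEY, time.time()))
```

A caller would store the returned step as the new `last_step` for that user after each successful login.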

Installation

Both login_googleauth and googleauth have dependencies on various OpenBSD system sources. You'll need those available to get them compiled.

You can fetch the required source as outlined below (it will probably take a while). I use -stable for this as I usually don't like having to work out problems that might come up tracking -current.

OpenBSD 5.6 is the current release as of this writing, so update the release tag as necessary. Also note that the anonymous CVS server in this example is located in Australia. Check the list of anonymous CVS servers for one in your neighbourhood.

# cd /usr
# export CVSROOT=anoncvs@anoncvs.bom.nom.co:/cvs
# cvs -qd $CVSROOT checkout -rOPENBSD_5_6 -P src

After fetching the OpenBSD system source, fetch the source for login_googleauth. The public source repository is located at GitHub.

# git clone https://github.com/KrugerHeavyIndustries/login_googleauth.git login_googleauth

You can then build and install as follows:

# cd login_googleauth
# make
# make install

Next, fetch the source for googleauth:

# git clone https://github.com/KrugerHeavyIndustries/googleauth.git googleauth

Build and install googleauth as follows:

# cd googleauth
# make
# make install

Using

... Still plenty of work to do here but some quickstart notes are below.

Setup User

The googleauth command below sets up a user with a TOTP key and 5 scratch codes.

googleauth -t username

NOTE: When building from source code you will need to create the /var/db/googleauth directory. In production this directory will be created by the package installer scripts.

Enable with SSH

Edit /etc/login.conf

auth-defaults:auth=googleauth,passwd,skey:

Then rebuild the login.conf database:

# cap_mkdb /etc/login.conf

History

Minor bug fixes and improvements; February 1st 2015

First released; October 15th 2012

Last updated; 12 November 2019