ESXi Google Authenticator
Google Authenticator is a project that provides two-factor authentication by using both a PAM (Pluggable Authentication Module) module and a mobile application for generating one-time passcodes. In ESXi Google Authenticator, we modified the source code of Google-Authenticator to enable two-step authentication on ESXi (5.0, 5.1).
- Two-Factor Authentication for ESXi Shell and SSH access
- Supports multiple administrators login on esx5.1, and single admin (root) on esx5.0
- Support for 30-second TOTP codes
- Support for emergency scratch codes
- Protection against replay attacks
You must have ESXi 5.0 and higher.
- Download the ESXi Google Authenticator VIB. You may also download the source code (OSS) and ReadMe files.
- Upload the ESXi Google Authenticator VIB to the ESXi host using either SCP or datastore browser.
- Install the ESXi Google Authenticator VIB using ESXCLI, here is the command to do so:
esxcli software vib install -v --no-sig-check -f /path/to/the/vib
- Download the Google Authenticator app for your mobile phone.(Android/iOS/Blackberry is supported. Please refer to the instructions listed here https://code.google.com/p/google-authenticator/). Note: Ensure your ESXi host is synced to a valid time source
- If you wish to configure two-step auth for 'user', run 'google-authenticator' as 'user' on ESXi and answer 'yes' for all the prompts (Note that only 'root' is supported on ESXi 5.0, since there is actually only one administrator). A URL, secret key, and emergency code will be generated.
- You can either manually add your ESXi host into the mobile app by entering the secret key, or copy and paste the URL into a web browser, which provides a QRC code that the mobile app can just read from. A code will be generated on your mobile app, which will automatically change every 30s.
- Configure two-step login for your service (Currently we support sshd and shell. VI-client is not supported yet, in this version):
a) Add the following line to
/etc/ssh/sshd_config: ChallengeResponseAuthentication yes
b) Make sure
/etc/pam.d/loginincludes the following as the first line entry:
auth required pam_google_authenticator.so
If you want esx_google-authenticator to support per-individual users(in this case, there might be users who have not created his secret key, yet. But they are allowed to skip the verification code step when log in), you can pass the "nullok" option to the module:
auth required pam_google_authenticator.so nullok
c)Run the following command to add the above to corresponding file:
sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/sshd
sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/login
d) To make the above configuration take effect immediately, run "
/etc/init.d/SSH restart" to reload the
conf.ESXiwill not keep the changes to
/etc/pam.d/login. To ensure the above configuration persists after a reboot, you will need to add the sed command to
/etc/rc.local.d/local.shwhich will automatically add the entries upon bootup.
e) If you have configured two-step login for login/sshd, then each time you log into your system through either, you will now be prompted for your TOTP code (time-based one-time-password) before your normal ESXi account password.
For more on the usage of this PAM module, please refer to: README