Flings
Apps and tools built by our engineers that are intended to be played with and explored.

ESXi Google Authenticator

Summary

Google Authenticator is a project that provides two-factor authentication using a PAM (Pluggable Authentication Module) module together with a mobile application that generates one-time passcodes. In ESXi Google Authenticator, we modified the Google Authenticator source code to enable two-step authentication on ESXi (5.0, 5.1).

Features

  • Two-factor authentication for ESXi Shell and SSH access
  • Supports logins by multiple administrators on ESXi 5.1, and by the single administrator (root) on ESXi 5.0
  • Support for 30-second TOTP codes
  • Support for emergency scratch codes
  • Protection against replay attacks
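
What the module checks at each login, shown as an added example (a shell script written for this page, not code from the Fling or from the Google Authenticator project): a 6-digit, 30-second TOTP code per RFC 6238, accepted for the current step and one step either side (which is why the host clock has to be right), with replay protection by recording the last accepted step and refusing anything at or before it. It assumes openssl, awk and cut are on PATH, takes the secret as hex rather than the base32 the real module stores in ~/.google_authenticator, and uses a plain state file in place of the module's own bookkeeping; the key in the usage note is the RFC 6238 test secret.

```sh
#!/bin/sh
# Added example, not the Fling's or Google's code: minimal RFC 6238 TOTP
# verification with a +/-1 step skew window and replay protection.
# Assumes: openssl, awk, cut on PATH; secret given as hex (the real module
# stores base32 in ~/.google_authenticator); STATEFILE stands in for the
# module's own record of the last code it accepted.

# hotp HEXKEY COUNTER -> 6-digit HOTP (RFC 4226) for one counter value
hotp() {
    h_key=$1
    h_counter=$2
    # 8-byte big-endian counter, built from printf octal escapes
    h_msg=""
    h_i=7
    while [ "$h_i" -ge 0 ]; do
        h_byte=$(( (h_counter >> (8 * h_i)) & 255 ))
        h_msg="$h_msg$(printf '\\%03o' "$h_byte")"
        h_i=$((h_i - 1))
    done
    # HMAC-SHA1 of the counter under the secret, as 40 hex characters
    h_mac=$(printf "$h_msg" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$h_key" | awk '{print $NF}')
    # dynamic truncation: low nibble of the last byte selects a 4-byte window
    h_nib=$(printf '%s' "$h_mac" | cut -c40)
    h_off=$(( 0x$h_nib * 2 + 1 ))
    h_slice=$(printf '%s' "$h_mac" | cut -c"$h_off"-"$((h_off + 7))")
    printf '%06d\n' $(( (0x$h_slice & 0x7fffffff) % 1000000 ))
}

# totp HEXKEY UNIXTIME -> the code the phone app shows at that moment
totp() {
    hotp "$1" $(( $2 / 30 ))
}

# verify_totp HEXKEY CODE UNIXTIME STATEFILE -> 0 if CODE matches the current
# 30 s step or the one before/after it AND that step is newer than the last
# accepted step in STATEFILE; the accepted step is then recorded, so a code
# captured from one login cannot be replayed during its remaining lifetime.
verify_totp() {
    v_key=$1; v_code=$2; v_step=$(( $3 / 30 )); v_state=$4
    v_last=$(cat "$v_state" 2>/dev/null || echo 0)
    v_last=${v_last:-0}
    for v_delta in 0 -1 1; do
        v_t=$(( v_step + v_delta ))
        if [ "$v_t" -le "$v_last" ]; then
            continue    # already used, or older than one already used: replay
        fi
        if [ "$(hotp "$v_key" "$v_t")" = "$v_code" ]; then
            printf '%s\n' "$v_t" > "$v_state"
            return 0
        fi
    done
    return 1
}
```

With KEY=3132333435363738393031323334353637383930 (the RFC 6238 test secret), totp "$KEY" 59 prints 287082, and running verify_totp "$KEY" 287082 59 /tmp/last_step twice in a row succeeds once and then fails, because step 1 has been recorded; a code from the previous window is still accepted until a newer step has been used, which is the skew tolerance that makes an unsynced host clock show up as "the code never works" rather than as an occasional failure.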

System Requirements

You must have ESXi 5.0 or higher; this version of the module targets ESXi 5.0 and 5.1 (see Summary).

Instructions

  1. Download the ESXi Google Authenticator VIB. You may also download the source code (OSS) and ReadMe files.
  2. Upload the ESXi Google Authenticator VIB to the ESXi host using either SCP or the datastore browser.
  3. Install the ESXi Google Authenticator VIB using ESXCLI (give the full path of the VIB on the host, for example under /vmfs/volumes/):
    esxcli software vib install -v /path/to/the/vib --no-sig-check -f
    Note that --no-sig-check skips signature verification of the VIB and -f bypasses the acceptance-level and dependency checks, so only install a VIB you obtained from the Fling download itself.
  4. Download the Google Authenticator app for your mobile phone (Android, iOS and BlackBerry are supported; see the instructions at https://code.google.com/p/google-authenticator/). Note: ensure your ESXi host is synced to a valid time source, since TOTP codes are derived from the current time.
  5. If you wish to configure two-step auth for 'user', run 'google-authenticator' as 'user' on ESXi and answer 'yes' to all the prompts (only 'root' is supported on ESXi 5.0, since there is only one administrator there). A URL, a secret key, and emergency scratch codes will be generated.
  6. You can either add your ESXi host to the mobile app manually by entering the secret key, or paste the URL into a web browser, which renders a QR code that the mobile app can scan. The URL embeds the secret, so treat it with the same care as the key itself. The app will then show a code that changes every 30 seconds.
  7. Configure two-step login for your service (currently sshd and the shell are supported; the VI client is not supported in this version):
    a) Add the following line to /etc/ssh/sshd_config:
    ChallengeResponseAuthentication yes

    b) Make sure /etc/pam.d/sshd (for SSH) or /etc/pam.d/login (for the ESXi Shell) lists the following ahead of its other auth entries:
    auth required pam_google_authenticator.so
    If you want the module to apply per user (so that users who have not yet created a secret key can still log in, skipping the verification-code step), pass the "nullok" option to the module instead:
    auth required pam_google_authenticator.so nullok
    c) Run the following commands to add the line to the corresponding files (they insert it as line 3 of each file; append " nullok" inside the quotes if you want that option):
    sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/sshd
    sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/login
    d) To make the configuration take effect immediately, run "/etc/init.d/SSH restart" to reload it. ESXi does not keep changes to /etc/pam.d/sshd or /etc/pam.d/login across a reboot, so to make the configuration persist, add the sed commands to /etc/rc.local.d/local.sh, which re-adds the entries on every boot.
    e) Once two-step login is configured for login or sshd, each time you log in through either you will be prompted for your TOTP code (time-based one-time password) before your normal ESXi account password.
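
The whole of step 7 as one idempotent script, added here as an example (not the Fling's own code) for use from /etc/rc.local.d/local.sh, where the Fling tells you to re-apply the PAM change on every boot: it inserts the module line ahead of the first existing auth entry rather than at a fixed line number, refuses to add it a second time, and sets ChallengeResponseAuthentication in sshd_config by replacing any existing (or commented-out) setting instead of appending a duplicate. The functions take the file to edit as an argument so they can be tried on copies first; choosing nullok as the default is this example's decision, not the page's.

```sh
#!/bin/sh
# Added example, not the Fling's own code: idempotent helpers for step 7,
# safe to run from /etc/rc.local.d/local.sh on every boot.
# Assumes a POSIX sh with grep, awk and mv, and that the VIB is installed.

# Default line to insert; drop " nullok" to require a secret for every user.
PAM_LINE='auth required pam_google_authenticator.so nullok'

# ensure_pam_line FILE [LINE]
# Insert LINE ahead of the first existing "auth" entry of a pam.d file unless
# an identical line is already present.  Prints "added" or "present".
ensure_pam_line() {
    file=$1
    line=${2:-$PAM_LINE}
    if grep -qxF "$line" "$file"; then
        echo present
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v ins="$line" '
        !done && $1 == "auth" { print ins; done = 1 }
        { print }
        END { if (!done) print ins }    # file had no auth entry at all
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    echo added
}

# ensure_sshd_option FILE KEY VALUE
# Set "KEY VALUE" in an sshd_config, replacing any existing setting of KEY
# (including a commented-out "#KEY ..." line), or appending it if absent.
ensure_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { ckey = "#" key }
        $1 == key || $1 == ckey { if (!done) print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# pam_position FILE -> 1-based line number of the first "auth" entry; after
# ensure_pam_line that is the Google Authenticator line itself.
pam_position() {
    awk '$1 == "auth" { print NR; exit }' "$1"
}

# On the host (uncomment when pasting into /etc/rc.local.d/local.sh):
# ensure_pam_line /etc/pam.d/sshd
# ensure_pam_line /etc/pam.d/login
# ensure_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
# /etc/init.d/SSH restart
```

Because ensure_pam_line checks for the exact line before inserting, running local.sh by hand after a boot that already applied it changes nothing, which the fixed "3i" sed does not guarantee; pam_position is only a check that the module really ended up first, which is what makes the verification code be asked for before the password.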

For more on the usage of this PAM module, please refer to: README

Engineers

Hongkun Xi

Research & Development

Jian Ouyang

Research & Development

3 thoughts on “ESXi Google Authenticator”

  1. Hongkun Xi

    Please note the following:

    1. This PAM module supports sshd and shell (which is shown when pressing 'ALT+F1') for now. For sshd, the PAM conf file is /etc/pam.d/sshd, and for shell it is /etc/pam.d/login. Their PAM module configuration files are independent; you can configure them separately.

    2. If you allow users who have not created their secret key to log in, the 'nullok' option is needed in the sshd/login PAM configuration. You need to specify it in your sed command like

    sed -i -e '3iauth required pam_google_authenticator.so nullok\' /etc/pam.d/sshd

    If you forgot to specify this option in your sed command, run sed -i '3d' /etc/pam.d/sshd or sed -i '3d' /etc/pam.d/login to delete the line added, and specify it again.

    Do remember that if you want to ensure the configuration persists after a reboot, you will need to add the sed command to /etc/rc.local.d/local.sh

    3. If you find that your TOTP code never works, this is mostly because the clock on your server is different from the one on your mobile device. You can either sync their time, or you can teach it about the amount of time skew that you are experiencing by trying to log in three times in a row (input 3 distinct verification codes, which are generated every 30s; the third attempt will succeed).

    In later login attempts, you will pass the verification even if your clock is different from your mobile device, because the server has been taught the time skew.

    You are welcome to give us feedback if you find any questions/problems when using this tool.

    Thanks!
