google-authenticator-libpam is now available on AIX Toolbox.
https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/google-authenticator/google-authenticator-1.10-1.aix7.1.ppc.rpm
You can use DNF to install this package from the AIX Toolbox repository.
The Google Authenticator PAM module adds two-factor authentication to logins via SSH, OpenVPN, etc., using a TOTP or HOTP code as the second factor.
Setting up 2FA on AIX using the Google Authenticator PAM module
1. Setting up PAM authentication
1.1. Install the rpm package google-authenticator-1.10-1.aix7.1.ppc.rpm.
This installs the required PAM authentication module:
/usr/lib/security/pam_google_authenticator.so
1.2. Enable PAM on AIX for ssh
Add the entries below to the /etc/pam.conf file.
sshd auth required pam_aix
sshd auth required /usr/lib/security/pam_google_authenticator.so nullok no_increment_hotp
sshd account required pam_aix
sshd password required pam_aix
sshd session required pam_aix
The nullok and no_increment_hotp options are described in section 2.3 below.
1.3. Modify /etc/security/login.cfg
Change auth_type from STD_AUTH to PAM_AUTH:
auth_type = PAM_AUTH
1.4. Edit /etc/ssh/sshd_config to enable PAM for ssh
Change the line from "#UsePAM no" to
UsePAM yes
Restart the sshd server
stopsrc -s sshd
startsrc -s sshd
1.5. Optional: enable PAM debugging
Create an empty file at /etc/pam_debug.
Edit /etc/syslog.conf to name the file that receives the auth syslog messages at the priority level you want. For example:
*.debug /tmp/ssh_auth.log
Set the logging level in /etc/ssh/sshd_config:
# Logging
#SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG3
Restart the syslogd daemon.
stopsrc -s syslogd
startsrc -s syslogd
Restart the sshd server
stopsrc -s sshd
startsrc -s sshd
2. Setting up Google Authenticator
2.1. Setting up a user
Run the google-authenticator binary as the user to create a new secret key. The settings are stored in ~/.google_authenticator.
You can configure either TOTP or HOTP.
The module verifies OTPs that the Google Authenticator mobile app generates from the user's secret key.
Users have to enter the alphanumeric secret key into the Authenticator app manually.
Setting up a user with TOTP:
bash-5.2$ /opt/freeware/bin/google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: K5JYM36J5YC4AVB73V75C6IEAM
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
87884994
77949230
69842842
78561248
81841225
Do you want me to update your "/home/gauthpam/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
bash-5.2$ cat .google_authenticator
K5JYM36J5YC4AVB73V75C6IEAM
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
87884994
77949230
69842842
78561248
81841225
Setting up a user with HOTP:
bash-5.2$ /opt/freeware/bin/google-authenticator
Do you want authentication tokens to be time-based (y/n) n
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: F4VBHAATUUYAQ4RLKUWNBUTKUA
Your verification code for code 1 is 045012
Your emergency scratch codes are:
73297636
73254032
29101074
54459744
95241931
Do you want me to update your "/home/gauthpam/.google_authenticator" file? (y/n) y
By default, three tokens are valid at any one time. This accounts for
generated-but-not-used tokens and failed login attempts. In order to
decrease the likelihood of synchronization problems, this window can be
increased from its default size of 3 to 17. Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
bash-5.2$ cat .google_authenticator
F4VBHAATUUYAQ4RLKUWNBUTKUA
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" HOTP_COUNTER 1
73297636
73254032
29101074
54459744
95241931
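To show how the settings written to ~/.google_authenticator are applied, here is an added Python example (not part of the AIX Toolbox package or of the original post) that parses a constructed file in the same layout, computes RFC 4226/6238 codes, applies the WINDOW_SIZE tolerance described above, and evaluates the RATE_LIMIT timestamps of the kind seen in the HOTP counter check later on. The window and rate-limit semantics are my reading of the module's documented options, not its code.

```python
import base64
import hmac
from hashlib import sha1

# Constructed sample in the layout of the ~/.google_authenticator files shown above
# (secret, '" ' option lines, scratch codes); the secret is the RFC 4226/6238 test key.
SAMPLE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30 1726924825 1726924826 1726924827
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
87884994
77949230
"""

def parse_ga_file(text):
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cfg = {"secret": lines[0].strip(), "options": {}, "scratch": []}
    for line in lines[1:]:
        if line.startswith('" '):
            parts = line[2:].split()
            cfg["options"][parts[0]] = parts[1:]  # e.g. RATE_LIMIT -> ['3', '30', ...]
        else:
            cfg["scratch"].append(line.strip())
    return cfg

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1; TOTP is HOTP with counter = time // 30."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, counter.to_bytes(8, "big"), sha1).digest()
    off = mac[-1] & 0x0F
    return (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits

def rate_limited(cfg, now):
    """RATE_LIMIT <n> <secs> <ts...>: refuse once <n> recent attempts fall inside <secs>."""
    opt = cfg["options"].get("RATE_LIMIT")
    if not opt:
        return False
    attempts, interval = int(opt[0]), int(opt[1])
    recent = [int(t) for t in opt[2:] if now - int(t) < interval]
    return len(recent) >= attempts

def verify_totp(cfg, code, now):
    """Return the matching time step or None; WINDOW_SIZE 3 -> +/-1 step, 17 -> +/-8."""
    half = (int(cfg["options"].get("WINDOW_SIZE", ["3"])[0]) - 1) // 2
    step = now // 30
    for s in range(max(step - half, 0), step + half + 1):
        if hotp(cfg["secret"], s) == int(code):
            return s
    return None
```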
2.2. Enable syslog logging for Google Authenticator
Add the debug option to the Google Authenticator PAM module line in the /etc/pam.conf file.
sshd auth required /usr/lib/security/pam_google_authenticator.so debug
Authentication log messages are then written to the file specified in /etc/syslog.conf.
2.3. Module Options
Google Authenticator provides many options for different login setups. Some examples:
no_increment_hotp - Don't increment the counter for failed HOTP attempts.
nullok - Allow users to log in without an OTP if they haven't set up OTP yet.
For the full list of options, refer to the official GitHub repo: https://github.com/google/google-authenticator-libpam
NOTE: This testing doesn't cover encrypted home directories.
References:
1. Enable PAM on AIX for ssh: https://www.ibm.com/support/pages/enable-ssh-aix-use-pam
2. PAM support in OpenSSH with debugging: http://emmanuel.iffly.free.fr/doku.php?id=aix:aix_pam_ssh
Sample login outputs
==================
With correct password and OTP
------------------------------------
$ ssh gauthpam@aixoss2-lp7.pok.stglabs.ibm.com
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) Verification code:
20 unsuccessful login attempts since last login.
Last unsuccessful login: Sat Sep 21 08:22:36 CDT 2024 on ssh from 9.61.253.223
Last login: Sat Sep 21 08:07:27 CDT 2024 on ssh from 9.61.253.223
*******************************************************************************
* *
* *
* Welcome to AIX Version 7.2! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
$
With the correct password but a wrong OTP, entered repeatedly within a 30-second interval (to verify the rate limit)
------------------------------------------------------------------------------------------------------------
$ ssh gauthpam@aixoss2-lp7.pok.stglabs.ibm.com
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) Verification code:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) Verification code:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) Verification code:
gauthpam@aixoss2-lp7.pok.stglabs.ibm.com's password:
lPermission denied, please try again.
gauthpam@aixoss2-lp7.pok.stglabs.ibm.com's password:
kldfdPermission denied, please try again.
gauthpam@aixoss2-lp7.pok.stglabs.ibm.com's password:
Received disconnect from 9.47.92.128 port 22:2: Too many authentication failures
Disconnected from 9.47.92.128 port 22
[sangamesh@sangameshs-MacBook-Pro-2: ~]$ ssh gauthpam@aixoss2-lp7.pok.stglabs.ibm.com
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
Verify that other users who have not set up Google Authenticator can still log in (nullok option)
-------------------------------------------------------------------------------------------------
$ ssh root@aixoss2-lp7.pok.stglabs.ibm.com
(root@aixoss2-lp7.pok.stglabs.ibm.com) root's Password:
Last login: Sat Sep 21 08:17:04 CDT 2024 on ssh from 9.61.253.223
*******************************************************************************
* *
* *
* Welcome to AIX Version 7.2! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
[YOU HAVE NEW MAIL]
(0) root @ aixoss2-lp7: /
Check that the HOTP counter does not increase after failed logins (no_increment_hotp, so that failed attempts do not lock users out)
-----------------------------------------------------------------------------------------------------------------------------------
bash-5.2$ cat .google_authenticator
F4VBHAATUUYAQ4RLKUWNBUTKUA
" RATE_LIMIT 3 30 1726924825 1726924826 1726924827
" WINDOW_SIZE 17
" HOTP_COUNTER 2
73297636
73254032
29101074
54459744
95241931
$ ssh gauthpam@aixoss2-lp7.pok.stglabs.ibm.com
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) Verification code:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) Verification code:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) gauthpam's Password:
(gauthpam@aixoss2-lp7.pok.stglabs.ibm.com) Verification code:
gauthpam@aixoss2-lp7.pok.stglabs.ibm.com's password:
Permission denied, please try again.
gauthpam@aixoss2-lp7.pok.stglabs.ibm.com's password:
Permission denied, please try again.
gauthpam@aixoss2-lp7.pok.stglabs.ibm.com's password:
Received disconnect from 9.47.92.128 port 22:2: Too many authentication failures
Disconnected from 9.47.92.128 port 22
$ cat .google_authenticator
F4VBHAATUUYAQ4RLKUWNBUTKUA
" RATE_LIMIT 3 30 1726924954 1726924955 1726924956
" WINDOW_SIZE 17
" HOTP_COUNTER 2
73297636
73254032
29101074
54459744
95241931
------------------------------
SANGAMESH
------------------------------