2FA for centminmod
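# Upstream PAM module: https://github.com/google/google-authenticator/tree/master/libpam
# (moved to https://github.com/google/google-authenticator-libpam)
#
# Builds google-authenticator-libpam from source, wires it into the sshd PAM
# stack behind a pam_access ACL, and enrols the user running the script.
# Run as root on an EL host (yum, /usr/lib64/security).  Keep a second SSH
# session open while this runs: a broken PAM or sshd configuration locks you out.

####### start of install #######
set -euo pipefail

readonly src_root=/svr-setup
readonly repo_url=https://github.com/google/google-authenticator-libpam
readonly pam_sshd=/etc/pam.d/sshd
readonly sshd_config=/etc/ssh/sshd_config
readonly acl_file=/etc/security/2fa-acl.conf

# bind-utils / nmap-netcat / ntp serve the NTP checks further down, not the build.
yum -y -q install autoconf automake bind-utils gcc libtool make nmap-netcat ntp \
  pam pam-devel unzip wget

mkdir -p -- "$src_root"
cd -- "$src_root"
# TODO(review): pin the clone to a reviewed tag or commit (<PINNED_REF>) instead
# of building whatever HEAD is today; an unpinned clone of a module that sits in
# the authentication path is a supply-chain exposure.
if [[ ! -d google-authenticator-libpam ]]; then
  git clone "$repo_url"
fi
cd google-authenticator-libpam
./bootstrap.sh
./configure --prefix=/usr
make -j2
make install
ls -lah /usr/lib/security

# --prefix=/usr installs into /usr/lib/security, while 64-bit PAM loads from
# /usr/lib64/security; expose the module there (-f keeps reruns idempotent).
cd /usr/lib64/security/
ln -sf /usr/lib/security/pam_google_authenticator.so pam_google_authenticator.so
ln -sf /usr/lib/security/pam_google_authenticator.la pam_google_authenticator.la
ls -lah /usr/lib64/security/pam_google_authenticator.*

# Back up both files before editing so a failed validation can roll back.
cp -- "$pam_sshd" "$pam_sshd.bak"
cp -- "$sshd_config" "$sshd_config.bak"

# Both inserts go at line 2 (directly under the "#%PAM-1.0" header), so after the
# second insert the stack reads:
#   2: auth [success=1 default=ignore] pam_access.so ...   -> on "+" match, skip line 3
#   3: auth required pam_google_authenticator.so nullok    -> TOTP prompt
# The trailing "- : ALL : ALL" ACL entry makes pam_access fail for everyone not
# matched by a "+" line; default=ignore turns that failure into "fall through",
# so those users reach the TOTP prompt.
# NOTE(review): nullok lets any account that has no ~/.google_authenticator log
# in with no second factor at all; remove it once every user is enrolled.
sed -i "2iauth required pam_google_authenticator.so nullok" "$pam_sshd"

# sshd only runs the PAM "auth" stack for keyboard-interactive logins, which
# needs ChallengeResponseAuthentication.  NOTE(review): a public-key login does
# not pass through PAM auth modules at all unless AuthenticationMethods also
# requires keyboard-interactive -- confirm that matches the intended policy.
sed -i 's|^ChallengeResponseAuthentication .*|ChallengeResponseAuthentication yes|' "$sshd_config"

# Sources matching a "+" line bypass the TOTP prompt entirely; the file is
# rewritten (not appended) so reruns do not accumulate duplicate rules.
cat > "$acl_file" <<'EOF'
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
EOF
sed -i "2iauth [success=1 default=ignore] pam_access.so accessfile=$acl_file" "$pam_sshd"

# Validate sshd_config before restarting; on failure restore both backups
# rather than leaving a daemon that cannot come back up.
if ! /usr/sbin/sshd -t; then
  cp -- "$pam_sshd.bak" "$pam_sshd"
  cp -- "$sshd_config.bak" "$sshd_config"
  printf 'sshd -t failed; restored %s and %s\n' "$pam_sshd" "$sshd_config" >&2
  exit 1
fi
service sshd restart

# Enrol the invoking user (the state file lands in $HOME).  --force overwrites
# an existing ~/.google_authenticator, i.e. re-keys that account.
# --window-size=17 accepts roughly +/-4 minutes of clock skew -- a wide
# tolerance; tighten it once clock sync (NTP section below) is confirmed.
google-authenticator --time-based --disallow-reuse --window-size=17 --rate-limit=3 --rate-time=30 --force

readonly auth_file="$HOME/.google_authenticator"
secretkey=$(head -n1 -- "$auth_file")
backupcodes=$(tail -n5 -- "$auth_file")
# Showing the secret and scratch codes once is the point of this step, but they
# then sit in terminal scrollback / session recordings -- clear the screen after
# recording them.
printf '\nYour new secret key is: %s\n' "$secretkey"
printf 'Your emergency scratch codes are:\n%s\n' "$backupcodes"
####### end of install #######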
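# Sanity-check the NTP pool hosts listed in /etc/ntp.conf (TOTP only works
# with a synced clock).  On a stock CentOS ntp.conf the server list below comes
# out as:
#   3.centos.pool.ntp.org
#   2.centos.pool.ntp.org
#   1.centos.pool.ntp.org
#   0.centos.pool.ntp.org
#
# The earlier probe, `echo | nc -u -w1 host 53 ; echo $?`, sent one UDP
# datagram to the DNS port; NTP listens on UDP/123, and the exit status of a
# UDP nc does not reliably say whether anything answered.  `ntpdate -q` is
# the real reachability test, so its exit status now drives ok/error.
if [[ -f /etc/ntp.conf ]]; then
  if ! grep -q 'logfile' /etc/ntp.conf; then
    echo "logfile /var/log/ntpd.log" >> /etc/ntp.conf
    # ntpd creates the file on its next start, so it may not exist yet.
    ls -lah /var/log/ntpd.log 2>/dev/null || true
  fi
  echo "current ntp servers"
  # sort -r preserves the original 3..0 listing order.
  mapfile -t ntp_servers < <(awk '/server / {print $2}' /etc/ntp.conf | grep ntp.org | sort -r)
  for s in "${ntp_servers[@]}"; do
    printf '\n%s test connectivity: ' "$s"
    if report=$(ntpdate -q "$s" 2>&1); then
      echo " ok"
    else
      echo " error"
    fi
    # Last line of ntpdate's report (offset, or "no server suitable ...").
    tail -n1 <<<"$report"
    # -F: hostnames contain dots, which the original unquoted grep treated as
    # regex metacharacters.
    if [[ -f /etc/ntp/step-tickers ]] && ! grep -qF -- "$s" /etc/ntp/step-tickers; then
      echo "$s" >> /etc/ntp/step-tickers
    fi
  done
  if [[ -f /etc/ntp/step-tickers ]]; then
    printf '\nsetup /etc/ntp/step-tickers server list\n\n'
    cat /etc/ntp/step-tickers
  fi
  service ntpd restart >/dev/null 2>&1
fi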