@glennschler
Last active January 22, 2022 22:18
google-authenticator 2fa for os x
1. Assuming the Xcode CLI tools are already installed. If not, install them:

   ```sh
   xcode-select --install
   ```

2. Assuming Homebrew. If not, install it:

   ```sh
   ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
   ```

3. Install autoconf (plus automake and libtool) if not already present:

   ```sh
   brew install autoconf automake libtool
   ```

4. Download the Google 2-factor PAM module source:

   ```sh
   # prepare an empty dir, e.g. "src"
   mkdir ./src
   cd ./src

   git clone https://github.com/google/google-authenticator-libpam.git
   cd google-authenticator-libpam
   ```

5. Build and set up:

   ```sh
   ./bootstrap.sh
   ./configure
   make
   sudo make install

   # /usr/lib/pam is protected by System Integrity Protection:
   # google "How to Disable System Integrity Protection", then:
   sudo cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib/pam
   sudo chmod 0444 /usr/lib/pam/pam_google_authenticator.so

   # to have a QR code created from the secret returned by google-authenticator.
   # Not really sure if this is needed.
   brew install qrencode
   ```

6. Run the authenticator setup without needing to answer the setup questions, and create qr.png:

   ```sh
   # -f    overwrite the "~/.google_authenticator" file, answering the (y/n) prompt with y
   # -d    disallow reuse of the same code within its time step (quiet output would be -q)
   # -t    time-based (TOTP)
   # -w 3  window size of 3 codes = 90 seconds (17 ~= 240 seconds of clock skew)
   # -r 1  N = rate limit: limit logins to N per every M seconds
   # -R 30 M = rate time: limit logins to N per every M seconds
   ./google-authenticator -t -d -r 1 -R 30 -f -w 3

   # the first line of ~/.google_authenticator is the base32 secret; wrap it in an
   # otpauth:// URI (label user@host) so the mobile app can import it from the PNG
   qrencode -s 10 -o qr.png "otpauth://totp/$USER@$(hostname)?secret=$(head -n 1 ~/.google_authenticator)"
   ```
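As an added example (not code from the gist or from google-authenticator-libpam), the following Python models what the `-w` and `-r`/`-R` options mean at login time: it parses the file the setup writes, computes RFC 6238 codes, accepts a code anywhere inside the 3-code window, and refuses more than N attempts within M seconds. The file contents and the secret (the RFC 6238 test key) are constructed, and the handling of the `" ` option lines assumes the module's file layout.

```python
import base64, hashlib, hmac, struct

# Constructed sample of ~/.google_authenticator as written by
# "google-authenticator -t -d -r 1 -R 30 -w 3". The secret is the RFC 6238
# test key ("12345678901234567890" in base32), not a real one.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 1 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
"""

def parse_config(text):
    """First line is the base32 secret; option lines start with a double quote."""
    lines = text.strip().splitlines()
    cfg = {"secret": lines[0].strip(), "window": 3, "rate": None}
    for line in lines[1:]:
        parts = line.split()
        if parts[:2] == ['"', "WINDOW_SIZE"]:
            cfg["window"] = int(parts[2])
        elif parts[:2] == ['"', "RATE_LIMIT"]:
            cfg["rate"] = (int(parts[2]), int(parts[3]))  # N logins per M seconds
    return cfg

def totp(secret_b32, t, step=30, digits=6):
    """RFC 6238 code for Unix time t (HMAC-SHA1, 30 s steps, as the PAM module uses)."""
    counter = struct.pack(">Q", int(t) // step)
    digest = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def verify(cfg, code, t):
    """-w 3 means the current step plus one step either side (90 s) is accepted."""
    half = cfg["window"] // 2
    return any(hmac.compare_digest(totp(cfg["secret"], t + k * 30), code)
               for k in range(-half, half + 1))

class RateLimiter:
    """-r N -R M: more than N attempts within M seconds are refused; every attempt counts."""
    def __init__(self, n, m):
        self.n, self.m, self.attempts = n, m, []

    def allow(self, now):
        # record this attempt, drop those older than M seconds, then compare with N
        self.attempts = [a for a in self.attempts + [now] if now - a < self.m]
        return len(self.attempts) <= self.n
```

Because failed attempts are counted too, continual retries keep the lock in place until there is a gap of more than M seconds.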
7. Now scan the qr.png with the Google Authenticator mobile client (or the Authy.com client).

8. Delete the qr.png (it contains the secret):

   ```sh
   rm qr.png
   ```

9. Next, configure the SSH server:

   ```sh
   sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
   sudo cp /etc/sshd_config /etc/sshd_config.bak

   sudo vi /etc/pam.d/sshd
   # uncomment or add this line:
   auth       required       pam_google_authenticator.so

   sudo vi /etc/sshd_config
   # uncomment or add this line, to set it to yes:
   ChallengeResponseAuthentication yes

   # keep an existing ssh session open until a fresh login with a code succeeds,
   # so a typo in either file cannot lock you out
   ```

10. Restart the ssh daemon (the SSH listener):

    ```sh
    sudo launchctl stop com.openssh.sshd

    # verify
    sudo launchctl list | grep sshd
    ```