Opened 7 years ago

Closed 4 years ago

Last modified 3 years ago

#9138 closed enhancement (fixed)

Request Google-authenticator PAM module for OpenWRT

Reported by: cydergoth@…
Owned by: tripolar
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords:
Cc:

Description

Request Google-authenticator PAM module for OpenWRT which would allow use of the Google Android app as a 2 factor authenticator for SSH/other auth on an OpenWRT enabled gateway.

Attachments (5)

google-authenticator_qrencode.patch (5.1 KB) - added by DkSoul 5 years ago.
Patch to add both Google Authenticator and QR Encode
sshd_pam.patch (12.0 KB) - added by DkSoul 5 years ago.
Enhanced/Hacked versions of openssh-server and libpam to use with Google Authenticator
sshd_config.patch (1.2 KB) - added by DkSoul 5 years ago.
Patch to modify openssh-server configuration to enable Google Authentication
openssh-pam.patch (10.3 KB) - added by DkSoul 5 years ago.
OpenSSH with PAM
libpam-basefiles.patch (8.8 KB) - added by DkSoul 5 years ago.
libpam base files (common to/used by most services)

Change History (25)

comment:1 Changed 6 years ago by anonymous

I think this is a great idea.
Looks like it requires libpam which I think is already available for openwrt.
Even without integrated support, it's probably still possible to set this up manually.

comment:2 Changed 6 years ago by nbd

  • Resolution set to wontfix
  • Status changed from new to closed

comment:3 Changed 5 years ago by zenczykowski@…

Is there any particular reason this was closed wontfix?
Sounds useful to me...

(Ok, I have no idea how to avoid this SpamBayes thing but maybe if I write something here it will not trigger.
Perhaps if I were to post in the opening phrases of some Shakespearean Ballad it would let me in?
Hmm, adding that last sentence appears to have been counterproductive, still hovering at around sixty-five percent...
But that last sentence helped quite a bit. Okay, I'm going to officially call the spam prevention system useless and pointless and a nuisance. You'd be better off either just not accepting comments from not logged in folks, or using some other person-verification schema. This is just super annoying.)

comment:4 Changed 5 years ago by jow

Because we do not add packages based on user requests.
If you can supply a working patch feel free to reopen this ticket.

Changed 5 years ago by DkSoul

Patch to add both Google Authenticator and QR Encode

Changed 5 years ago by DkSoul

Enhanced/Hacked versions of openssh-server and libpam to use with Google Authenticator

Changed 5 years ago by DkSoul

Patch to modify openssh-server configuration to enable Google Authentication

comment:5 Changed 5 years ago by anonymous

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Added the necessary patches to add Google Authenticator to openssh-server

comment:6 Changed 5 years ago by DkSoul

Tested with a Buffalo WZR-HP-G300NH (ar71xx) running OpenWrt 10.03.1.


Compiled packages:

openssh-server_5.8p2-2_ar71xx.ipk http://bit.ly/PQhNoD
libpam_1.1.3-1_ar71xx.ipk http://bit.ly/PJbMrU
libqrencode_3.3.1-1_ar71xx.ipk http://bit.ly/Qf2APK
libpam-google-authenticator_1.0-1_ar71xx.ipk http://bit.ly/No2Qfe

comment:7 Changed 5 years ago by tripolar

if you'd like to get this added, add a new package called sshd-google - then i will add the patch for openssh. Enabling google authentication and pam by default is no good idea. - you would have to do the same to get this accepted for pam ...

comment:8 Changed 5 years ago by tripolar

openssh-server-google would be a better name

comment:9 Changed 5 years ago by tripolar

  • Owner changed from developers to tripolar
  • Status changed from reopened to assigned

Changed 5 years ago by DkSoul

OpenSSH with PAM

Changed 5 years ago by DkSoul

libpam base files (common to/used by most services)

comment:10 Changed 5 years ago by DkSoul

Added patch for openssh-server-pam (I believe this is a better name since it can be used with any PAM module, not only Google Authenticator) and libpam-basefiles that contain the basic configuration files used by PAM.

comment:11 Changed 5 years ago by tripolar

the patch for openssh looks good but please don't add it as a new package. Just add the openssh-server-pam package to the Makefile of openssh. And please update your checkout as openwrt is already using 6.1p1.

comment:12 Changed 5 years ago by DkSoul

The openssh-server-pam requires changes to the configure flags and a new patch to enable pthreads. I don't know how to merge this into the old package while keeping the already existing settings untouched.

comment:13 Changed 5 years ago by tripolar

for the configure stuff you can look at the ntpd Makefile.
i don't think that auth-pam.c is compiled when openssh is compiled with "--without-pam" - so this shouldn't be a problem.

comment:14 follow-up: Changed 5 years ago by DkSoul

I'm having a problem when trying to upload the patch file:

OSError: [Errno 13] Permission denied: '/var/www/openwrt/dev.openwrt.org/trac/attachments/ticket/9138/openssh-server-pam.patch'

I made it available here: http://bit.ly/O8bBJz

comment:15 in reply to: ↑ 14 Changed 5 years ago by Richard Gerrits <openwrt@…>

Replying to DkSoul:

> I made it available here: http://bit.ly/O8bBJz

I tried building openssh-server-pam using that patch against r34318, but the resulting package didn't have PAM enabled.

The cause is that the same PKG_BUILD_DIR was used for both variants.

Also, openssh-server-pam was missing the dependency libpthread.

Finally, openssh-moduli requires openssh-server. This would conflict if you need openssh-moduli and openssh-server-pam.
So I added package openssh-moduli-pam with requirement openssh-server-pam.

My patch is available here: http://bit.ly/Sg3Emv

comment:16 Changed 5 years ago by Bean

I don't suppose you intelligent fellows might help to integrate this with the use of a Yubikey? Especially since Google is looking to start using them in the future as well.

comment:17 Changed 4 years ago by anonymous

So why isn't this in the trunk?

comment:18 Changed 4 years ago by tripolar

  • Resolution set to fixed
  • Status changed from assigned to closed

committed in r38489 r38490 r38491 r38491 r38493 r38494, thanks

comment:19 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:20 Changed 3 years ago by anonymous

has this been implemented? Is there any documentation on how to configure Google Authentication with OpenWRT?
thanks
