ThinLinc and One-Time-Password (OTP)
« Updated 2020-05-09 »
This tutorial will go through the steps to enable two-factor authentication, OTP and user password, for logins to your ThinLinc system. ThinLinc uses the underlying Linux authentication mechanism PAM to authenticate a user. This means that this tutorial is general and also works with a Linux system without ThinLinc installed.
ThinLinc requires that an OTP can be used twice due to how ThinLinc client first connects and authenticates to the master server and then reconnects and authenticates to the agent server.
For this tutorial we use Fedora 31 and Google Authenticator OTP PAM module.
1. First you need to install google-authenticator
$ sudo dnf install google-authenticator
2. Configure sshd to allow challenge response authentication. Edit the file /etc/ssh/sshd_config and make sure that ChallengeResponseAuthentication is set to yes. Do not forget to restart sshd service if you change the configuration.
... # Change to no to disable s/key passwords ChallengeResponseAuthentication yes #ChallengeResponseAuthentication no ...
3. You also need to configure PAM to use the new google-authentictor module. Edit the file /etc/pam.d/thinlinc and add the following line auth required pam_google_authenticator.so to the auth step. Be aware that order is important and google authenticator step should be placed after the password step. The option nullok allows login for a user which hasn't enabled OPT yet (nullok is only recommended for testing purposes).
#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth required pam_google_authenticator.so nullok auth include postlogin account required pam_sepermit.so account required pam_nologin.so ...
4. Install Google Authenticator on your mobile device (the app is available for both Android and iOS).
5. To enable OTP for a user, that user needs to run the program google-authenticator on the server.
Do you want authentication tokens to be time-based (y/n) y ... Enter code from app (-1 to skip): <ENTER CODE FROM APP> Code confirmed Your emergency scratch codes are: ... Do you want me to update your "/home/<username>/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) n By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
6. During this process a QR code is shown in the console. Use Google Authenticator application to scan this to import the master key for the user.
7. Done, the server configuration should now be complete.
8. When attempting a login, you should now be prompted for a verification code in addition to username and password. This code is found in the Google Authenticator app on your mobile device.