ThinLinc and One-Time-Password (OTP)
This tutorial will go through the steps to enable two factor authentication, OTP and user password, for logins to your ThinLinc system. ThinLinc uses the underlying Linux authentication mechanism PAM to authenticate a user. This means that this tutorial is general and also works with a Linux system without ThinLinc installed.
ThinLinc requires that an OTP can be used twice due to how ThinLinc client first connects and authenticates to the master server and then reconnects and authenticates to the agent server.
For this tutorial we use Fedora 22 and Google Authenticator OTP PAM module.
1. First you need to install google-authenticator
$ sudo dnf install google-authenticator
2. Configure sshd to allow challenge response authentication. Edit the file /etc/ssh/sshd_config and make sure that ChallengeResponseAuthentication is set to yes. Do not forget to restart sshd service if you change the configuration.
... # Change to no to disable s/key passwords ChallengeResponseAuthentication yes #ChallengeResponseAuthentication no ...
3. You also need to configure PAM to use the new google-authentictor module. Edit the file /etc/pam.d/thinlinc and add the following line auth required pam_google_authenticator.so to the auth step. Be aware that order is important and google authenticator step should be placed after the password step. The option nullok allows login for a user which hasn't enabled OPT yet.
#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth required pam_google_authenticator.so nullok auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare ...
4. Install Google Authenticator on your android device (there are other alternative OTP clients for iOS).
5. To enable OTP for a user, that user needs to run the program google-authenticator on the server.
Do you want authentication tokens to be time-based (y/n) y Do you want me to update your "/home/<username>/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) n By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
6. During this process a QR code is shown in the console. Use Google Authenticator application to scan this to import the master key for the user.