ThinLinc and One-Time-Password (OTP) | ThinLinc by Cendio


This tutorial goes through the steps to enable two-factor authentication (a one-time password in addition to the user's password) for logins to your ThinLinc system. ThinLinc authenticates users through the underlying Linux authentication mechanism, PAM, so the steps are general and work just as well on a Linux system without ThinLinc installed.

ThinLinc requires that the same OTP can be accepted twice, because the ThinLinc client first connects and authenticates to the master server and then reconnects and authenticates again to the agent server. This is why the enrolment in step 5 does not disallow multiple uses of the same token: a module configured to reject reuse would fail the second login.

This tutorial uses Fedora 22 and the Google Authenticator PAM module (pam_google_authenticator).

1. First, install the google-authenticator package:

$ sudo dnf install google-authenticator

2. Configure sshd to allow challenge-response (keyboard-interactive) authentication, which is how the OTP prompt reaches the ThinLinc client over SSH. Edit the file /etc/ssh/sshd_config and make sure that ChallengeResponseAuthentication is set to yes (newer OpenSSH releases name the same setting KbdInteractiveAuthentication). Do not forget to restart the sshd service if you change the configuration.

...
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
...

3. You also need to configure PAM to use the google-authenticator module. Edit the file /etc/pam.d/thinlinc and add the line auth required pam_google_authenticator.so to the auth stack. Order matters: the google-authenticator line must come after the password step (the password-auth substack), so that the OTP is checked in addition to, not instead of, the password. The nullok option lets a user who has not yet enabled OTP log in with the password alone. It is useful during rollout, but remove it once all users are enrolled; until then, any account without a ~/.google_authenticator file is protected by its password only.

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so nullok
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
...

4. Install the Google Authenticator app on your Android device (alternative OTP clients exist for iOS).

5. To enable OTP for a user, that user runs the program google-authenticator on the server, logged in as themselves, since it writes the secret to that user's home directory. Answer the prompts as shown below:

 Do you want authentication tokens to be time-based (y/n) y
 Do you want me to update your
 "/home/<username>/.google_authenticator" file (y/n) y

 Do you want to disallow multiple uses of the same
 authentication token? This restricts you to one login about
 every 30s, but it increases your chances to notice or even
 prevent man-in-the-middle attacks (y/n) n

 By default, tokens are good for 30 seconds and in order to
 compensate for possible time-skew between the client and the
 server, we allow an extra token before and after the current
 time. If you experience problems with poor time
 synchronization, you can increase the window from its default
 size of 1:30min to about 4min. Do you want to do so (y/n) y

 If the computer that you are logging into isn't hardened
 against brute-force login attempts, you can enable
 rate-limiting for the authentication module. By default, this
 limits attackers to no more than 3 login attempts every
 30s. Do you want to enable rate-limiting (y/n) y

6. During this process a QR code is shown in the console. Scan it with the Google Authenticator app to import the user's secret key. The program also prints the secret in plain text together with emergency scratch codes; the scratch codes are the fallback if the phone is lost, so store them somewhere safe and do not leave the terminal output lying around.
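As an added example (not part of this tutorial, ThinLinc or the PAM module), the following Python checks the two configuration changes from steps 2 and 3 against constructed copies of the files: that sshd has challenge-response authentication enabled, that the pam_google_authenticator.so line sits after the password-auth substack, and whether nullok is still present. The directive names and PAM layout are the ones shown above; the sample file contents are constructed here, and the OpenSSH default used when the directive is absent is an assumption noted in the code.

```python
"""Audit the sshd and PAM settings from steps 2 and 3 of the tutorial.

Added example; not ThinLinc's or pam_google_authenticator's code. The
file contents below are constructed to mirror the snippets in the text.
"""
import re

# Constructed sshd_config fragments: the tutorial's setting and the Fedora default.
SSHD_OK = """# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
"""
SSHD_BAD = "ChallengeResponseAuthentication no\n"

# Constructed /etc/pam.d/thinlinc auth stacks: the tutorial's, and a wrong order.
PAM_OK = """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so nullok
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
"""
PAM_BAD = """#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       substack     password-auth
auth       include      postlogin
"""

DIRECTIVE = re.compile(
    r"(?i)(ChallengeResponseAuthentication|KbdInteractiveAuthentication)\s+(\S+)")


def challenge_response_enabled(sshd_config: str) -> bool:
    """True if keyboard-interactive (challenge-response) auth is on.

    Accepts the Fedora 22 name ChallengeResponseAuthentication and the newer
    KbdInteractiveAuthentication. sshd takes the first uncommented
    occurrence; if neither directive is set, OpenSSH defaults to yes
    (assumption based on sshd_config(5))."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = DIRECTIVE.match(line)
        if m:
            return m.group(2).lower() == "yes"
    return True


def audit_pam_auth(pam_text: str) -> list:
    """Findings about the auth stack: module present, ordered after the
    password step, and whether nullok is still set."""
    auth = []
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()                # [type, control, module, *options]
        if fields[0].lstrip("-") == "auth":  # "-auth" means optional-if-missing
            auth.append(fields)
    names = [f[2] for f in auth]
    findings = []
    if "pam_google_authenticator.so" not in names:
        findings.append("missing: pam_google_authenticator.so in auth stack")
        return findings
    ga = names.index("pam_google_authenticator.so")
    pw = names.index("password-auth") if "password-auth" in names else -1
    if pw == -1 or ga < pw:
        findings.append("order: OTP step must come after the password-auth substack")
    if "nullok" in auth[ga][3:]:
        findings.append("nullok: users without ~/.google_authenticator "
                        "log in with password only")
    return findings


if __name__ == "__main__":
    print("sshd ok:", challenge_response_enabled(SSHD_OK))
    print("pam findings:", audit_pam_auth(PAM_OK))
    print("pam (wrong order):", audit_pam_auth(PAM_BAD))
```

Run it against the real files by reading /etc/ssh/sshd_config and /etc/pam.d/thinlinc into the two functions; a clean rollout ends with no findings at all, which means nullok has been removed.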
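To make the enrolment choices in step 5 concrete, here is an added example (not ThinLinc's or pam_google_authenticator's code) implementing a small TOTP verifier with the same three knobs: the acceptance window, disallowing reuse of a token, and rate limiting. It uses the RFC 6238 reference key so the generated codes can be checked against the RFC's test vectors, and it assumes a ~/.google_authenticator layout of the base32 secret on the first line, option lines prefixed with '" ', then scratch codes; the file contents and timestamps are constructed. demo_reuse shows why step 5 answers 'n' to disallowing multiple uses: with reuse allowed, the same code passes the master login and then the agent login, while with DISALLOW_REUSE the second one fails.

```python
"""Minimal TOTP verifier mirroring the google-authenticator enrolment options.

Added example for this tutorial; not ThinLinc's or pam_google_authenticator's
code. The secret, file contents and timestamps are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step: "tokens are good for 30 seconds"

# RFC 6238 reference key, so codes can be checked against the RFC test vectors.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time step: HMAC-SHA1 plus dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_config(text: str) -> dict:
    """Read a ~/.google_authenticator-style file (constructed here).

    Assumed layout: base32 secret on line 1, option lines prefixed with
    '" ', and every remaining line an emergency scratch code."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {"secret": lines[0], "window": 3, "disallow_reuse": False,
           "rate_limit": None, "scratch": []}
    for line in lines[1:]:
        if not line.startswith('" '):
            cfg["scratch"].append(line)
            continue
        parts = line[2:].split()
        if parts[0] == "WINDOW_SIZE":       # total codes accepted, centred on now
            cfg["window"] = int(parts[1])
        elif parts[0] == "DISALLOW_REUSE":  # each time step may succeed once
            cfg["disallow_reuse"] = True
        elif parts[0] == "RATE_LIMIT":      # N attempts per M seconds
            cfg["rate_limit"] = (int(parts[1]), int(parts[2]))
    return cfg


class Verifier:
    """Per-user state: time steps already accepted and recent attempt times."""

    def __init__(self, cfg: dict):
        self.cfg = cfg
        self.used = set()
        self.attempts = []

    def verify(self, code: str, now: int) -> bool:
        if self.cfg["rate_limit"]:
            limit, secs = self.cfg["rate_limit"]
            self.attempts = [t for t in self.attempts if now - t < secs]
            if len(self.attempts) >= limit:
                return False            # too many attempts: do not even check
            self.attempts.append(now)
        centre = now // STEP
        half = self.cfg["window"] // 2  # window 3 -> +/-1 step, 17 -> +/-8
        for counter in range(centre - half, centre + half + 1):
            if self.cfg["disallow_reuse"] and counter in self.used:
                continue
            if hmac.compare_digest(totp(self.cfg["secret"], counter), code):
                if self.cfg["disallow_reuse"]:
                    self.used.add(counter)
                return True
        return False


def demo_reuse() -> tuple:
    """Same code presented twice, as the ThinLinc master/agent login does."""
    thinlinc = parse_config(
        f'{RFC_SECRET}\n" RATE_LIMIT 3 30\n" WINDOW_SIZE 17\n" TOTP_AUTH\n12345678\n')
    strict = parse_config(
        f'{RFC_SECRET}\n" DISALLOW_REUSE\n" WINDOW_SIZE 3\n" TOTP_AUTH\n')
    now = 1234567890                      # constructed timestamp (RFC vector)
    code = totp(RFC_SECRET, now // STEP)  # "005924" per RFC 6238, SHA-1 row
    a, b = Verifier(thinlinc), Verifier(strict)
    return (a.verify(code, now), a.verify(code, now + 2),   # both accepted
            b.verify(code, now), b.verify(code, now + 2))   # second rejected


def demo_rate_limit() -> list:
    """Three bad guesses exhaust RATE_LIMIT 3 30; a good code must wait 30 s."""
    cfg = parse_config(f'{RFC_SECRET}\n" RATE_LIMIT 3 30\n" TOTP_AUTH\n')
    v, now = Verifier(cfg), 1234567890
    code = totp(RFC_SECRET, now // STEP)
    results = [v.verify("000000", now + i) for i in range(3)]
    results.append(v.verify(code, now + 5))    # correct but rate-limited
    results.append(v.verify(code, now + 31))   # limit window cleared, accepted
    return results


if __name__ == "__main__":
    print("reuse (thinlinc x2, strict x2):", demo_reuse())
    print("rate limit:", demo_rate_limit())
```

The wider window chosen in step 5 (17 codes instead of 3) tolerates clock skew but also means a captured code stays valid for several minutes, which is why leaving reuse allowed should be paired with rate limiting as the tutorial does.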