Utilizing Google Authenticator for BIG-IP Shell Access
Most of us have used hardware or software tokens, commercial or free, to prove identity and provide two-factor authentication. Google Authenticator is a natural first choice for mobile 2FA: it is free and runs on smartphones (iOS and Android), BlackBerry and even tablets. Amazon Web Services, Dropbox and LastPass have added support for it, as have Linux/Unix SSH hosts through its PAM module. Since it works on an SSH host, why shouldn't it work on F5 BIG-IP TMOS as well? This article describes the steps to enable Google Authenticator for SSH access to a BIG-IP.
Single box setup
- Download the Google Authenticator RPM package here.
MD5: 689ce0a164ae7fb67727f63a937febcc (check the download against this with md5sum before using it)
- Extract the RPM package with 7zip (or rpm2cpio on a Linux host)
- Upload the extracted lib and usr directories into /root using SFTP or SCP.
- Configure NTP and DNS on the BIG-IP. TOTP codes are derived from the current time, so the BIG-IP clock must stay within a 30-second step or so of the phone's clock; without working NTP every code will be rejected.
- Configure directories and move files from RPM package
- # mkdir -p /shared/ga/{lib/security,usr/bin}
- # mv /root/lib/security/pam_google_authenticator.so /shared/ga/lib/security/pam_google_authenticator.so
- # ln -sf /shared/ga/lib/security/pam_google_authenticator.so /lib/security
- # mv /root/usr/bin/google-authenticator /shared/ga/usr/bin/google-authenticator
- # mount -o remount,rw /usr
- # ln -sf /shared/ga/usr/bin/google-authenticator /usr/local/bin
- # mount -o remount,ro /usr
- Run google-authenticator to generate secret key
- # google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@dimension6%3Fsecret%3DSY6SWGJ2LJQUUBWB
Your new secret key is: SY6SWGJ2LJQUUBWB
Your verification code is 955354
Your emergency scratch codes are:
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
- Let's see what's inside the .google_authenticator file
- # cat .google_authenticator
- The first line of the file is the secret key, and it is the same SY6SWGJ2LJQUUBWB that google-authenticator printed above; the remaining lines record the options chosen at the prompts and the emergency scratch codes.
- # mv /root/.google_authenticator /shared/ga/.google_authenticator
- # ln -sf /shared/ga/.google_authenticator /root
- Modify /etc/pam.d/sshd so that the Google Authenticator module is the first auth entry. Because it is marked required rather than sufficient, a valid code on its own never grants access; the password checks in system-auth still apply. Two caveats: any account without a ~/.google_authenticator file will no longer be able to log in over SSH with a password (the module's nullok option relaxes this), and the PAM auth stack only runs for password/keyboard-interactive logins, so SSH public-key logins get no second factor from this change. sshd must also have UsePAM yes and ChallengeResponseAuthentication yes for the "Verification code:" prompt to appear.
- # head -4 /etc/pam.d/sshd
auth required pam_google_authenticator.so
auth required pam_audit.so --force-early-summary
auth include system-auth
Restart sshd service
# service sshd restart
And copy /etc/pam.d/sshd to /shared/ga/
# cp /etc/pam.d/sshd /shared/ga
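To make the choices at the google-authenticator prompts concrete, here is an added example in Python (not the article's code and not the PAM module's source) that models what pam_google_authenticator.so checks against ~/.google_authenticator: the RFC 6238 TOTP computation, the default one-step skew window, DISALLOW_REUSE, RATE_LIMIT 3 30 and one-shot emergency scratch codes. The file contents, timestamps and the secret (the RFC 4226/6238 test key, not the article's) are constructed for the example; the real module persists its record of used time steps and recent attempts in the file itself, while this model keeps that state in memory.

```python
"""
Model of what pam_google_authenticator.so checks against ~/.google_authenticator:
TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits), the default +/-1 step skew window,
DISALLOW_REUSE, RATE_LIMIT and one-shot emergency scratch codes.
Added illustration only; this is not the PAM module's source.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per TOTP step
DIGITS = 6    # Google Authenticator codes are 6 digits
WINDOW = 1    # accept one step before and after "now" (the default 1:30 min window)

# Constructed sample in the layout google-authenticator writes: line 1 is the base32
# secret, lines starting with '" ' are options, remaining lines are scratch codes.
# The secret is the RFC 4226/6238 test key "12345678901234567890", not the article's.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_ga_file(text):
    """Return (secret, options, scratch_codes) from .google_authenticator text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    options = [ln[2:] for ln in lines[1:] if ln.startswith('" ')]
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    return secret, options, scratch


def hotp(secret_b32, counter):
    """RFC 4226: dynamic truncation of HMAC-SHA1(key, 8-byte big-endian counter)."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % 10 ** DIGITS)


def totp(secret_b32, now):
    """RFC 6238: HOTP over the current 30 s time step."""
    return hotp(secret_b32, int(now) // STEP)


class Verifier:
    """Stateful check with skew window, reuse detection, rate limiting, scratch codes."""

    def __init__(self, file_text):
        self.secret, self.options, self.scratch = parse_ga_file(file_text)
        self.disallow_reuse = "DISALLOW_REUSE" in self.options
        self.rate_limit = None             # (max_attempts, interval_seconds)
        for opt in self.options:
            if opt.startswith("RATE_LIMIT "):
                _, n, secs = opt.split()
                self.rate_limit = (int(n), int(secs))
        self.attempts = []                 # timestamps of recent login attempts
        self.used_steps = set()            # time steps already used (DISALLOW_REUSE)

    def verify(self, code, now):
        # RATE_LIMIT n s: more than n attempts within s seconds fail, valid code or not.
        if self.rate_limit:
            n, secs = self.rate_limit
            self.attempts = [t for t in self.attempts if t > now - secs] + [now]
            if len(self.attempts) > n:
                return False
        # Emergency scratch codes work once; the real module rewrites the file to drop them.
        if code in self.scratch:
            self.scratch.remove(code)
            return True
        current = int(now) // STEP
        for step in range(max(current - WINDOW, 0), current + WINDOW + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                # DISALLOW_REUSE: a code already accepted for this step is rejected,
                # which defeats replay of a sniffed code within the skew window.
                if self.disallow_reuse and step in self.used_steps:
                    return False
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    import time
    secret, _, _ = parse_ga_file(SAMPLE_FILE)
    print("current code for the sample secret:", totp(secret, time.time()))
```

Run stand-alone it prints the current code for the sample secret. Feeding the BIG-IP's own secret to totp() on a host with a synchronised clock and comparing the result with the phone is a quick way to confirm that the box's NTP is good before sshd is restarted with the new PAM stack.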
Booting to another partition and enabling GA
When you boot into another software partition, /shared/ga is still available because /shared persists across partitions, so only the link-and-copy steps need to be redone:
# ln -sf /shared/ga/lib/security/pam_google_authenticator.so /lib/security
# mount -o remount,rw /usr
# ln -sf /shared/ga/usr/bin/google-authenticator /usr/local/bin
# mount -o remount,ro /usr
# ln -sf /shared/ga/.google_authenticator /root
# cp /shared/ga/sshd /etc/pam.d/sshd
# service sshd restart
The important point is that every partition reuses the same secret key (the same /shared/ga/.google_authenticator), so the token already enrolled on the phone keeps working without generating a new secret.
High Availability
For an HA pair, secure copy (SCP) /shared/ga to the peer and redo the steps above there; both units then accept the same token. Keep /shared/ga/.google_authenticator owned by root with mode 0400 after copying, since it holds the secret and the scratch codes and the module refuses a secret file that other users can read.
Google Authenticator adds a second factor to SSH access to the F5 BIG-IP, and with rate limiting enabled it makes SSH password brute-forcing far less effective.
Happy authentication!
Budi Ang
(Note: there are two other articles on DevCentral covering use cases for Google Authenticator, authenticating applications through LTM and through APM.)
- hoolio
This wouldn't be officially supported by F5, but it's a great custom config.