Utilizing Google Authenticator for BIG-IP Shell Access

Most of us have been using hardware or software tokens, either commercial or free, to prove identity and provide two-factor authentication. Google Authenticator is the first choice for mobile 2FA because it's free and it runs on smartphones (iOS & Android), BlackBerry Socialphone and even on tablets. Amazon Web Services, Dropbox and LastPass have begun to support Google Authenticator, and of course it works on Linux/Unix SSH hosts. Since it works on an SSH host, why can't it work on F5 BIG-IP TMOS as well? This article describes the steps to enable Google Authenticator for shell access on BIG-IP.

Single box setup

  1. Download the Google Authenticator RPM package here.
    MD5: 689ce0a164ae7fb67727f63a937febcc
  2. Extract the RPM package using 7zip
  3. Upload the lib & usr directories into /root using SFTP or SCP.
  4. Configure NTP & DNS settings on BIG-IP (TOTP codes depend on the clock being accurate)
  5. Configure directories and move files from the RPM package
    1. # mkdir -p /shared/ga/{lib/security,usr/bin}
    2. # mv /root/lib/security/pam_google_authenticator.so  /shared/ga/lib/security/pam_google_authenticator.so
    3. # ln -sf /shared/ga/lib/security/pam_google_authenticator.so /lib/security
    4. # mv /root/usr/bin/google-authenticator /shared/ga/usr/bin/google-authenticator
    5. # mount -o remount,rw /usr
    6. # ln -sf /shared/ga/usr/bin/google-authenticator /usr/local/bin
    7. # mount -o remount,ro /usr
  6. Run google-authenticator to generate the secret key
    • # google-authenticator

      https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@dimension6%3Fsecret%3DSY6SWGJ2LJQUUBWB
      Your new secret key is: SY6SWGJ2LJQUUBWB
      Your verification code is 955354
      Your emergency scratch codes are:
        80482471
        57702466
        32365828
        71778906
        79701606

      Do you want me to update your "~/.google_authenticator" file (y/n) y

      Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

      By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n

      If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
  7. Let's see what's inside the .google_authenticator file
    • # cat .google_authenticator

      SY6SWGJ2LJQUUBWB
      " RATE_LIMIT 3 30
      " DISALLOW_REUSE
      " TOTP_AUTH
      80482471
      57702466
      32365828
      71778906
      79701606
  8. The secret key in the first line of the file is the same one google-authenticator printed in step 6. Move the file to /shared/ga and link it back into /root
    • # mv /root/.google_authenticator /shared/ga/.google_authenticator
      # ln -sf /shared/ga/.google_authenticator /root
  9. Modify /etc/pam.d/sshd
    • # head -4 /etc/pam.d/sshd

      #%PAM-1.0
      auth       required     pam_google_authenticator.so
      auth       required     pam_audit.so --force-early-summary
      auth       include      system-auth
    • Restart the sshd service
      # service sshd restart
    • And copy /etc/pam.d/sshd to /shared/ga/
      # cp /etc/pam.d/sshd /shared/ga
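As an added example (not part of the original article or of the google-authenticator package), the Python below parses a .google_authenticator file in the format shown in step 7 and computes and verifies codes the way the PAM module does: RFC 6238 TOTP with HMAC-SHA1, 30 s steps and one step of skew either side (the default 1:30 min window from step 6). The sample file contents are constructed from the values on this page; running it lets you compare the code for the BIG-IP clock with what the phone app shows before relying on the new PAM setup.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample in the format google-authenticator writes (see step 7);
# the secret and scratch codes are the ones printed on this page.
SAMPLE_FILE = """SY6SWGJ2LJQUUBWB
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
80482471
57702466
"""

def parse_ga_file(text):
    """Split a .google_authenticator file into (secret, options, scratch codes).
    Lines starting with '"' are options; the remaining lines are scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            name, *args = line[1:].split()
            options[name] = args
        else:
            scratch.append(line)
    return secret, options, scratch

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps), as used by Google Authenticator."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def verify(secret_b32, code, unix_time, window=1, step=30):
    """Accept a code for the current step or `window` steps either side.
    Returns the matching step index (so a caller can refuse a second login with
    the same step, i.e. DISALLOW_REUSE), or None when the code does not match."""
    base = int(unix_time) // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, (base + k) * step, step), code):
            return base + k
    return None

if __name__ == "__main__":
    secret, options, scratch = parse_ga_file(SAMPLE_FILE)
    print("current code for the page's secret:", totp(secret, time.time()))
    print("options:", options, "scratch codes left:", len(scratch))
```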

Booting to another partition and enabling GA

When booting into another partition, /shared/ga will still be available, so just redo the steps with

# ln -sf /shared/ga/lib/security/pam_google_authenticator.so /lib/security
# mount -o remount,rw /usr
# ln -sf /shared/ga/usr/bin/google-authenticator /usr/local/bin
# mount -o remount,ro /usr
# ln -sf /shared/ga/.google_authenticator /root
# cp /shared/ga/sshd /etc/pam.d/sshd
# service sshd restart

The most important thing is to reuse the existing secret key in /shared/ga, so the token already enrolled in the app keeps working after the reboot.

High Availability

For an HA pair, secure copy (SCP) /shared/ga to the peer and redo all the steps above on it.

Conclusion

Google Authenticator will provide more secure SSH access to F5 BIG-IP, and with rate-limiting enabled it will block SSH brute-force attempts.

Happy authentication!

Budi Ang

budi.ang@gmail.com

(Note: there are two other articles on DevCentral covering use cases for Google Authenticator, authenticating applications through LTM and through APM.)

Published Oct 31, 2012
Version 1.0
  • This wouldn't be officially supported by F5, but it's a great custom config.

    Thanks for sharing Budi!

    Aaron