on 30-Oct-2012 22:01
Most of us have been using hardware or software tokens to prove identity and to provide two-factor authentication, either commercial or free. Google Authenticator is the first choice for mobile 2FA because it is free and runs on smartphones (iOS and Android), on BlackBerry Socialphone, and even on tablets. Amazon Web Services, Dropbox and LastPass have begun to support Google Authenticator, and of course Linux/Unix SSH hosts do too. Since it works on SSH hosts, why can't it work on F5 BIG-IP TMOS as well? This article describes the steps to enable Google Authenticator on BIG-IP.
When booting into another partition, /shared/ga will still be available, since /shared persists across boot locations; just redo the linking steps:
# ln -sf /shared/ga/lib/security/pam_google_authenticator.so /lib/security
# mount -o remount,rw /usr
# ln -sf /shared/ga/usr/bin/google-authenticator /usr/local/bin
# mount -o remount,ro /usr
# ln -sf /shared/ga/.google_authenticator /root
# cp /shared/ga/sshd /etc/pam.d/sshd
# service sshd restart
The important point is to reuse the existing secret key file (/shared/ga/.google_authenticator) rather than generating a new one, so the codes produced by the phone keep matching what the BIG-IP expects.
For an HA pair, secure-copy (SCP) /shared/ga to the peer unit and redo all the steps above there.
Google Authenticator will provide secure access to F5 BIG-IP and will block SSH brute-force attacks.
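As an added example (not from the original article, and not F5's or the pam_google_authenticator module's own code), the following Python shows why the secret file must be reused rather than regenerated after a partition switch or when cloning to an HA peer: every code is derived deterministically from the base32 secret and the current 30-second time step, so a regenerated secret would silently invalidate the token already enrolled on the phone. The file layout (secret on the first line, options on lines beginning with `" `, then one-time scratch codes) and the WINDOW_SIZE semantics are my assumptions about the module's format; the sample file is constructed, and its secret is the RFC 4226/6238 test key so the output can be checked against those RFCs. The time is passed in explicitly instead of read from the clock, which keeps the check reproducible.

```python
"""Verify a Google Authenticator TOTP code against a .google_authenticator file.

Added illustration, not code from the article or from the PAM module.
Assumed file layout: line 1 = base32 secret, lines starting with '" ' = options,
remaining all-digit lines = emergency scratch codes.
"""
import base64
import hashlib
import hmac
import struct

# Constructed sample file. The secret is "12345678901234567890" in base32,
# the key used by the RFC 4226 / RFC 6238 test vectors.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_ga_file(text):
    """Split a .google_authenticator file into (secret, options, scratch_codes)."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    secret = lines[0]
    options = {}
    scratch = []
    for line in lines[1:]:
        if line.startswith('" '):
            parts = line[2:].split()
            options[parts[0]] = parts[1:]
        elif line.isdigit():
            scratch.append(line)
    return secret, options, scratch


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HMAC-SHA1 one-time code for a 64-bit big-endian counter."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)  # base32 needs padding to 8
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of whole time steps elapsed."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_code(ga_text, code, unix_time, step=30):
    """Accept a code if it matches a time step inside WINDOW_SIZE, or a scratch code.

    WINDOW_SIZE is read as an odd count of steps centred on the current one
    (assumption: 3 means current step plus one on either side). Scratch codes
    are only checked here; the real module also removes a used one from the file.
    """
    secret, options, scratch = parse_ga_file(ga_text)
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    half = window // 2
    counter = unix_time // step
    for c in range(counter - half, counter + half + 1):
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return code in scratch


if __name__ == "__main__":
    secret, _, _ = parse_ga_file(SAMPLE_FILE)
    print("code at t=59:", totp(secret, 59))          # 287082 per RFC 6238
    print("valid now:", verify_code(SAMPLE_FILE, "287082", 59))
    print("valid 60s later:", verify_code(SAMPLE_FILE, "287082", 119))
```

Because the same secret file yields the same code on the phone and on every unit that holds a copy of /shared/ga, copying that file (with restrictive permissions, as the module requires) is what keeps the HA peer and any other boot partition accepting the token already enrolled.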
Happy authentication!
Budi Ang
(Note: two other articles on DevCentral cover use cases for Google Authenticator: authenticating applications through LTM and through APM.)
Thanks for sharing Budi!
Aaron