
Thursday, 18 September 2014

How to Use Google Authenticator To Provide Two-Factor Authentication For ESXi?

Summary

Google Authenticator is a project that provides two-factor authentication by using both a PAM (Pluggable Authentication Module) module and a mobile application for generating one-time passcodes. In ESXi Google Authenticator, we modified the source code of Google-Authenticator to enable two-step authentication on ESXi (5.0, 5.1).

Features

  • Two-Factor Authentication for ESXi Shell and SSH access
  • Supports login for multiple administrators on ESXi 5.1, and for a single administrator (root) on ESXi 5.0
  • Support for 30-second TOTP codes
  • Support for emergency scratch codes
  • Protection against replay attacks
Disclaimer: This is not officially supported by VMware, use at your own risk


Installing Google Authenticator Custom VIB / Offline Bundle



Prerequisite:
  • Ensure that your ESXi host's clock is in sync with a proper time source (skew should be < 4 minutes), since TOTP codes are only valid for a short window around the current time
  • Keep a separate SSH connection open to your ESXi host so that, if something goes wrong, you can easily revert the changes; otherwise you can potentially lock yourself out
Step 1 - Download the Google Authenticator VIB. Here is the link to download it; I then extracted the file named esx_google-authenticator_1.0.0-0.vib and, using WinSCP, copied it into the /tmp directory of the ESXi host.
 
Step 2 - You will need to change the acceptance level of your ESXi host to Community Supported, as this is required for installing any custom VIB.
 
 
Step 3 - To install Google Authenticator VIB, you will need to run the following ESXCLI command and specify the full path of the VIB:
 
 
Step 4 - You can verify the Google Authenticator was installed successfully by running the following ESXCLI command:
esxcli software vib get -n esx_google-authenticator
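The installation sequence of Steps 2 to 4 as one script, with the pre-flight check the post relies on (the VIB must be given by its full path). This is an added example, not code from the original post or from the ESXi Google Authenticator project; it assumes the VIB was copied to /tmp as in Step 1 and that the ESXCLI `software acceptance` and `software vib` namespaces behave as on ESXi 5.x. Setting `DRY_RUN=1` prints the commands instead of running them, so the sequence can be reviewed on a workstation before it is typed into the ESXi Shell.

```shell
#!/bin/sh
# Added example (not part of the original post): Steps 2-4 as a function.
# Assumed defaults: the VIB path from Step 1 and the VIB name from Step 4.
VIB_PATH=${VIB_PATH:-/tmp/esx_google-authenticator_1.0.0-0.vib}
VIB_NAME=esx_google-authenticator
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# The post says to pass the full path of the VIB, so reject relative paths
# up front; a missing file is the usual reason Step 3 fails, so check that too
# (skipped in dry-run mode, where no host is involved).
check_vib_path() {
    case $1 in
        /*) [ -f "$1" ] || [ "$DRY_RUN" = 1 ] ;;
        *)  return 1 ;;
    esac
}

# install_ga_vib [VIB_PATH]: acceptance level, install, then verify.
install_ga_vib() {
    vib=${1:-$VIB_PATH}
    check_vib_path "$vib" || {
        echo "VIB not found or not an absolute path: $vib" >&2
        return 1
    }
    # Step 2: custom VIBs are unsigned, so the host must accept CommunitySupported
    run esxcli software acceptance set --level=CommunitySupported || return 1
    # Step 3: install from the full path
    run esxcli software vib install -v "$vib" || return 1
    # Step 4: confirm the package is registered on the host
    run esxcli software vib get -n "$VIB_NAME"
}

# Usage on the host:        install_ga_vib
# Preview on a workstation: DRY_RUN=1 install_ga_vib
```

Lowering the acceptance level is host-wide, so it is worth recording in the change log for the host: after this step the host will also accept any other unsigned VIB.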
 
 
 
Configuring Google Authenticator & ESXi Configurations


Step 1 - Download the Google Authenticator app for your mobile phone. Here is the link for Android phones.
Step 2 - Next you will need to configure Google Authenticator for the ESXi host: run the google-authenticator command in the ESXi Shell, which starts the setup.
You should see a URL as well as the secret key, which you will need to enter into your Google Authenticator mobile app. You can either add your ESXi host to the mobile app manually by entering the secret key, OR copy and paste the URL into a web browser, which displays a QR code that the mobile app can scan.
For all the prompted questions, you can use yes for the defaults.
Step 3 - You will need to add the following configuration to your SSHD configuration under /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Step 4 - You will also need to add the following entry to both of the PAM configuration files /etc/pam.d/login and /etc/pam.d/sshd
auth   required   pam_google_authenticator.so
To add the entry into both files on the ESXi Shell, run the following two commands
sed -i -e '3iauth       required     pam_google_authenticator.so\' /etc/pam.d/login
sed -i -e '3iauth       required     pam_google_authenticator.so\' /etc/pam.d/sshd
Note: To ensure the above configuration persists after a reboot, you will need to add the two sed commands to /etc/rc.local.d/local.sh for ESXi 5.1 or /etc/rc.local for ESXi 5.0 hosts, which will automatically re-add the entries upon bootup.
Finally, you will need to restart the SSH daemon for the changes to go into effect by running the following command:
/etc/init.d/SSH restart
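The two sed commands above insert the PAM line at line 3 unconditionally, so running them twice in one session (or from a boot hook on a file that already has the line) stacks duplicate entries, and `3i` silently does nothing on a file shorter than three lines. The helpers below, an added example rather than code from the post or the project, make the Step 3 and Step 4 edits idempotent. The file paths are parameters, defaulting to the ESXi paths named in the post, so the functions can be tried on copies first.

```shell
#!/bin/sh
# Added example (not part of the original post): idempotent versions of the
# sshd_config and PAM edits from Steps 3 and 4. Paths default to the ones
# the post names; pass another path to test on a copy.

PAM_LINE='auth       required     pam_google_authenticator.so'

# enable_challenge_response [SSHD_CONFIG]
# Ensure "ChallengeResponseAuthentication yes" is present. An existing
# directive (commented out or set to no) is rewritten in place rather than
# shadowed, because sshd applies the first matching directive it reads.
enable_challenge_response() {
    f=${1:-/etc/ssh/sshd_config}
    if grep -q '^ChallengeResponseAuthentication yes$' "$f"; then
        return 0
    fi
    if grep -q '^#\{0,1\}ChallengeResponseAuthentication' "$f"; then
        sed -i -e 's/^#\{0,1\}ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' "$f"
    else
        printf '%s\n' 'ChallengeResponseAuthentication yes' >> "$f"
    fi
}

# add_pam_entry [PAM_FILE]
# Insert the pam_google_authenticator line as line 3, mirroring the post's
# "3i" sed, but only if the module is not already referenced, so re-running
# the script or the boot hook never adds a second copy. Files shorter than
# three lines get the entry appended instead of silently skipped.
add_pam_entry() {
    f=${1:-/etc/pam.d/sshd}
    if grep -q 'pam_google_authenticator.so' "$f"; then
        return 0
    fi
    if [ "$(wc -l < "$f")" -ge 3 ]; then
        sed -i -e "3i$PAM_LINE" "$f"
    else
        printf '%s\n' "$PAM_LINE" >> "$f"
    fi
}

# pam_entry_count [PAM_FILE]: number of pam_google_authenticator lines,
# which should be exactly 1 after the edit.
pam_entry_count() {
    grep -c 'pam_google_authenticator.so' "${1:-/etc/pam.d/sshd}"
}

# Usage on the host (then restart sshd as in the post):
#   enable_challenge_response
#   add_pam_entry /etc/pam.d/login
#   add_pam_entry /etc/pam.d/sshd
```

Because the entry is marked `required`, PAM still runs the later password check even when the verification code is wrong, so a failed code and a failed password look the same to the client; this is the behaviour the post describes in Step 5 (code prompt first, then the root password).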
Step 5 - To validate that everything was configured correctly, open a new SSH session to your ESXi host. Instead of the usual password prompt, you should now see a verification code prompt. Open your Google Authenticator mobile app, enter the code displayed for your ESXi host, and then enter the root password.

This is a pretty nifty and free solution to provide two-factor authentication for your ESXi hosts. 
