-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Google Authenticator PAM
This module installs google authenticator as a package for the libpam. This allows you to use google authenticator to generates TOTP (Time-based One-Time Password) when signing into services on your Synology, with services such as ssh.
Installing this package alone would have no effects, as it will require users to manually utilised the installed .so file in their authentication service.
See other guides, e.g., this, for a more in-depth guide on how to configure google authenticator on a server.
The following setups are for scenarios such that ssh into the server with a password requires TOTP, and ssh with public-key auth will not. This is suitable for me as I always use public-key to access my server. However, occasionally I also want to access my NAS on someone else's machine with a password. With google authenticator, any attempt on logging in with a password will also prompt TOTP.
Use your prefer editor to edit your /etc/ssh/sshd_config file (require sudo)
$ sudo vim /etc/ssh/sshd_config# the following is for ssh-ing with password
PasswordAuthentication yes
PermitEmptyPasswords no
# the following is needed for using challenge-response authentication
ChallengeResponseAuthentication yes
# the follow probably had already been set
UsePAM yes
# for good measure, never permits root login
PermitRootLogin no$ sudo vim /etc/pam.d/sshd ...
auth requisite pam_syno_ipblocklist.so
+ auth required /var/packages/google-authenticator-libpam/target/lib/security/pam_google_authenticator.so nullok
auth [success=3 default=ignore] pam_unix.so
auth [success=2 default=ignore] pam_winbind.so use_first_pass
auth [success=1 default=ignore] pam_ldap.so
auth [default=die] pam_syno_log_fail.so [SSH]
auth [default=done] pam_syno_log_success.so [SSH] log=no
account [success=3 default=ignore] pam_unix.so
...Use the packaged binary to generates the config for google_authenticator
$ sc-google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/soraxas@hostname%3Fsecret%XXXXXXXXXXXXXXXX
...$ cat ~/.google_authenticator
XXXXXXXXXXXXXXXXXXX
" RATE_LIMIT X XX XXXXXXXXX XXXXXXXXX
" WINDOW_SIZE XX
" DISALLOW_REUSE XXXXXXX
" TOTP_AUTH
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXXMake sure that the file is less permissive than 600, e.g.
sudo chmod 600 ~/.google_authenticatorNote: on some NAS it might already contains their own version of google-authenticator at system path, which is likely how Synology implements their own customised version of their 2FA solution. However, it was found to generates invalid base64 encoded secrets (which is not usable on common 2FA android app). See #4852 for details. Therefore, the version that this package provides is symlinked as sc-google-authenticator instead to avoid name conflict.
The result is any ssh to the server without public key auth will require you to also provide a verification code from your app
$ ssh synology
(foo@synology) Verification code:
(foo@synology) Password:
foo@synology ~ $ - Home
-
Packages
- Adminer
- Aria2
- Beets
- BicBucStriim
- Borgmatic
- cloudflared
- Comskip
- Debian Chroot
- Deluge
- Duplicity
- dnscrypt-proxy
- FFmpeg
- FFsync
- Flexget
- Gstreamer
- Google Authenticator
- Home Assistant Core
- Jellyfin
- Kiwix
- [matrix] Synapse homeserver
- MinIO
- Mono
- Mosh
- Mosquitto
- Node-Exporter
- Radarr/Sonarr/Lidarr/Jackett
- SaltStack
- SickBeard Custom
- SynoCLI-Disk
- SynoCLI-Devel
- SynoCLI-File
- SynoCLI-Kernel
- SynoCLI-Misc.
- SynoCLI-Monitor
- SynoCLI-NET
- Synogear
- Concepts
- Development
- Resources