Configure Google Authenticator on CentOS 7 – Part 1

Intro

As part of the rebuild on my Plex Media Server using CentOS 7, I had intended to configure Google Authenticator but hadn’t gotten around to doing it yet.  As I got into the process recently I discovered that many of the steps that I had used when configuring my CentOS 6 Digital Ocean droplet were out of date to the point of uselessness.

I also discovered that most of the guides I found either relied on the older 1.0 code release, which was also outdated, or used an unknown RPM repo.  As such I decided to write up the process that I followed to use the code downloaded from the official GitHub repository.

NOTE: If you are doing this in an enterprise setting, it is likely that your company has particular settings and restrictions that you may need to adhere to (e.g., not running things as the root user). Also, please note that all of my examples use the CentOS defaults unless specifically noted.

Install the pre-requisites

As I started with a minimal CentOS 7 install (since I have no need for a GUI or the other extras), many of the packages I needed were not part of the baseline install set.  Here is the list of additional packages that I installed (note that this will pull in quite a few more items to satisfy numerous dependencies):

  • autoconf
  • automake
  • bind-utils
  • gcc
  • libtool
  • make
  • nmap-netcat
  • ntp
  • pam-devel
  • unzip
  • wget
[root@server ~]# yum -y install autoconf automake bind-utils gcc libtool make nmap-netcat ntp pam-devel unzip wget

Configure and test NTP

An essential part of the 2FA system is an accurate clock.  This is because at its heart the Google Authenticator system is a Time-based One-time Password (TOTP) algorithm.  If there is too much skew between the clock on the server and the clock on the client, your codes will fail intermittently.

Test NTP pool DNS resolution

First you need to make sure that the name used by the NTP configuration file for the server will resolve to an IP address.

CentOS 7 uses the following as the NTP server pool set:

  • 0.centos.pool.ntp.org
  • 1.centos.pool.ntp.org
  • 2.centos.pool.ntp.org
  • 3.centos.pool.ntp.org
[root@server ~]# nslookup 0.centos.pool.ntp.org
Server: 75.75.75.75
Address: 75.75.75.75#53

Non-authoritative answer:
Name: 0.centos.pool.ntp.org
Address: 104.236.155.134

Name: 0.centos.pool.ntp.org
Address: 66.228.42.59

Name: 0.centos.pool.ntp.org
Address: 104.156.99.226

Name: 0.centos.pool.ntp.org
Address: 74.117.214.3

Test Network connectivity

Next up, you should test that you actually have baseline connectivity to the NTP endpoint.  In general this should just work, like the DNS resolution did; however, if your server is running behind an IPS or a network firewall, it is possible that you will need to explicitly allow outbound NTP connections over port 53/UDP.

Please note that in the following code snippet, a result of zero (0) indicates a successful connection, whereas a result of one (1) indicates a failure to connect to the endpoint.

[root@server ~]# echo | nc -u -w1 0.centos.pool.ntp.org 53 >/dev/null 2>&1 ;echo $?
0

Test basic NTP functionality

Now that you have tested your DNS resolution and baseline connectivity to the NTP endpoint (and resolved any issues you found), you need to perform an actual application-layer test.

[root@server ~]# ntpdate -q 0.centos.pool.ntp.org
server 208.75.88.4, stratum 2, offset -0.006191, delay 0.10498
server 184.105.182.7, stratum 2, offset -0.001065, delay 0.11761
server 52.0.56.137, stratum 3, offset -0.005018, delay 0.06509
server 142.54.181.202, stratum 2, offset -0.000588, delay 0.09003
28 Aug 17:07:05 ntpdate[16085]: adjust time server 142.54.181.202 offset -0.000588 sec
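As an added example (not part of the original post), the following Python makes the clock-skew point above concrete and ties it to the ntpdate output just shown: it implements RFC 6238 TOTP as Google Authenticator uses it (HMAC-SHA1, 6 digits, 30 s step), simulates a client whose clock is off by a chosen number of seconds, and parses the `server ... offset ...` lines of `ntpdate -q` to see whether the measured offset is inside the acceptance window. The key is the RFC 6238 test-vector key, the timestamp is a constructed fixed value, and the one-step-either-side window is an assumption (the real PAM module's window is set when you configure it).

```python
import hashlib
import hmac
import re
import struct

STEP = 30     # TOTP time step in seconds (RFC 6238 default, used by Google Authenticator)
DIGITS = 6
WINDOW = 1    # assumption: accept the current step plus one step either side (3 codes)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 + dynamic truncation) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = WINDOW) -> bool:
    """Server-side check: does the code match any step within +/-window of the server clock?"""
    return any(hmac.compare_digest(totp(secret, server_time + i * STEP), code)
               for i in range(-window, window + 1))

def skew_is_tolerated(secret: bytes, client_skew: int, server_time: int) -> bool:
    """Simulate a client whose clock is client_skew seconds off the server's clock."""
    client_code = totp(secret, server_time + client_skew)
    return verify(secret, client_code, server_time)

# Skew guaranteed to be accepted wherever the server sits inside its step (strict bound).
MAX_SAFE_SKEW = WINDOW * STEP

NTPDATE_LINE = re.compile(r"^server \S+, stratum \d+, offset (-?\d+\.\d+), delay ")

def worst_offset(ntpdate_output: str) -> float:
    """Largest absolute clock offset (seconds) among the 'server ...' lines of `ntpdate -q`."""
    offsets = [abs(float(m.group(1)))
               for line in ntpdate_output.splitlines()
               if (m := NTPDATE_LINE.match(line.strip()))]
    if not offsets:
        raise ValueError("no 'server ...' lines found in ntpdate output")
    return max(offsets)

def clock_ok_for_totp(ntpdate_output: str) -> bool:
    """True when the measured NTP offset is inside the guaranteed TOTP acceptance window."""
    return worst_offset(ntpdate_output) < MAX_SAFE_SKEW

# Sample input: the four server lines from the `ntpdate -q` run shown on this page.
SAMPLE_NTPDATE = """server 208.75.88.4, stratum 2, offset -0.006191, delay 0.10498
server 184.105.182.7, stratum 2, offset -0.001065, delay 0.11761
server 52.0.56.137, stratum 3, offset -0.005018, delay 0.06509
server 142.54.181.202, stratum 2, offset -0.000588, delay 0.09003"""
```

Calling `skew_is_tolerated(b"12345678901234567890", 90, 1472418425)` returns False while a 20 s skew returns True, which is exactly the intermittent failure the text warns about; `clock_ok_for_totp(SAMPLE_NTPDATE)` shows the millisecond offsets above are nowhere near the limit.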

Configure NTP daemon for startup

If the test completes cleanly, the next step is to configure the NTP daemon to start at system boot and then to start the service.

[root@server ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
[root@server ~]# systemctl start ntpd
[root@server ~]# systemctl status ntpd
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2016-08-28 17:08:33 EDT; 2h 34min ago
Process: 16150 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 16151 (ntpd)
CGroup: /system.slice/ntpd.service
└─16151 /usr/sbin/ntpd -u ntp:ntp -g

Aug 28 17:08:33 server ntpd[16151]: Listen normally on 2 lo 127.0.0.1 UDP 123
Aug 28 17:08:33 server ntpd[16151]: Listen normally on 3 ens192 192.168.1.120 UDP 123
Aug 28 17:08:33 server ntpd[16151]: Listen normally on 4 ens192 fe80::20c:29ff:fe7e:af2f UDP 123
Aug 28 17:08:33 server ntpd[16151]: Listen normally on 5 lo ::1 UDP 123
Aug 28 17:08:33 server ntpd[16151]: Listen normally on 6 ens192 2601:901:8001:a070:20c:29ff:fe7e:af2f UDP 123
Aug 28 17:08:33 server ntpd[16151]: Listening on routing socket on fd #23 for interface updates
Aug 28 17:08:33 server systemd[1]: Started Network Time Service.
Aug 28 17:08:33 server ntpd[16151]: 0.0.0.0 c016 06 restart
Aug 28 17:08:33 server ntpd[16151]: 0.0.0.0 c012 02 freq_set kernel -115.767 PPM
Aug 28 17:08:34 server ntpd[16151]: 0.0.0.0 c615 05 clock_sync
