I am trying to get Google Authenticator to be configured with my ssh, Luci, and OpenVPN. Is this possible? I have researched the following forums and websites and it looks like it has been discussed before.
I tried checking the OpenWrt wiki and documentation section for any new information on this task but couldn't find anything. Would it be safe to try and work with this old build on a test router? Any tips or advice would be greatly appreciated.
The same problems apply here: you need urgent device access most whenever the 'internet is down', and while your router doesn't have the slightest idea what time it is (rebooted, no RTC, no battery-backed RTC).
There have been very significant changes in OpenWrt's run-time architecture since Chaos Calmer. It could be straightforward, it could be a challenge. Looking at the old Makefiles and current ones would be the first step.
(Though I concur that requiring Internet connectivity to access a device that is critical to you to have Internet connectivity is asking for trouble.)
I've been researching this topic a bit myself lately, as I too would like to get Google Authenticator working (but only for OpenVPN, not for SSH or Luci, which are only accessible locally). From my reading it should only be the additional GA libpam module that is needed; I _think_ OpenVPN should not need to be rebuilt to support libpam in general. I've built lots of software from source on Linux, but I've never cross compiled anything. Over the next while I'm going to try and follow the docs to create a build environment in a VM and do some experimentation. I'm sure I will have questions, so I'll be back LOL.
I've created a Debian 9 VM, and I've successfully built a toolchain for my device, as well as an image I will never use. Now I'm trying to cross compile google-authenticator-libpam, but configure fails looking for the PAM header files. The header files do exist in
pam_appl.h _pam_compat.h pam_ext.h _pam_macros.h pam_modules.h pam_modutil.h _pam_types.h
but configure obviously does not find them there. Do I need to move these somewhere else? Create symlinks? Pass it to the ./configure script?
I am a complete newbie at this cross-compiling thing, so be kind.
The best strategy is usually to package it up for OpenWrt properly - and then to just build it as part of the normal image build. Cross-compiling has lots of quirks and OpenWrt's buildroot takes care of a lot of things automatically you'd usually have to handle manually.
Thanks slh. That's good advice. I'm a network guy, and while basic building from source on Linux is pretty familiar, I'm out of my depth here. I foolishly figured if I had a cross compiler it would be easy to just build one application for my own use.
Actually, making a package looks even more intimidating, but any time I've spent is still a good learning experience regardless. I've a lot more insight into what creating this system entails now. Props to the people doing it.
I'm still picking away at this when I have some spare time. I copied the header and pam library files into the staging directory where configure could find them, and built it with them statically linked so I would hopefully not have to worry about them later. It seems to have cross compiled OK with no errors:
blair@Debian1:~/google-authenticator-libpam$ file google-authenticator
google-authenticator: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, not stripped
But alas, it does not run when I move it to the OpenWRT router, giving an error:
./google-authenticator: line 1: syntax error: unexpected ")"
For all the amazing things OpenWRT can do, the lack of support for 2FA does not seem like it should be an insurmountable thing to fix. I'm now looking at trying to create a package system makefile instead. Will post my results in that attempt eventually.
I have implemented this for OpenSSH as follows (as an example):
Save the makefile in a package folder of your choosing (see the "Hello World" example on OpenWRT.org) and add this to the feeds.conf.default file:
"./scripts/feeds update -a"
"./scripts/feeds install openssh-server-pam"
"make menuconfig" and select the packages "openssh-server-pam" in Network - SSH and "libpam-google-authenticator" in Utilities. Make sure to select the M option and not *.
Save the config and run "make -j$(( $(nproc) * 3 / 2 ))" (1.5 jobs per core; `$(nproc * 1.5)` is not valid shell arithmetic).
Move the packages from src/bin/packages to the OpenWrt router and install / force install.
You will need to do all the additional configs for Openssh though, like moving Dropbear to another port and change some of the config for Openssh.
Works fine on my OpenWrt 18.06.2 on a BT HomeHub 5A (target: mips_24k).
I hope this helps for the Google Authenticator bit. I have not tested this for OpenVPN.
Thank you redorbluepill and lucize!!! I'll see if I can get this working now with OpenVPN and report back in a bit.
Obviously having the correct time is critical to use these token based auth systems. I'm only interested in using them for remote access as a more flexible "something you have" than certs. In theory if there is internet to allow remote access there should be NTP as well. I would obviously not recommend using this internally when internet/NTP may not be available. Using an internal NTP server with an RTC could be a work around for that though. GA lets you choose a token code range that allows for several minutes of drift should that be necessary.