From the mind of a G33k
Here are the steps to a successful deployment of CentOS 7 with AD & Google Authenticator.
I use vim...It's my favorite editor but it is not required. You can replace vim with nano or any text editor for that matter :)
- Install the required packages for pam to utilize AD servers
a. yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
b. Edit your /etc/resolve.conf to route all DNS traffic to your Domain DNS server (ex. if your AD server is 192.168.1.1 and your domain is test.lan you should set "nameserver 192.168.1.1" and "search test.lan")
- Join your linux box to the domain (ex. if your Active Directory user is "aduser" and your domain is "test.lan")
a. realm join --user=aduser test.lan
- Change your SSSD configuration to support domain names instead of fully qualified domain names
a. vim /etc/sssd/sssd.conf
b. change "use_fully_qualified_names = True" to "use_fully_qualified_names = False"
c. change "fallback_homedir = /home/%u@%d" to "fallback_homedir = /home/%u"
- Restart SSSD
a. systemctl restart sssd
b. systemctl daemon-reload
- Check that you're able to access an AD account from your domain (This will display the UID, GUID, and Groups)
a. id aduser
Enable Google Authenticator
- Enable the EPEL repo
a. yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Note: You'll be required to accept the GPG key in order to add this repository
- Install Google Authenticator
a. yum install google-authenticator
- Edit PAM to enable google authenticator
a. vim /etc/pam.d/sshd
b. Add "auth required pam_google_authenticator.so nullok" to the end of the file and save
- Enable Google Authenticator for SSH
a. vim /etc/ssh/sshd_config
b. comment out "ChallengeResponseAuthentication no" by changing it to "#ChallengeResponseAuthentication no"
c. uncomment "#ChallengeResponseAuthentication yes" by changing it to "ChallengeResponseAuthentication yes"
d. Restart ssh with "systemctl restart sshd"
- Run google-authenticator for the users you want to use it
a. Login to any user and type "google-authenticator" and follow the prompts.
b. You'll be presented with a barcode and backup keys which you'll scan into your Google Authenticator app on your mobile device.
Note: Make sure you save these backup keys!