IT notes

openvpn 2fa

Setup OpenVPN + 2fa

The way it works is that OpenVPN, besides only allowing guests with a valid certificate, will prompt users for a username and password, where the username is a system user and the password is the OTP generated by Google Authenticator.

First you need to install google-authenticator:

    pkg install pam_google_authenticator

Next, create the file /etc/pam.d/openvpn with these contents:

    auth required /usr/local/lib/pam_google_authenticator.so

The openvpn configuration should look like this:

two factor authentication with ssh

Two-Factor-Authentication “2FA” with SSH

Install google authenticator and libqrencode:

    pkg install pam_google_authenticator
    pkg install libqrencode

Edit /etc/pam.d/sshd and add the following line to the auth section:

    # auth
    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    #auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ssh.so no_warn try_first_pass
    #auth required pam_unix.so no_warn try_first_pass
    auth required /usr/local/lib/pam_google_authenticator.so

Add this to /etc/ssh/sshd_config:

    ChallengeResponseAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive

This setup will do a “publickey + verification code”, without password; in case you require a password, edit the /etc/pam.
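A check for the three sshd_config directives above, as an added example that is not part of the original note: it parses the global section of a config and reports settings that would let a login complete without the verification code. The function names and both sample configs are constructed for illustration, and the parser assumes plain whitespace-separated "keyword value" lines.

```python
# Added example: audit sshd_config text for the 2FA directives in this note.
# Sample configs below are constructed for illustration, not from a real host.

# ChallengeResponseAuthentication is the older alias of this keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
REQUIRED = {"publickey", "keyboard-interactive"}

def parse_global(text):
    """Return {keyword: value} for the global section (before any Match block)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        # sshd keeps the first value it sees for a keyword
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit_2fa(text):
    """Return findings; an empty list means the sshd side matches the note."""
    cfg, findings = parse_global(text), []
    if cfg.get("usepam") != "yes":
        findings.append("UsePAM is not yes: the PAM OTP module is never consulted")
    if cfg.get("kbdinteractiveauthentication") != "yes":
        findings.append("keyboard-interactive is not explicitly enabled")
    method_lists = cfg.get("authenticationmethods", "").split()
    if not method_lists:
        findings.append("AuthenticationMethods unset: one method alone is accepted")
    for entry in method_lists:  # each space-separated list is an alternative
        methods = {m.split(":")[0] for m in entry.split(",")}
        if not REQUIRED <= methods:
            findings.append(f"'{entry}' lets a login complete without both factors")
    return findings

SAMPLE_GOOD = """ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""
SAMPLE_BAD = """UsePAM no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive publickey
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_2fa(sample) or "ok")
```

The second sample shows the mistake worth looking for: a trailing `publickey` list in AuthenticationMethods is an alternative, so a key alone would be accepted.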