6 comments

[ 3.0 ms ] story [ 37.0 ms ] thread
I've been doing this for a while using the Google Authenticator PAM plugin[1]. I use the same module to add two factor authentication to both SSH and OpenVPN connections.

[1] http://code.google.com/p/google-authenticator/

Can you share some "how to" pointers - may be a blog post describing how to do this?
Real quick and dirty. But you should be able to get it to work from these notes. Be warned, I don't go into how to set-up OpenVPN. You can find documentation for OpenVPN at http://openvpn.net/index.php/open-source/documentation/howto...

You'll need to install Google Authenticator on your phone to complete the set-up.

Here are my notes: https://invaliddomain.com/openvpn-google-auth-howto.txt (please excuse the lack of a real SSL cert).

Once enabled, your password becomes <password><OTP> .. e.g. Pa55w0rd!987654

Hope that helps.

Or, if you want to do the same thing without trusting the security of your VPN to a third party, and you're willing to do a little more fiddling with configuration files, you can just use libpam-google-authenticator: http://www.howtoforge.com/securing-openvpn-with-a-one-time-p...
You are only trusting the half of the security which is better IMHO. The evil person would need to hack/steal both you and the (likely more careful) third party in order to access your accounts. In your scenario it would only need to hack you to get everything.
Better yet, use passwords plus client side certificates. It prevents these scenarios without requiring you to trust a third party with your two-factor authentication tokens.