Two-factor authentication is all around us now, and Google has provided one of those soft authenticators, the likes of which Battle.net use for their gaming platform. The only difference is, you can integrate Google’s implementation anywhere you like (at least on *nix platforms). You’ll find plenty of documentation on how to achieve this to implement 2-factor auth on SSH or such services, but I wanted to centralize this and use FreeRADIUS so that more services can use it, namely web services.

The hardest part was actually the PAM syntax; here’s how I achieved it:

  • aptitude install g++ make autoconf libtool libpam0g-dev
  • git clone https://github.com/google/google-authenticator && cd google-authenticator && ./bootstrap.sh && ./configure && make install
  • Set up FreeRADIUS for PAM auth; this is fairly easy, and Google is your friend 😉
  • /etc/pam.d/radiusd:

    # Google Auth + LDAP
    auth required /usr/local/lib/security/pam_google_authenticator.so user=0 secret=/radius/${USER}/google_auth forward_pass
    auth required pam_ldap.so use_first_pass

And that’s it; FreeRADIUS is now tied in to PAM, which in turn uses Google Auth + your LDAP server :-)
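
With forward_pass in the PAM line above, the user types the LDAP password immediately followed by the verification code in the single RADIUS password field; the Google Authenticator module strips the code and passes the rest on to pam_ldap through use_first_pass. The Python sketch below is an added example, not code from this post or from the google-authenticator project: it models that split together with an RFC 6238 check, and the 6-digit code length, the one-step clock tolerance, the function names and the sample secret are all assumptions.

```python
import base64, hashlib, hmac, struct, time

DIGITS = 6   # code length assumed in this sketch
STEP = 30    # seconds per time step (RFC 6238 default)

def totp(secret_b32, at, digits=DIGITS, step=STEP):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_forward_pass(combined, digits=DIGITS):
    """Split 'password' + 'code' as typed into the single password field."""
    # This sketch rejects input with no password part or a non-numeric tail.
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]

def check_and_forward(combined, secret_b32, at=None, skew_steps=1):
    """Return the password to hand to the next module, or None on failure.

    skew_steps=1 (an assumption of this sketch) also accepts the previous
    and next time step to tolerate clock drift.
    """
    parts = split_forward_pass(combined)
    if parts is None:
        return None
    password, code = parts
    at = time.time() if at is None else at
    for drift in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, at + drift * STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return password
    return None

if __name__ == "__main__":
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key
    now = time.time()
    typed = "ldap-password" + totp(SECRET, now)  # what the user submits
    print("forwarded to pam_ldap:", check_and_forward(typed, SECRET, now))
```

Any RADIUS client pointed at this setup therefore has to send the password and the current code concatenated, and a failure of either half rejects the whole login.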