Redmine - One-Time Password Authentication (OTP) - Tutorial
If you are an active Redmine user, the contents of your installation are probably confidential, and you have probably thought about hardening the application.
This article describes how to configure Redmine authentication with one-time passwords (OTP) using the Google Authenticator mobile application.
It covers the installation and configuration of Google Authenticator and of the redmine_pam_auth plugin for Redmine 2.2 on CentOS 6.
Installing Google Authenticator
First, add the Southbridge repository:
rpm -Uhv http://rpms.southbridge.ru/southbridge-rhel6-stable.rpm
Or install the rpm directly, without adding the repository:
rpm -Uhv http://rpms.southbridge.ru/rhel6/stable/x86_64/google-authenticator-1.0-0.gita096a62.el6.x86_64.rpm
Install pam-mysql
You can do without it, but then you would have to add the "redmine" user to the "shadow" group or run Redmine as root, which in light of the recent Rails exploits seems like a bad idea.
yum install pam-mysql
Create a PAM config for authentication via Google Authenticator
File /etc/pam.d/rpam (fill in the empty user=, passwd=, host= and db= values of pam_mysql with your Redmine database credentials):
#%PAM-1.0
account required pam_mysql.so user= passwd= host= db= table=users usercolumn=login passwdcolumn=login crypt=0
auth required pam_google_authenticator.so user=redmine secret=/opt/redmine/tmp/google-authenticator/${USER}
auth required pam_env.so
session required pam_unix.so
Install the PAM authentication plugin for Redmine
Clone the plugin from GitHub:
cd /opt/redmine
git clone git://github.com/cardil/redmine-pam-auth.git plugins/redmine_pam_auth
Install pam-devel, which is required to compile the rpam-ruby19 gem:
yum install pam-devel
Install the gems that redmine-pam-auth needs (adjust the --without list: your configuration may use rmagick, postgresql or something else). If you are not using bundler yet, I highly recommend it; it is much more convenient than installing gems system-wide by hand.
cd /opt/redmine
bundle install --without development test sqlite postgresql rmagick --path vendor/bundle
Run the plugin migrations:
bundle exec rake redmine:plugins:migrate RAILS_ENV="production"
Generating user keys for Google Authenticator
Create a directory for storing the Google Authenticator keys:
mkdir /opt/redmine/tmp/google-authenticator
Generate the keys (a detailed description of the command-line options is available via the "--help" parameter; choose the authentication parameters at your discretion).
The "--label=username@example.net" parameter is a label that identifies your account in the Google Authenticator mobile application. The "--secret=/opt/redmine/tmp/google-authenticator/username" parameter is the key store, where username is the user's login in Redmine.
google-authenticator --time-based --disallow-reuse --qr-mode=UTF8 --force --no-rate-limit --window-size=17 --label=username@example.net --secret=/opt/redmine/tmp/google-authenticator/username
Fix the ownership and permissions:
chown -R redmine:redmine /opt/redmine/tmp/google-authenticator
chmod 0600 /opt/redmine/tmp/google-authenticator/username
Install the free Google Authenticator app
The Google Authenticator mobile app is available for iPhone, Android, and BlackBerry.
Read more about the installation on the Google help page.
During key generation, google-authenticator prints a link like https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/username@example.net%3Fsecret%3DDOYZKVDCN7GUGJH3 - open it in a browser and scan the displayed QR code with the Google Authenticator mobile application.
Configure Redmine
In the Redmine user profile, set the authentication mode to "Pam".
Done!
Now, to log in, you just enter the username, open Google Authenticator on your phone and type the displayed digits into the password field.
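What pam_google_authenticator checks against the secret file at login, as an added illustration (my own Python, not code from the page or from the google-authenticator project): it parses the secret file written by the command above, derives the RFC 6238 TOTP code for each 30-second slot within the configured WINDOW_SIZE, and refuses a slot that has already been accepted, which is the DISALLOW_REUSE behaviour and the reason the file must be writable by the redmine user. The base32 key in the sample file is constructed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret file: first line is the base32 key, `" ` lines are options.
SAMPLE_SECRET_FILE = """DOYZKVDCN7GUGJH3
" TOTP_AUTH
" DISALLOW_REUSE
" WINDOW_SIZE 17
"""

def parse_secret_file(text):
    """Return (raw key bytes, {option: [args]}) from a google-authenticator secret file."""
    lines = text.splitlines()
    key = base64.b32decode(lines[0].strip())
    opts = {}
    for line in lines[1:]:
        if line.startswith('" '):
            name, *args = line[2:].split()
            opts[name] = args
    return key, opts

def totp(key, counter, digits=6):
    """RFC 4226/6238 code: HMAC-SHA1 over the 30 s counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return value % (10 ** digits)

def verify(key, code, now, window_size=17, used=None):
    """Accept `code` if it matches a 30 s slot inside the window around `now`.
    window_size counts slots (17 -> current slot +/- 8, about 4 minutes of skew);
    `used` records accepted slots so a replayed code is rejected (DISALLOW_REUSE)."""
    current = int(now) // 30
    half = window_size // 2
    for slot in range(current - half, current + half + 1):
        if totp(key, slot) == code:
            if used is not None:
                if slot in used:
                    return False
                used.add(slot)
            return True
    return False

if __name__ == "__main__":
    key, opts = parse_secret_file(SAMPLE_SECRET_FILE)
    print("current code for the sample key: %06d" % totp(key, int(time.time()) // 30))
```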
In a forthcoming article I will describe Wiki encryption, which helps prevent data leakage from the Wiki even if the server hosting Redmine is compromised and the database is dumped. If you are interested, welcome to our Habr blog.