Redmine - One Time Password Authentication (OTP)

  • Tutorial
Google authenticator
If you actively use Redmine, its contents are probably confidential, and you have probably thought about strengthening the application's security.

This article describes how to configure one-time password (OTP) authentication in Redmine using the Google Authenticator mobile application.

It covers the installation and configuration of Google Authenticator and of the redmine_pam_auth plugin for Redmine 2.2 on CentOS 6.

Installing Google Authenticator

To do this, add the Southbridge repository:
rpm -Uhv

Or install the rpm directly, without adding the repository:
rpm -Uhv

Install pam-mysql

You can do without it, but then you have to add the "redmine" user to the "shadow" group or run Redmine as root, which in light of the recent exploits in Rails seems like a bad idea.

yum install pam-mysql

Create a PAM config for authentication via Google Authenticator

File /etc/pam.d/rpam:

account    required user= passwd= host= db= table=users usercolumn=login passwdcolumn=login crypt=0
auth       required user=redmine secret=/opt/redmine/tmp/google-authenticator/${USER}
auth       required
session    required

Install the PAM authentication plugin for Redmine

Clone the plugin from GitHub:
cd /opt/redmine
git clone git:// plugins/redmine_pam_auth

Install pam-devel, which is required to compile the rpam-ruby19 gem:
yum install pam-devel

Install the gems that redmine-pam-auth needs (note the --without exclusions: your configuration may use rmagick, postgresql or something else). If you are not using bundler yet, I highly recommend it; it is much more convenient than installing gems on the system manually.
cd /opt/redmine
bundle install --without development test sqlite postgresql rmagick --path vendor/bundle

Run the plugin migrations:
bundle exec rake redmine:plugins:migrate RAILS_ENV="production"

Generating user keys for Google Authenticator

Create a directory for storing the Google Authenticator keys:
mkdir /opt/redmine/tmp/google-authenticator

Generate the keys (a detailed description of the command-line options is available via the "--help" parameter; choose the authentication parameters at your discretion).
The parameter "" is a label that helps identify the account in the Google Authenticator mobile application. The parameter "--secret=/opt/redmine/tmp/google-authenticator/username" is the key store, where username is the user's login in Redmine.
google-authenticator --time-based --disallow-reuse --qr-mode=UTF8 --force --no-rate-limit --window-size=17 --secret=/opt/redmine/tmp/google-authenticator/username

Set the permissions:
chown -R redmine:redmine /opt/redmine/tmp/google-authenticator
chmod 0600 /opt/redmine/tmp/google-authenticator/username
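To make clear what --window-size and --disallow-reuse change at verification time, here is an added Python example (not from the article, the plugin or the pam_google_authenticator project) that parses a constructed copy of the key file the command writes, computes RFC 6238 codes and checks them with the same window rule the module applies. The key file layout and the window arithmetic are my reading of the module's behaviour and are assumptions; the secret is the RFC 6238 test key, not a real one.

```python
import base64, hashlib, hmac, struct

# Constructed sample of the key file that google-authenticator writes to
# --secret=...: line 1 is the base32 secret (here the RFC 6238 test key),
# lines starting with '" ' record the options chosen on the command line.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
"""

def parse_secret_file(text):
    """Return (secret_bytes, window_size, disallow_reuse) from the file body."""
    lines = text.splitlines()
    secret = base64.b32decode(lines[0].strip())
    window, disallow_reuse = 3, False          # module defaults (assumed)
    for line in lines[1:]:
        fields = line.split()
        if fields[:2] == ['"', "WINDOW_SIZE"]:
            window = int(fields[2])
        elif fields[:2] == ['"', "DISALLOW_REUSE"]:
            disallow_reuse = True
    return secret, window, disallow_reuse

def totp(secret, step, digits=6):
    """RFC 6238 code for one 30-second step: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Checks a submitted code the way pam_google_authenticator does (simplified:
    the real module persists the used timestamps back into the secret file)."""
    def __init__(self, secret, window=3, disallow_reuse=True):
        self.secret, self.window, self.disallow_reuse = secret, window, disallow_reuse
        self.used = set()

    def verify(self, code, now):
        step = now // 30
        # window_size W accepts steps from -(W-1)//2 to +W//2 around the current
        # one, so 17 tolerates about 4 minutes of clock drift either way.
        for i in range(-((self.window - 1) // 2), self.window // 2 + 1):
            if hmac.compare_digest(totp(self.secret, step + i), code.strip()):
                if self.disallow_reuse and step + i in self.used:
                    return False                 # replayed code is rejected
                self.used.add(step + i)
                return True
        return False
```

With --window-size=17 a code is accepted for roughly four minutes on either side of the current step, which is why --disallow-reuse matters: without it a code seen by an attacker stays usable for the whole window.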

Install the free Google Authenticator app

The Google Authenticator mobile app is available for iPhone, Android, and BlackBerry.

Read more about installation on the Google help page.

During key generation, google-authenticator prints a link like |0&cht=qr&chl=otpauth://totp/ ; open it in a browser and scan the displayed QR code with the Google Authenticator mobile application.

Configure Redmine

In the Redmine user profile, set the authentication mode to "Pam".

Now, when logging in, you only need to enter the username, open Google Authenticator on your phone and type the displayed digits into the password field.

In one of the following articles I will write about Wiki encryption; this will help to avoid data leakage from the Wiki if the server hosting Redmine is hacked after all and the database is downloaded. If you are interested, welcome to our Habr blog.
