Redmine - One Time Password Authentication (OTP)

If you are an active user of Redmine, whose contents are probably confidential, you have probably thought about hardening the application's login.

This article describes how to configure authentication in Redmine with one-time passwords (OTP) using the Google Authenticator mobile application.

It covers the installation and configuration of Google Authenticator and of the redmine_pam_auth plugin for Redmine 2.2 on CentOS 6.

Installing Google Authenticator


To do this, add the Southbridge repository:
rpm -Uhv http://rpms.southbridge.ru/southbridge-rhel6-stable.rpm


Or install the RPM directly, without adding the repository:
rpm -Uhv http://rpms.southbridge.ru/rhel6/stable/x86_64/google-authenticator-1.0-0.gita096a62.el6.x86_64.rpm


Install pam-mysql


You can do without it, but then you would have to add the "redmine" user to the "shadow" group or run Redmine as root, which in light of the recent Rails exploits seems like a bad idea.

yum install pam-mysql


Create a PAM config for authentication via Google Authenticator


File /etc/pam.d/rpam (fill in the empty pam_mysql parameters with your database credentials):

#%PAM-1.0
account	 required   pam_mysql.so user= passwd= host= db= table=users usercolumn=login passwdcolumn=login crypt=0
auth       required   pam_google_authenticator.so user=redmine secret=/opt/redmine/tmp/google-authenticator/${USER}
auth       required   pam_env.so
session    required   pam_unix.so


Install the PAM authentication plugin for Redmine


Clone the plugin from GitHub:
cd /opt/redmine
git clone git://github.com/cardil/redmine-pam-auth.git plugins/redmine_pam_auth


Install pam-devel, which is required to compile the rpam-ruby19 gem:
yum install pam-devel


Install the gems that redmine-pam-auth needs (note the --without exclusions: your configuration may use rmagick, postgresql or something else, so adjust the list). If you are not using bundler yet, I highly recommend it; it is much more convenient than installing gems into the system by hand.
cd /opt/redmine
bundle install --without development test sqlite postgresql rmagick --path vendor/bundle


Run the plugin migrations:
bundle exec rake redmine:plugins:migrate RAILS_ENV="production"


Generating user keys for Google Authenticator


Create a directory for storing the Google Authenticator keys:
mkdir /opt/redmine/tmp/google-authenticator


Generate the keys (a detailed description of the command-line options is shown by the "--help" parameter; choose the authentication parameters at your discretion).
The "--label=username@example.net" parameter is a label that will help you identify the account in the Google Authenticator mobile application. The "--secret=/opt/redmine/tmp/google-authenticator/username" parameter is the key file, where username is the user's login in Redmine.
google-authenticator --time-based --disallow-reuse --qr-mode=UTF8 --force --no-rate-limit --window-size=17 --label=username@example.net --secret=/opt/redmine/tmp/google-authenticator/username


Set the ownership and permissions so that only the redmine user can read the key file:
chown -R redmine:redmine /opt/redmine/tmp/google-authenticator
chmod 0600 /opt/redmine/tmp/google-authenticator/username


Install the free Google Authenticator app


The Google Authenticator mobile app is available for iPhone, Android, and BlackBerry.

Read more about the installation on the Google help page.

During key generation, google-authenticator prints a link like https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/username@example.net%3Fsecret%3DDOYZKVDCN7GUGJH3 - open it in a browser and scan the displayed QR code with the Google Authenticator mobile application.

Configure Redmine

In the Redmine user profile, set the authentication mode to "Pam".

Done!


Now, when logging in, you only need to enter the username, open Google Authenticator on your mobile phone and type the displayed digits into the password field.

In one of the following articles I will write about Wiki encryption; it helps to avoid data leakage from the Wiki if the server hosting Redmine is compromised after all and the database is dumped. If you are interested, welcome to our Habr blog.
