In my previous article I demonstrated how to use Google Authenticator to provide two-factor authentication for ESXi using the custom VIB that I had built. In this article, I will show you how to compile Google Authenticator to run on ESXi, as well as an additional customization that can be made to the source code to support multiple users.
Disclaimer: This is not officially supported by VMware, use at your own risk
Prerequisites:
- Download and install a 32-bit Linux distribution. In my lab, I used the latest CentOS 6.2
- Install pam-devel package (CentOS) or libpam0g-dev package (Ubuntu). You can reference this blog here for more details on installation
- Ensure you have both gcc and make installed
Step 1 - Download the Google Authenticator source code by running the following command:
wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Step 2 - Extract the source code by running the following command and change into the libpam-google-authenticator-1.0 directory:
tar -jxf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
Step 3 - Edit pam_google_authenticator.c and, towards the top of the file, comment out the following three lines so that they look like this:
//#include <sys/fsuid.h>
//#define HAS_SETFSUID
//#endif
Step 4 - By default the SECRET file is stored in /.google-authenticator. To change the path, edit the SECRET macro in both google-authenticator.c and pam_google_authenticator.c so that it looks like the following:
#define SECRET "/etc/vmware/.google_authenticator"
Google Authenticator supports multiple users by default, and you can provide the same support on ESXi by using the $USER OS environment variable within the SECRET file location. This allows each user to generate and store their own SECRET file. To do so, set the path to /etc/vmware/$USER/.google-authenticator; the username is then filled in automatically when Google Authenticator is configured for each user.
Note: If you are going to create a custom VIB and would like to support multiple users, you will need to know the usernames in advance so you can create the dummy .google-authenticator file for each user. This is required so the files will automatically persist after setting up Google Authenticator.
Step 5 - Save the changes and then type "make", which compiles the source code and produces the google-authenticator binary and the PAM module pam_google_authenticator.so in the same directory.
Step 6 - If you decided to create your own custom VIB, ensure you include an empty secret file so that when you configure Google Authenticator the changes are saved. If you do not wish to lower the acceptance level of your ESXi host for the custom VIB, an alternative trick is to store the google-authenticator binary, the PAM module and the secret file in a local datastore and copy them over at boot using either /etc/rc.local.d/local.sh for ESXi 5.1 or /etc/rc.local for ESXi 5.0. Here is a sample of what that should look like:
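An added example of such a boot-time script (not the author's own sample): it copies the binary, the PAM module and one secret file per user from the datastore, using the $USER layout from Step 4. The datastore path, the destination directories, the secrets/<user>/ layout and the secret file name are assumptions; set them to match the SECRET macro you compiled in.

```shell
#!/bin/sh
# Added example, not the author's own local.sh: at boot, copy the Google
# Authenticator binary, PAM module and per-user secret files from a datastore
# into the (non-persistent) ESXi filesystem. Every path below and the secret
# file name are assumptions; match them to the SECRET macro you compiled in.
GA_SRC="${GA_SRC:-/vmfs/volumes/datastore1/google-authenticator}"
GA_BIN_DIR="${GA_BIN_DIR:-/bin}"
GA_PAM_DIR="${GA_PAM_DIR:-/lib/security}"
GA_SECRET_DIR="${GA_SECRET_DIR:-/etc/vmware}"
GA_SECRET_NAME="${GA_SECRET_NAME:-.google-authenticator}"

# copy_file SRC DST MODE: copy one file into place and pin its permissions.
copy_file() {
  src="$1"; dst="$2"; mode="$3"
  [ -f "$src" ] || { echo "local.sh: missing $src" >&2; return 1; }
  mkdir -p "$(dirname "$dst")" || return 1
  cp "$src" "$dst" && chmod "$mode" "$dst"
}

# restore_secrets: the datastore keeps one directory per user,
# GA_SRC/secrets/<user>/<GA_SECRET_NAME>. The PAM module rejects a secret
# file unless it is owned by that user and unreadable by anyone else, so each
# copy is chowned and set to 0600. The datastore copy is the source of truth:
# after (re)running google-authenticator, copy the new secret back there.
# Prints the number of secret files restored.
restore_secrets() {
  n=0
  for d in "$GA_SRC"/secrets/*/; do
    [ -f "$d$GA_SECRET_NAME" ] || continue
    user=$(basename "$d")
    dst="$GA_SECRET_DIR/$user/$GA_SECRET_NAME"
    copy_file "$d$GA_SECRET_NAME" "$dst" 600 || return 1
    if id "$user" >/dev/null 2>&1; then
      chown "$user" "$dst" 2>/dev/null || echo "local.sh: cannot chown $dst" >&2
    fi
    n=$((n + 1))
  done
  echo "$n"
}

# install_google_authenticator: binary, PAM module, then the secret files.
install_google_authenticator() {
  copy_file "$GA_SRC/google-authenticator" "$GA_BIN_DIR/google-authenticator" 755 || return 1
  copy_file "$GA_SRC/pam_google_authenticator.so" "$GA_PAM_DIR/pam_google_authenticator.so" 644 || return 1
  restore_secrets >/dev/null
}

# Only run at boot when the datastore directory is actually mounted.
if [ -d "$GA_SRC" ]; then
  install_google_authenticator
fi
```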
morpholo says
Hi, sorry for gravedigging a 2-year old post, but it seems that the code snippets in Step 3 and 4 are gone. I know they probably don't apply to the current libpam-googleauthenticator sources anymore, but it would be good to know what macros should be "neutered" to get the module working on ESXi.
Thanks,
M.
William Lam says
It's fixed. Sorry about that, this happened during my blog migration a couple of years back and I couldn't catch every code snippet that needed to be converted