Last year, I came across an interesting open source project called Google Authenticator, which provides two-factor authentication by using both a PAM (Pluggable Authentication Module) module and a mobile application for generating one-time passcodes. This project sparked my curiosity and I wanted to see if I could get Google Authenticator to run on ESXi to provide additional security by requiring two-factor authentication when attempting to login to the ESXi Shell. After several attempts, I failed to get Google Authenticator working on ESXi and eventually gave up. I reported the behavior I saw in my environment in the Issues section of the project which did not yield any responses and I thought that was the end of that experiment.
Almost eight months later, I received a surprising email from two VMware engineers who were also interested in the Google Authenticator project and were able to figure out how to get Google Authenticator to work on ESXi. In sharing their findings, it turns out that the solution was actually quite simple and it just required commenting out three lines of C Macros in the Google Authenticator source code (tweak is documented in this blog post here). I was able to confirm the engineers findings in my home lab and was also able to build a custom Google Authenticator VIB for ESXi to help with the setup.
Disclaimer: This is not officially supported by VMware, use at your own risk
Installing Google Authenticator Custom VIB / Offline Bundle
Prerequisite:
- Ensure that your ESXi host's clock is in sync with a proper time source (skew should be < 4minutes)
- Keep a separate SSH connection open to your ESXi host, in case something goes wrong you can easily revert the changes else you can potentially lock yourself out
Step 1 - Download either the Google Authenticator VIB vghetto-google-auth.vib or offline bundle vghetto-google-auth.zip and upload it to the datastore of your ESXi host
Step 2 - You will need to change the acceptance level of your ESXi host to Community Supported as this is a requirement for any custom VIBs created. Run the following ESXCLI command:
esxcli software acceptance set --level CommunitySupported
Step 3 - To install Google Authenticator VIB, you will need to run the following ESXCLI command and specify the full datastore path of the VIB:
esxcli software vib install -v /vmfs/volumes/mini-local-datastore-1/vghetto-google-auth.vib -f
To install the Google Authenticator offline bundle, you will run the same command but instead of using the -v argument, you will specify the -d
Step 4 - You can verify the Google Authenticator was installed successfully by running the following ESXCLI command:
esxcli software vib get -n vGhetto-goog-auth
Configuring Google Authenticator & ESXi Configurations
Step 1 - Download the Google Authenticator app for your mobile phone. In this example, I am using the iPhone's Google Authenticator mobile app.
Step 2 - Next you will need to configure Google Authenticator for the ESXi host, run the google-authenticator command in the ESXi Shell which will start the setup.
You should see a URL as well as the secret key which you will need to enter into your Google Authenticator mobile app. You can either manually add your ESXi host into the mobile app by entering the secret key OR copy and paste the URL into a web browser which provides a QRC code that the mobile app can just read.
For all the prompted questions, you can use yes for the defaults.
Step 3 - You will need to add the following configuration to your SSHD configuration under /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Step 4 - You will also need to add the following entry to the following PAM configuration files /etc/pam.d/login and /etc/pam.d/sshd
auth required pam_google_authenticator.so
To add the entry into both files on the ESXi Shell, run the following two commands:
sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/login
sed -i -e '3iauth required pam_google_authenticator.so\' /etc/pam.d/sshd
Note: To ensure the above configuration persists after a reboot, you will need to add the two sed commands to /etc/rc.local.d/local.sh for ESXi 5.1 or /etc/rc.local for ESXi 5.0 hosts which will automatically add the entries upon bootup.
Finally, you will need to restart the SSH daemon for the changes to go into effect by running the following command:
/etc/init.d/SSH restart
Step 5 - To validate that everything was configured correctly, open a new SSH session to your ESXi host. Instead of seeing the usual password prompt, you should now see a verification code prompt. Open up your Google Authenticator mobile app and enter the code that is displayed for your ESXi host and then enter the root password.
If everything was correct, you should now be authorized and logged into your ESXi host
Though the configuration could be a bit more automated including adding each ESXi host to your mobile application, this is a pretty nifty and free solution to provide two-factor authentication for your ESXi hosts. I am curious to see if others are interested in such functionality within ESXi or if this would be useful? Feel free to leave a comment.
Big thanks to VMware engineers who helped me get this solution to work!
Pinballas says
Hi William
Great post. On this could you please share if the following is possible or coming down the line.
Existing "OpenOTP" installation using Google Auth and OpenOTP communication with the AD 2008 Radius.
Got this working 100% with VMware View 5.x
The question is if it's at all possible to integrate OpenOTP + Google Auth gaining access to Virtual Center 5.x, SSO or the vMA appliance
Thanks again for great reading
William Lam says
I've not used OpenOTP, so I can't say if it'll work or not. If you are interested in OpenOTP/GAuth, I would highly recommend you file an FR or contact your local account rep to provide more details.
vcdxorbust.com says
I posted a walkthrough for how to do Google Authenticator with VMware View using freeRADIUS and totpcgi in an active directory environment.
http://vcdxorbust.com/totpcgi-and-freeradius-with-vmware-view/
Scott Webber says
This comment has been removed by the author.
Kattrap says
You are in essence changing a shared account (root) to a single user. If I get hit by a bus, I wouldn't want my coworkers to need to go through some complicated recovery process.
As a consultant that has seen a bit of intentional or not lost passwords through staff changes I would probably tell a client with 2factor'ed esxi servers to just rebuild (at least i hope they have vcenter and shared storage).
My other thought, with all the phone-based 2factor auth, is that when I really need to use it, there will be something preventing me (dead battery/ broken phone/ lost). While I really like the idea of 2factor auth, anything that relies on yet another external gadget will fail.
Other than all that debbie downer stuff, this is a really cool integration. 🙂
Hongkun Xi says
There is emergency scratch codes in your SECRET file, in this case is /etc/vmware/.google-authenticator. These code is for situations like your mobile devices are lost at home, dead battery, etc. like you mentioned. Each emergency code can only be used once.
Kattrap says
Awesome! Thanks for that reply! It still doesn't get away from turning a shared root account into a single user account. Could it work somehow with the AD integration or is that a separate PAM module? I'll admit that I'm not using the AD integration right now, but ssh is also usually shutdown.
William Lam says
The above example was just to show this 2FA was possible w/GAuth and to keep things simple I used just root, though even with a single account you can register it with multiple devices. GAuth itself also supports multiple user accounts and with a small change in the source code, you can easily support multiple users with their own SECRET file.
Jeff Liao says
When localtime in Taiwan(CST+8) (Asia/Taipei) can't work.
Could you give me a direction to fix it ?
Thanks a lot.
Fathul says
Hi William,
Quick check if this setup works for login vcenter 8.0?