If you are an active Redmine user, its contents are probably confidential, and you have probably thought about strengthening the application's security.
This article describes how to set up authentication in Redmine using one-time passwords (OTP) generated by the Google Authenticator mobile application. It covers the installation and configuration of Google Authenticator and of the redmine_pam_auth plugin for Redmine 2.2 on CentOS 6.
Install Google Authenticator
To do this, connect the Southbridge repository:
rpm -Uhv http://rpms.southbridge.ru/southbridge-rhel6-stable.rpm
Or install the rpm directly, without connecting the repository:
rpm -Uhv http://rpms.southbridge.ru/rhel6/stable/x86_64/google-authenticator-1.0-0.gita096a62.el6.x86_64.rpm
Install pam-mysql
You can do without it, but then you have to add the user "redmine" to the group "shadow" or run Redmine as root, which in light of the recent Rails exploits seems like a bad idea.
yum install pam-mysql
Create a PAM config for Google Authenticator authentication
File /etc/pam.d/rpam
Install the PAM authentication plugin for Redmine
Clone the plugin from GitHub:
cd /opt/redmine
git clone git://github.com/cardil/redmine-pam-auth.git plugins/redmine_pam_auth
Install pam-devel, which is required to compile the rpam-ruby19 gem
yum install pam-devel
Install the gems needed by redmine-pam-auth (note the --without exclusions: perhaps rmagick, postgresql or something else is used in your configuration). If you are not using Bundler yet, I highly recommend it; it is much more convenient than installing gems into the system manually.
cd /opt/redmine
bundle install --without development test sqlite postgresql rmagick --path vendor/bundle
Run the plugin migrations
bundle exec rake redmine:plugins:migrate RAILS_ENV="production"
Generating user keys for Google Authenticator
Create a folder for storing the Google Authenticator keys
mkdir /opt/redmine/tmp/google-authenticator
Generate the keys (a detailed description of the command-line options is available via the "--help" parameter; you can choose the authentication parameters at your discretion).
The "--label=username@example.net" parameter is a label that helps identify the account in the Google Authenticator mobile application. The "--secret=/opt/redmine/tmp/google-authenticator/username" parameter is the key store, where username is the user's login name in Redmine.
google-authenticator --time-based --disallow-reuse --qr-mode=UTF8 --force --no-rate-limit --window-size=17 --label=username@example.net --secret=/opt/redmine/tmp/google-authenticator/username
Adjust the permissions
chown -R redmine:redmine /opt/redmine/tmp/google-authenticator
chmod 0600 /opt/redmine/tmp/google-authenticator/username
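A small audit script, added here and not part of the original article, that checks the key store after the chown/chmod step: each secret file must be owned by the Redmine user, have mode 0600 and be a time-based key as written by google-authenticator --time-based. It assumes GNU coreutils stat (as on CentOS 6) and the directory and user names used in this article.

```shell
#!/bin/sh
# Added audit script, not from the original article. Checks that every
# Google Authenticator secret under a key directory is owned by the
# expected user, is mode 0600 and is a time-based key as written by
# "google-authenticator --time-based". Assumes GNU coreutils stat.

# check_secret_file FILE OWNER
# Returns 0 if FILE is owned by OWNER, has mode 0600 and holds a TOTP
# secret; prints the reason to stderr and returns 1 otherwise.
check_secret_file() {
    sf="$1"; owner="$2"
    [ -f "$sf" ] || { echo "missing: $sf" >&2; return 1; }
    mode=$(stat -c '%a' "$sf")
    fowner=$(stat -c '%U' "$sf")
    if [ "$mode" != "600" ]; then
        echo "$sf: mode $mode, expected 600" >&2; return 1
    fi
    if [ "$fowner" != "$owner" ]; then
        echo "$sf: owner $fowner, expected $owner" >&2; return 1
    fi
    # Line 1 is the base32 secret; option lines start with a double quote
    # (" WINDOW_SIZE 17, " DISALLOW_REUSE, ...); the remaining numeric
    # lines are emergency scratch codes. Time-based keys carry TOTP_AUTH.
    if ! head -n 1 "$sf" | grep -Eq '^[A-Z2-7]{16,}$'; then
        echo "$sf: line 1 is not a base32 secret" >&2; return 1
    fi
    if ! grep -q '^" TOTP_AUTH' "$sf"; then
        echo "$sf: not a time-based (TOTP) key" >&2; return 1
    fi
    return 0
}

# audit_keydir DIR OWNER
# Checks every file in DIR, prints the number of failing files on stdout
# and returns non-zero if any file failed.
audit_keydir() {
    dir="$1"; owner="$2"; bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory
        check_secret_file "$f" "$owner" || bad=$((bad + 1))
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Usage with the paths from this article:
# audit_keydir /opt/redmine/tmp/google-authenticator redmine
```

Run it as root (or as the redmine user) whenever a new key file is generated; a non-zero exit means at least one secret is readable by other accounts or was not generated in time-based mode.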
Install the free Google Authenticator app
The Google Authenticator mobile app is available for iPhone, Android and BlackBerry.
More information about the installation can be found on the Google Help page.
During key generation, google-authenticator displays a link like https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/username@example.net%3Fsecret%3DDOYZKVDCN7GUGJH3 ; open it in a browser and scan the displayed QR code with the Google Authenticator mobile application.
Configuring Redmine
In the Redmine user's profile, set the authentication mode to "Pam".
Done!
Now, when logging in, you just enter your username, open Google Authenticator on your mobile phone and type the displayed digits into the password field.
In one of the following articles I will write about Wiki encryption; this will help avoid data leaks from the Wiki in case the server hosting Redmine is nevertheless compromised and the database is dumped. Those interested are welcome to our Habra blog.