Redmine - one-time password authentication (OTP)

Google Authenticator

If you are an active user of Redmine, and its contents are probably confidential, you have probably thought about hardening the application.



This article describes how to set up authentication in Redmine with one-time passwords (OTP) generated by the Google Authenticator mobile application.



It covers the installation and configuration of Google Authenticator and of the redmine_pam_auth plugin for Redmine 2.2 on CentOS 6.

Install Google Authenticator




To do this, add the Southbridge repository:

rpm -Uhv http://rpms.southbridge.ru/southbridge-rhel6-stable.rpm

Or install the rpm directly, without adding the repository:

rpm -Uhv http://rpms.southbridge.ru/rhel6/stable/x86_64/google-authenticator-1.0-0.gita096a62.el6.x86_64.rpm




Install pam-mysql




You can do without it, but then you would have to add the “redmine” user to the “shadow” group or run Redmine as root, which in light of the recent Rails exploits looks like a bad idea.

yum install pam-mysql




Create a pam config for google authenticator authentication




File /etc/pam.d/rpam (pam_mysql is used only at the account stage, to confirm that the login exists in Redmine's users table; the one-time code itself is checked by pam_google_authenticator):

#%PAM-1.0
account  required pam_mysql.so user=<redmine_db_user> passwd=<redmine_db_password> host=<redmine_db_host> db=<redmine_dbname> table=users usercolumn=login passwdcolumn=login crypt=0
auth     required pam_google_authenticator.so user=redmine secret=/opt/redmine/tmp/google-authenticator/${USER}
auth     required pam_env.so
session  required pam_unix.so




Install the authorization plugin via pam for Redmine




Clone the plugin from GitHub:

cd /opt/redmine
git clone git://github.com/cardil/redmine-pam-auth.git plugins/redmine_pam_auth




Install pam-devel, which is required to compile the rpam-ruby19 gem:

yum install pam-devel




Install the gems that redmine-pam-auth needs (note the --without exclusions: your configuration may use rmagick, postgresql or something else). If you are not using bundler yet, I highly recommend it; it is much more convenient than installing gems into the system by hand.

cd /opt/redmine
bundle install --without development test sqlite postgresql rmagick --path vendor/bundle




Run the plugin migrations:

bundle exec rake redmine:plugins:migrate RAILS_ENV="production"




Generating user keys for Google Authenticator




Create a directory for storing the Google Authenticator keys:

mkdir /opt/redmine/tmp/google-authenticator




Generate the keys (a detailed description of the command-line options is shown by the "--help" parameter; choose the authentication parameters at your discretion).

The "--label=username@example.net" parameter is a label that helps identify the account in the Google Authenticator mobile application. The "--secret=/opt/redmine/tmp/google-authenticator/username" parameter is the key file, where username is the user's login in Redmine.

 google-authenticator --time-based --disallow-reuse --qr-mode=UTF8 --force --no-rate-limit --window-size=17 --label=username@example.net --secret=/opt/redmine/tmp/google-authenticator/username 




Adjust the rights

chown -R redmine:redmine /opt/redmine/tmp/google-authenticator
chmod 0600 /opt/redmine/tmp/google-authenticator/username
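To make the options chosen above concrete, here is an added example (not code from the article, from google-authenticator or from redmine_pam_auth) that implements the server side of the check in Python: RFC 6238 TOTP over 30-second periods (--time-based), a window of codes centred on the current one (--window-size=17 means the current code plus 8 before and 8 after, about 4 minutes of clock skew in either direction, versus the default of 3), rejection of a code that has already been accepted (--disallow-reuse), and the ownership and mode check that justifies the chown/chmod step, refusing a secret file that is readable by others. The secret file layout (base32 secret on the first line, options after it), the uid check and the sample secret are this example's own assumptions; the sample key is the RFC 6238 test key in base32.

```python
# Added example: TOTP verification with the window and replay rules selected above,
# plus a private-file check before the secret is used. Not the PAM module's code.
import base64
import hashlib
import hmac
import os
import stat
import struct

STEP = 30    # seconds per TOTP period
DIGITS = 6   # length of the code shown in the app


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238: HMAC-SHA1 over the 8-byte big-endian time counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class TotpVerifier:
    """Server-side check with the window and replay rules used in the article's command."""

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True):
        self.secret = secret_b32
        self.window_size = window_size
        self.disallow_reuse = disallow_reuse
        self.used_counters = set()   # the PAM module persists these in the secret file instead

    def verify(self, code, now):
        """Return True if code is valid for one of the window_size periods centred on now."""
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        half = self.window_size // 2            # window 3 -> +-1 period, window 17 -> +-8 periods
        for delta in range(-half, half + 1):
            t = now + delta * STEP
            if t < 0:
                continue
            if hmac.compare_digest(totp(self.secret, t), code):
                counter = t // STEP
                if self.disallow_reuse and counter in self.used_counters:
                    return False                # replay of a code that already logged someone in
                self.used_counters.add(counter)
                return True
        return False


def load_secret(path, expected_uid=None):
    """Read the first line (the base32 secret) only if the file is private to its owner."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {mode:04o} is accessible by others; expected 0600")
    if expected_uid is not None and st.st_uid != expected_uid:
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    with open(path, encoding="ascii") as fh:
        return fh.readline().strip()


if __name__ == "__main__":
    import tempfile
    # Constructed secret: the RFC 6238 test key "12345678901234567890" in base32.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = 1111111109                            # an RFC 6238 test timestamp
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "username")      # stands in for /opt/redmine/tmp/google-authenticator/username
        with open(path, "w") as fh:
            fh.write(secret + "\n\" TOTP_AUTH\n\" DISALLOW_REUSE\n\" WINDOW_SIZE 17\n")
        os.chmod(path, 0o600)                   # the chmod 0600 step above
        v = TotpVerifier(load_secret(path, os.getuid()), window_size=17)
        code = totp(secret, now)
        print(code, v.verify(code, now), v.verify(code, now))   # 081804 True False
```

The wide window is a convenience for phones with drifting clocks, and the price is that a code stays valid for roughly nine minutes instead of ninety seconds; --disallow-reuse limits the damage by making each accepted code single-use, which is why the PAM module needs write access to the secret file and why the file must belong to the Redmine user and nobody else.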




Installing the free Google Authenticator app




The Google Authenticator mobile app is available for iPhone, Android and BlackBerry.



More information about the installation can be found on the Google Help page.



During key generation, google-authenticator displays a link like https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/username@example.net%3Fsecret%3DDOYZKVDCN7GUGJH3 - go to it in the browser and scan the displayed QR code from the Google Authenticator mobile application.



Configuring Redmine


In the Redmine user's profile, set the authentication mode to "Pam".



Done!




Now, when logging in, you only need to enter your username, open Google Authenticator on your phone and type the digits it shows into the password field.



In one of the following articles I will write about Wiki encryption; it helps avoid leaks of Wiki data if the server hosting Redmine is compromised after all and the database is dumped. If you are interested, welcome to our Habr blog.

Source: https://habr.com/ru/post/168063/


