Hi Steffen,
have build google-authenticator-1.02 now. A first try looks like this:
$ /usr/bin/google-authenticator -h
google-authenticator [<options>]
-h, --help Print this message
-c, --counter-based Set up counter-based (HOTP) verification
-t, --time-based Set up time-based (TOTP) verification
-d, --disallow-reuse Disallow reuse of previously used TOTP tokens
-D, --allow-reuse Allow reuse of previously used TOTP tokens
-f, --force Write file without first confirming with user
-l, --label=<label> Override the default label in "otpauth://" URL
-i, --issuer=<issuer> Override the default issuer in "otpauth://" URL
-q, --quiet Quiet mode
-Q, --qr-mode={NONE,ANSI,UTF8}
-r, --rate-limit=N Limit logins to N per every M seconds
-R, --rate-time=M Limit logins to N per every M seconds
-u, --no-rate-limit Disable rate-limiting
-s, --secret=<file> Specify a non-standard file location
-S, --step-size=S Set interval between token refreshes
-w, --window-size=W Set window of concurrently valid codes
-W, --minimal-window Disable window of concurrently valid codes
$ /usr/bin/google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@ipfire-server.local%3Fsecret%3D2IQEPLVMILXAEWJY6QOKIMYFZU%26issuer%3Dipfire-server.local
Your new secret key is: 2IQEPLVMILXAEWJY6QOKIMYFZU
Your verification code is 671951
Your emergency scratch codes are:
21370559
80397018
84643833
31637358
36135594
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
$ cat /root/.google_authenticator
2IQEPLVMILXAEWJY6QOKIMYFZU
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
21370559
80397018
84643833
31637358
36135594
which seems to be functional. If you want to give it a try, you can find the IPFire package in here --> https://people.ipfire.org/~ummeegge/google-authenticator/ .
Since i am currently no in this topic you may have some more infos on how to find a good setup for this.
EDIT: Have seen that libqrencode3 is also needed. Will build it but this take a little time.
Best,
Erik