cloudposse / bastion

🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
https://cloudposse.com/accelerate
Apache License 2.0

Google Authenticator only works with emergency codes #13

Closed sbkg0002 closed 7 years ago

sbkg0002 commented 7 years ago

Hi,

First of all: thanks for the great image! I use Google Authenticator (on Android) successfully on other accounts, but I cannot use it with your image. Docker logs just say:

PAM: Authentication failure for root from 172.17.0.1
Connection closed by 172.17.0.1 port 54450 [preauth]

I can use the emergency codes that are generated.

Any suggestions? Thanks.

osterman commented 7 years ago

@sbkg0002 thanks for submitting this issue!

This error sounds so familiar... I seem to recall encountering it during development, but don't remember what the issue was since that was some time ago. If you're running it in Docker for Mac, I suggest ensuring the VM's clock is in sync (which tends to drift on laptops). That could affect TOTP tokens. https://github.com/docker/for-mac/issues/1260#issuecomment-279050735

Also, if you can share the specific command line args/envs you're passing to start the container, I will try to reproduce it on my end.
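
The clock-drift theory above is easy to check numerically. The following is an added example, not code from this issue or from the cloudposse/bastion image: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation (HMAC-SHA1, 30-second step, 6 digits, which is what Google Authenticator uses), plus a verifier with a ±1-step window and a small simulation of a phone with a correct clock against a bastion whose clock is behind. The secret is the RFC 4226/6238 test-vector key, not a real one; `login_succeeds` and its drift values are constructed for the demo. Emergency (scratch) codes are static strings, so they are unaffected by drift, which is exactly the symptom reported here.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# Demo value only; Google Authenticator would store it base32-encoded in ~/.google_authenticator.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP step (Google Authenticator default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, candidate: str, server_time: int,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Accept the code if it matches the current step or any step within ±window.

    window=1 means three codes are valid at once (previous, current, next), the same
    tolerance google-authenticator-libpam applies with its default WINDOW_SIZE of 3.
    A larger window tolerates more drift at the cost of a larger guessing surface.
    """
    current = server_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta), candidate)
        for delta in range(-window, window + 1)
    )


def login_succeeds(server_drift_seconds: int, phone_time: int = 1_500_000_000,
                   window: int = 1) -> bool:
    """Constructed scenario: the phone's clock is correct, the bastion's clock is behind.

    phone_time is a fixed instant (July 2017) so the result is deterministic.
    """
    code = totp(DEMO_SECRET, phone_time)                 # what the user types
    server_time = phone_time - server_drift_seconds      # what the bastion believes
    return verify_totp(DEMO_SECRET, code, server_time, window=window)


if __name__ == "__main__":
    # Sanity check against the RFC 6238 vector: T=59 -> "94287082" (last 6 digits "287082").
    print("totp(T=59) =", totp(DEMO_SECRET, 59))
    for drift in (0, 20, 60, 200):
        print(f"bastion clock {drift:>3}s behind, window=1 -> "
              f"{'accepted' if login_succeeds(drift) else 'PAM: Authentication failure'}")
```

The simulation reproduces the failure pattern in this issue: a few seconds of skew is absorbed by the window, but once the VM's clock falls more than one step behind (here 60 s or more), every code the phone produces is rejected while static emergency codes keep working. The practical check is to compare `date -u` inside the container (or the Docker VM) with a trusted time source before suspecting the image or the PAM configuration.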

sbkg0002 commented 7 years ago

Thanks @osterman. The funny thing is that the Docker update from today/this week to Version 17.06.0-ce-mac18 (18433) seems to have fixed it!

For reference to others, I use this simple compose file.

bastion:
  restart: unless-stopped
  container_name: bastion
  image: cloudposse/bastion
  volumes:
    - bastion:/root/.ssh/
  environment:
    - MFA_PROVIDER=google-authenticator
  ports:
    - "2411:22/tcp"

osterman commented 7 years ago

Wonderful! Thanks for posting your compose file.

Btw, the upgrade of docker fixing it bodes well for the theory that the system clock was behind inside the linux VM.