google / google-authenticator-libpam

Apache License 2.0

google-authentication-libpam is not working with xrdp on Ubuntu 18 #110

Closed Sas002 closed 5 years ago

Sas002 commented 5 years ago

google-authentication-libpam is not working with xrdp on Ubuntu 18. Is there any documentation on configuring google-authentication on Ubuntu 18 with xrdp? I followed the standard steps but google-auth is not prompting for the code.

ThomasHabets commented 5 years ago

I followed the standard steps

There are no standard steps. Please specify exactly what you tried.

Sas002 commented 5 years ago

I tried the steps from https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04 . It seems login using ssh is working with google-auth, but xrdp login is not asking for the google-auth code at all. It just accepts username and password and never asks for the code.

Sas002 commented 5 years ago

I followed https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04 step 1, step 2 and step 3.

ThomasHabets commented 5 years ago

It seems likely that the xrdp protocol doesn't support a secondary password prompt. I'd recommend you configure the PAM module to take the OTP from the password. See this section of the README for more information.

Sas002 commented 5 years ago

The pam file /etc/pam.d/sshd looks like below. Please find the attached file PAM.txt.

Here ssh is working fine with just the google-authenticator code. No password is required. For the xrdp session I am still not able to login.

ThomasHabets commented 5 years ago

To paste data without formatting, use triple backticks (`) to start and end. Click "Preview" to see how well it went.

OK, so you have only the GA OTP PAM module. Then you don't need forward_pass.

Next step is checking the logs. Probably /var/log/auth.log. Maybe adding debug option to GA to get more debugging output.

Sas002 commented 5 years ago

It seems I am only able to use GA OTP on an ssh session. XRDP is just working on username and password, whether I use forward_pass or not. I am using xrdp with an xrdp-sesman session.

Sas002 commented 5 years ago

It seems that for adding GA with xrdp I need to add the config below, but after adding it the xrdp login session stops working. I am not able to select any option for xrdp login. Is there any specific configuration I need to add for xrdp to make GA OTP work?

login, edit /etc/pam.d/common-auth:

sudo vim /etc/pam.d/common-auth and now add this line auth required pam_google_authenticator.so above the line auth [success=1 default=ignore] pam_unix.so nullok_secure, then save the file.

Sas002 commented 5 years ago

Finally I made it work just with OTP (no password). It is working fine with ssh as well as the xrdp session. I just need to provide the username and the code from the google-authenticator mobile app and the xrdp session login just works. I could not manage to configure both password and OTP for xrdp; with ssh it is working fine.

For xrdp to work with a one-time code from GA, cat /etc/pam.d/xrdp-sesman:

%PAM-1.0
@include common-auth
@include common-account
@include common-session
@include common-password
auth required pam_google_authenticator.so ---------> This is the only config added and rest all should be disabled

ThomasHabets commented 5 years ago

I would expect this to work:

auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

And then enter "password012345" as password (hmm, or is it "012345password"?) where 012345 is the OTP.
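
A simplified model of the forward_pass scheme described above, added here as an illustration; it is not code from google-authenticator-libpam. The OTP is taken as the trailing six digits of what is typed into the password field (password first, then OTP, which is the "password+OTP" form reported working later in this thread), checked as an RFC 6238 TOTP, and the remaining prefix is what pam_unix.so receives through use_first_pass. The secret is the RFC 6238 test key, and the one-step skew window is an assumption of this model, not the module's own window handling.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6   # TOTP length the Google Authenticator app produces
STEP = 30    # seconds per TOTP window
WINDOW = 1   # accept +/- one step of clock skew (assumption for this model)

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32,
# formatted like the secret line of ~/.google_authenticator. Not a real user's key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme the Google Authenticator app uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_forward_pass(combined: str, digits: int = DIGITS):
    """Model of forward_pass: trailing digits are the OTP, the prefix is the Unix password.

    Returns (password, otp), or None when there is no OTP-sized digit run at the end.
    """
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_combined(combined: str, secret_b32: str, at_time: int, window: int = WINDOW):
    """Return the password to hand to pam_unix.so if the trailing OTP is valid, else None."""
    parts = split_forward_pass(combined)
    if parts is None:
        return None
    password, otp = parts
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + skew * STEP)
        if hmac.compare_digest(candidate, otp):     # constant-time comparison
            return password
    return None


if __name__ == "__main__":
    now = int(time.time())
    typed = "password" + totp(DEMO_SECRET_B32, now)
    print(typed, "->", verify_combined(typed, DEMO_SECRET_B32, now))
```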

Sas002 commented 5 years ago

I will test and confirm.

Sas002 commented 5 years ago

It is working perfectly for the xrdp session using sesman. I just do not get two screens for password and OTP, but that is something missing from xrdp, not from GA. Thanks a lot.

brijeshjaiswal commented 5 years ago

Can you please confirm step by step process for xrdp configuration with Google authenticator.

brijeshjaiswal commented 5 years ago

I would expect this to work:

auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

And then enter "password012345" as password (hmm, or is it "012345password"?) where 012345 is the OTP.

This worked awesome. But I was thinking of having a separate field in the first login screen for the OTP/token, so that in the first field we enter the username, in the second field the password and the last field contains the token, masked or visible. Request you to please check and help me. Appreciate it if the OTP can be in masked format.

ThomasHabets commented 5 years ago

Try playing around with authtok_prompt=otp or similar. I think the "extra password" that the OTP is, is an extra key/value that is keyed off of that.

I'm not sure though.

Try it, and report back if it works.

brijeshjaiswal commented 5 years ago

Try playing around with authtok_prompt=otp or similar. I think the "extra password" that the OTP is is an extra key/value, that is keyed off of that.

I'm not sure though.

Try it, and report back if it works.

But where do I have to make this "authtok_prompt=otp" entry? Basically, in which file?

ThomasHabets commented 5 years ago

That's a parameter to pam_google_authenticator.so, so where you now have forward_pass, replace it with this.

brijeshjaiswal commented 5 years ago

I tried but it didn't work. The reason is simply that I have just created a field called OTP but I am not aware from where it's going to call the function. Like username or password, it usually calls the function and then it does the validation.

brijeshjaiswal commented 5 years ago

Requesting you please help me with that part.

ThomasHabets commented 5 years ago

I don't understand the question.

brijeshjaiswal commented 5 years ago
1. Please check the login screen. It has three fields: a. username, b. Password and c. OTP. Now the fields username and password are calling some functions programmatically, so when we are typing username and password it validates. Right? So as I have installed XRDP and enabled Google authenticator, it works fine if I use your recommendation of entering the entry below in xrdp-sesman and entering userid and password+OTP.

auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Now I have created the field called OTP where I want to enter the OTP rather than entering it together with the password as password+otp.

Please help me Out..

ThomasHabets commented 5 years ago

I have just created field called OTP

What's a "field"? In what?

not aware from where it's going to call the function

What function?

Like username or password it usually calls the function and then it does validation.

That's… not a description that fits well with how PAM works, if that's what you're referring to.

But really it sounds like you're asking how xrdp is supposed to work. I have no idea. I know fairly well how PAM works though.

Maybe something from this issue could help you, but really I'm just guessing what your question is.

investlab commented 3 years ago

auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

I added it to /etc/pam.d/xrdp-sesman, but it does not work :(

ThomasHabets commented 3 years ago

Logs are needed to debug.

investlab commented 3 years ago

Dear @ThomasHabets This worked awesome.

This is my config: /etc/pam.d/xrdp-sesman

Thank you so much!

Alvaro1316 commented 2 years ago

Logs are needed to debug.

Hello Dear @ThomasHabets, can you help me? I installed Ubuntu 20.04 and I already made the changes in /etc/pam.d/xrdp-sesman. I also made changes in xrdp.ini to show the OTP code. But it is still not working.

ThomasHabets commented 2 years ago

Sorry, I've not set up xrdp, and standard log and complete config rules apply.