google / google-authenticator-libpam

Apache License 2.0

google-authenticator default settings file #123

Closed davama closed 5 years ago

davama commented 5 years ago

Hello,

Hopefully this is not a duplicate question...

Looking at https://github.com/google/google-authenticator-libpam/blob/master/man/google-authenticator.1.md

Is there a way to run google-authenticator with default settings? Like having some /etc/google-auth.conf file with defaults?

Basically avoid users from creating secrets with custom options.

Workaround is creating an alias to google-authenticator but of course one could run /usr/bin/google-authenticator and do whatever they want.

Hope this makes sense.

Thank you, Dave

ThomasHabets commented 5 years ago

No, there's no way of doing just that. Even if there were the user could just upload their own google-authenticator binary or even their own custom .google_authenticator file, or they can edit the file after running your restricted version.

Someone who's smart enough to run your google-authenticator-backend (or whatever you rename it to) is probably smart enough to do one of those options.

If you want to restrict options then you're going to have to have a custom provisioning binary set user ID to some dedicated user, so that the user's GA config file is not editable by them, and then use the user= option with the PAM module. And you'll probably want to pick a path not in the user's homedir, so they can't change it in any way.

Closing the bug, but happy to reopen if you have more questions/suggestions.

davama commented 5 years ago

> No, there's no way of doing just that. Even if there were the user could just upload their own google-authenticator binary or even their own custom .google_authenticator file, or they can edit the file after running your restricted version.

Agreed, which is why I was thinking of changing the directory (which you mentioned).

> If you want to restrict options then you're going to have to have a custom provisioning binary set user ID to some dedicated user, so that the user's GA config file is not editable by them, and then use the user= option with the PAM module. And you'll probably want to pick a path not in the user's homedir, so they can't change it in any way.

Looking at https://github.com/google/google-authenticator-libpam#encrypted-home-directories it mentions the user= option. If I understand, google pam will switch to the owner of the lock-dir to read the GA config file for the respective user. Correct?

If the above is correct then I would configure GA like:

system-user = google-dummy(999)

pam module would read:

auth required pam_google_authenticator.so secret=/var/google_auth-GAs/${USER}/.google_authenticator user=999

where /var/google_auth-GAs is owned by user 999 with perms.

yes?

that being the case, it would not matter if a "smart" user runs google-authenticator since they cannot access the /var/google_auth-GAs directory. So then the admin would be in charge of issuing new GA secrets.

Thank you! Dave

ThomasHabets commented 5 years ago

I'd use user=google-dummy, not by UID, but otherwise yes.

Well, I'd also go with a file path like secret=/var/google_auth-GAs/${USER}.conf. No need for a hidden file nor per-user directory.
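The layout agreed on above (secrets outside the user's home directory, owned by a dedicated account, read by the module via user=) as an added administrator-side provisioning script; this is not code from the project or from the thread. The account name google-dummy and the directory /var/google_auth-GAs follow the thread's own examples; the per-user `<user>.conf` naming, the 0700/0600 modes and the fixed policy flags are assumptions.

```shell
#!/bin/sh
# Added example, not part of google-authenticator-libpam: root-run provisioning
# of per-user secrets kept outside $HOME. Assumed names: dedicated account
# "google-dummy", directory /var/google_auth-GAs, one file per user, <user>.conf.
set -eu

GA_USER=google-dummy
GA_DIR=/var/google_auth-GAs

# The line for /etc/pam.d/<service>. ${USER} is expanded by the PAM module at
# authentication time, not by the shell, so it is kept literal here.
pam_line() {
    printf 'auth required pam_google_authenticator.so secret=%s/${USER}.conf user=%s\n' \
        "$GA_DIR" "$GA_USER"
}

secret_path() {
    printf '%s/%s.conf\n' "$GA_DIR" "$1"
}

# The directory must belong to the dedicated account and be exactly mode 0700:
# the module drops to that account to read (and update) the file, and nobody
# else, the end user included, may read or replace secrets. Returns 0 when both hold.
secrets_dir_ok() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -user "$owner" -perm 0700 -print)" ]
}

# Run as root: generate a secret for one user with fixed policy flags so the
# user never chooses the options (time-based, no token reuse, window of 1,
# at most 3 attempts per 30 s). Any remaining prompt is answered by the
# administrator, who then hands the printed QR code/key to the user.
provision_user() {
    u="$1"; f="$(secret_path "$u")"
    if [ ! -d "$GA_DIR" ]; then
        mkdir -m 0700 "$GA_DIR" && chown "$GA_USER" "$GA_DIR"
    fi
    secrets_dir_ok "$GA_DIR" "$GA_USER" || { echo "refusing: $GA_DIR is not private to $GA_USER" >&2; return 1; }
    google-authenticator -t -d -f -w 1 -r 3 -R 30 -s "$f"
    chown "$GA_USER" "$f"
    chmod 0600 "$f"   # the module refuses group/world-accessible secret files
}

# Stand-alone use: sudo ./provision.sh alice bob
if [ "$#" -gt 0 ]; then
    for u in "$@"; do provision_user "$u"; done
fi
```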

davama commented 5 years ago

@ThomasHabets Thank you for the pointers. Much appreciated

Best Regards, Dave

tacerus commented 3 years ago

Thank you - this helped me as well.