Closed davama closed 5 years ago
No, there's no way of doing just that. Even if there were the user could just upload their own `google-authenticator` binary or even their own custom `.google_authenticator` file, or they can edit the file after running your restricted version.
Someone who's smart enough to run your `google-authenticator-backend` (or whatever you rename it to) is probably smart enough to do one of those options.
If you want to restrict options then you're going to have to have a custom provisioning binary set user ID to some dedicated user, so that the user's GA config file is not editable by them, and then use the `user=` option with the PAM module. And you'll probably want to pick a path not in the user's homedir, so they can't change it in any way.
Closing the bug, but happy to reopen if you have more questions/suggestions.
> No, there's no way of doing just that. Even if there were the user could just upload their own `google-authenticator` binary or even their own custom `.google_authenticator` file, or they can edit the file after running your restricted version.
Agreed, which is why I was thinking of changing the directory (which you mentioned).
> If you want to restrict options then you're going to have to have a custom provisioning binary set user ID to some dedicated user, so that the user's GA config file is not editable by them, and then use the `user=` option with the PAM module. And you'll probably want to pick a path not in the user's homedir, so they can't change it in any way.
Looking at https://github.com/google/google-authenticator-libpam#encrypted-home-directories it mentions the `user=` option. If I understand, google pam will switch to the owner of the lock-dir to read the GA config file for the respective user. Correct?
If the above is correct then I would configure GA like:
system-user = google-dummy(999)
pam module would read:
`auth required pam_google_authenticator.so secret=/var/google_auth-GAs/${USER}/.google_authenticator user=999`
where `/var/google_auth-GAs` is owned by user 999 with perms.
yes?
That being the case, it would not matter if a "smart" user runs `google-authenticator` since they cannot access the `/var/google_auth-GAs` directory. So then the admin would be in charge of issuing new GA secrets.
Thank you! Dave
I'd use `user=google-dummy`, not by UID, but otherwise yes.
Well, I'd also go with a file path like `secret=/var/google_auth-GAs/${USER}.conf`. No need for a hidden file nor per-user directory.
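Putting the layout agreed above into a small admin-side script, as an added example (not code from the google-authenticator-libpam project or from anyone in this thread): it prints the matching PAM line, provisions a user's secret as the dedicated owner, and checks that the directory and secret file are owned by that user with no group/other bits, which is the property that stops the login user from reading or rewriting their own config. It assumes a dedicated user `google-dummy`, `sudo`, and a `stat` that accepts `-c` (GNU or busybox); the function names are made up here.

```shell
#!/bin/sh
# Added example; not from the google-authenticator-libpam project or this thread.
# Layout from the thread: secrets in /var/google_auth-GAs/<login>.conf, owned by a
# dedicated user (google-dummy) so the login user cannot read or rewrite them.
# Assumes GNU/busybox `stat -c` and sudo; helper names are invented for this example.

# Create the protected directory once (run as root):
#   install -d -o google-dummy -m 700 /var/google_auth-GAs

# Print the PAM line for this layout. ${USER} stays literal: pam_google_authenticator
# expands it to the authenticating user at login, so the shell must not expand it here.
pam_line() {
    printf 'auth required pam_google_authenticator.so secret=%s/${USER}.conf user=%s\n' "$1" "$2"
}

# Admin-side provisioning: run the CLI as the dedicated owner so the file is created
# under the protected directory with the admin's chosen options (TOTP, no code reuse,
# rate limit 3 per 30 s, window 3), not whatever the user would pick. The CLI still
# prints the secret/QR code, which the admin hands to the user for enrolment.
provision_user() {
    dir="$1"; login="$2"; owner="$3"
    sudo -u "$owner" google-authenticator -t -d -f -r 3 -R 30 -w 3 -s "$dir/$login.conf"
}

# Return 0 only if the directory and the user's secret file are owned by the dedicated
# user with no group/other permission bits, i.e. the login user cannot touch them.
check_secret_layout() {
    dir="$1"; login="$2"; owner="$3"
    for p in "$dir" "$dir/$login.conf"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        o=$(stat -c '%U' "$p")
        [ "$o" = "$owner" ] || { echo "$p owned by $o, expected $owner" >&2; return 1; }
        m=$(stat -c '%a' "$p")          # octal mode, e.g. 700 or 600
        case "$m" in
            *00) ;;                     # group and other bits all clear
            *) echo "$p has mode $m; group/other access must be 0" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Run `check_secret_layout /var/google_auth-GAs alice google-dummy` after provisioning; a non-zero exit means the user could still reach their own secret file.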
@ThomasHabets Thank you for the pointers. Much appreciated
Best Regards, Dave
Thank you - this helped me as well.
Hello,
Hopefully this is not a duplicate question...
Looking at https://github.com/google/google-authenticator-libpam/blob/master/man/google-authenticator.1.md
Is there a way to run `google-authenticator` with default settings? Like having some /etc/google-auth.conf file with defaults? Basically prevent users from creating secrets with custom options.
Workaround is creating an alias to `google-authenticator` but of course one could run `/usr/bin/google-authenticator` and do whatever they want. Hope this makes sense.
Thank you, Dave