google / google-authenticator-libpam

Apache License 2.0

Grace period issue: does not work after the first grace period is done #129

Closed yuval-almog closed 5 years ago

yuval-almog commented 5 years ago

I have set up google-authenticator-libpam with the following configuration:

auth required pam_google_authenticator.so grace_period=86400

First time I connect I see a line with the IP and a timestamp added to .google_authenticator like so: LAST0 ip-X-X-X-X 1554990261

In this situation everything works as I expected: the second time I log in, no verification code is required.

After the grace period is done, in this example after 1 day, there is a new line like so: " LAST1 ip-X-X-X-X 1555227455 (with the same IP of course). What I expected was that after the new login with a correct timestamp I would be able to log in again with no MFA for the next 24 hours; however, the result is that on every new login there is a new line with the same IP and a new timestamp, and I keep getting asked to enter the verification code.

When I clear the .google_authenticator file again, removing all the IP lines, I get another day in which the grace period works. I could have a cronjob clearing the IP lines every day, but I find it really ugly. Is this the expected behavior of grace_period, or is this a bug?

Thanks

ThomasHabets commented 5 years ago

Yeah, that sounds wrong. Let's see. Indeed, within_grace_period doesn't support multiple lines for the same IP.

But it clearly does create a new entry.

ThomasHabets commented 5 years ago

That's strange. When you say "ip-X-X-X-X" what format do you mean?

I see that when it's localhost the host name used is actually "localhost", which didn't work until I fixed it. Could you retain the original format of the lines you see in ~/.google_authenticator, but changing numbers (not into Xs) for your anonymity?

Could you also check /var/log/auth.log or similar to see if you get any error messages there. You should be able to grep for pam_google_authenticator.

ThomasHabets commented 5 years ago

This fixes localhost, at least:

$ git diff
diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
index 64c9424..82d09da 100644
--- a/src/pam_google_authenticator.c
+++ b/src/pam_google_authenticator.c
@@ -1560,7 +1560,7 @@ update_logindetails(pam_handle_t *pamh, const Params *params, char **buf) {
     char host[40]; /* Max len of ipv6 address is 8*4 digits plus 7 colons.
                     * Plus trailing NUL is 40 */
     unsigned long when = 0; // Timestamp of current entry.
-    const int scanf_rc = sscanf(line, " %39[0-9a-fA-F:.] %lu ", host, &when);
+    const int scanf_rc = sscanf(line, " %39[0-9a-zA-Z:.-] %lu ", host, &when);
     free(line);

     if (scanf_rc != 2) {
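Review bot: the `+` line widens the scanset but keeps `%39`, so the hunk still rejects any host string longer than 39 characters: `%39[...]` stops after 39 characters, the following `%lu` then fails on the leftover hostname characters, and the `if (scanf_rc != 2)` branch treats the line as malformed exactly as before the patch. A reverse-DNS name like the reporter's `ip-172-00-11-22.ec2.internal` fits, but a longer FQDN will not, and the comment on `char host[40]` ("Max len of ipv6 address ...") no longer describes what the buffer is expected to hold. Suggest sizing `host` for a hostname (for example `char host[256]` with `%255[0-9a-zA-Z:.-]`) and updating the comment accordingly, or documenting that grace_period entries are keyed on whatever host string the module records, which may be a name rather than an address.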
yuval-almog commented 5 years ago

This is the full format of what I see, with 172-00-11-22 being my IP.

" LAST1 ip-172-00-11-22.ec2.internal 1555247410
" LAST0 ip-172-00-11-22.ec2.internal 1554973221

I do see the following error:

sshd(pam_google_authenticator)[1849]: debug: google_authenticator for host "ip-172-00-11-22.ec2.internal"
sshd(pam_google_authenticator)[1849]: Malformed LAST0 line
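The following C program is an added example, not code from google-authenticator-libpam or from either participant. It reproduces the two points raised in this thread: the "Malformed LAST0 line" rejection shown above, by parsing LAST lines with both the original sscanf format (IP literals only) and the patched one (hostnames allowed), and the earlier remark that within_grace_period does not handle several lines for the same host, by checking the grace period across every LAST line for the host. The file layout (a leading double quote marks an option line) and the two sscanf formats are taken from the thread; the dummy secret, the RATE_LIMIT and TOTP_AUTH option lines, and the function names grace_period_active, parse_last_line, last_line_status and malformed_last_lines are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the module's own code. */

enum { NOT_LAST = 0, LAST_OK = 1, LAST_MALFORMED = -1 };

typedef struct {
    char host[40];      /* 39 characters plus NUL, the same bound as the module */
    unsigned long when; /* Unix timestamp of the login that wrote the entry */
} LastEntry;

/* Classify one line of ~/.google_authenticator. LAST lines look like
 *   " LAST0 ip-172-00-11-22.ec2.internal 1554973221
 * Returns NOT_LAST for any other line, LAST_OK when host and timestamp were
 * parsed into *out, and LAST_MALFORMED when it is a LAST line that the chosen
 * format rejects (what the module logs as "Malformed LASTn line"). */
static int parse_last_line(const char *line, int accept_hostnames, LastEntry *out) {
    const char *fmt = accept_hostnames
        ? " %39[0-9a-zA-Z:.-] %lu "   /* patched: letters and '-' allowed */
        : " %39[0-9a-fA-F:.] %lu ";   /* original: IPv4/IPv6 literals only */
    const char *p = line;

    while (*p == ' ') p++;
    if (*p != '"') return NOT_LAST;          /* not an option line */
    p++;
    while (*p == ' ') p++;
    if (strncmp(p, "LAST", 4) != 0) return NOT_LAST;
    p += 4;
    while (*p >= '0' && *p <= '9') p++;      /* skip the entry number */

    memset(out, 0, sizeof *out);
    return sscanf(p, fmt, out->host, &out->when) == 2 ? LAST_OK : LAST_MALFORMED;
}

/* Convenience wrapper that only reports the classification. */
static int last_line_status(const char *line, int accept_hostnames) {
    LastEntry e;
    return parse_last_line(line, accept_hostnames, &e);
}

/* Returns 1 if any LAST entry for host is younger than grace_period seconds
 * at time now, 0 otherwise. Every LAST line is considered (hypothetical
 * behaviour, not the module's), so a second entry written for the same host
 * after the first one expired still renews the grace period. If malformed is
 * non-NULL it receives the number of LAST lines the chosen format rejected. */
static int grace_period_active(const char *file, const char *host,
                               unsigned long now, unsigned long grace_period,
                               int accept_hostnames, int *malformed) {
    const char *p = file;
    int bad = 0, hit = 0;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        LastEntry e;

        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            switch (parse_last_line(line, accept_hostnames, &e)) {
            case LAST_MALFORMED:
                bad++;
                break;
            case LAST_OK:
                if (strcmp(e.host, host) == 0 && e.when <= now &&
                    now - e.when < grace_period)
                    hit = 1;
                break;
            default:
                break;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (malformed) *malformed = bad;
    return hit;
}

/* Number of LAST lines in file that the chosen format rejects. */
static int malformed_last_lines(const char *file, int accept_hostnames) {
    int bad = 0;
    grace_period_active(file, "", 0, 0, accept_hostnames, &bad);
    return bad;
}

/* Constructed sample file: dummy secret and option lines, followed by the two
 * LAST lines the reporter posted. */
static const char SAMPLE_FILE[] =
    "JBSWY3DPEHPK3PXP\n"
    "\" RATE_LIMIT 3 30\n"
    "\" TOTP_AUTH\n"
    "\" LAST1 ip-172-00-11-22.ec2.internal 1555247410\n"
    "\" LAST0 ip-172-00-11-22.ec2.internal 1554973221\n";

static const char *SAMPLE_HOST = "ip-172-00-11-22.ec2.internal";

int main(void) {
    unsigned long now = 1555247410UL + 3600;  /* one hour after LAST1 */
    int bad, ok;

    ok = grace_period_active(SAMPLE_FILE, SAMPLE_HOST, now, 86400, 0, &bad);
    printf("original format: within grace=%d, malformed LAST lines=%d\n", ok, bad);
    ok = grace_period_active(SAMPLE_FILE, SAMPLE_HOST, now, 86400, 1, &bad);
    printf("patched format:  within grace=%d, malformed LAST lines=%d\n", ok, bad);
    return 0;
}
```

With the original format both LAST lines are rejected, so the host never enters the grace period and a new line is appended on every login, which is the behaviour the reporter saw; with the patched format the newer LAST1 entry is accepted and the grace period is active. The 39-character cap of `%39[...]` is kept on purpose so that a hostname longer than that still shows up as malformed.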

ThomasHabets commented 5 years ago

Ah, I see. Yes, that explains it. Are those addresses in /etc/hosts on your machine? I hope that's not from DNS, as that could allow an attacker to choose the address (unless it's looked up both ways before being accepted).

In any case the patch in my previous comment should solve it for you.

ThomasHabets commented 5 years ago

I'll submit the patch when I'm at the right laptop to do so. :-)

yuval-almog commented 5 years ago

Actually, I'm not sure why the server takes my IP and turns it into this name when I log in. It could be some AWS-related setting.

Anyway, it looks like the change that you suggested worked! Thanks so much for the quick reply!