Closed (antitree closed this issue 5 years ago)
Hmm, that's not right. The tool even asks you:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Did you say n to that?
I'm unable to reproduce your problem. Could you provide way more details, such as how you generated the config, and what your PAM config looks like?
You are using time-based tokens, right? Do you have DISALLOW_REUSE in your ~/.google_authenticator?
Thanks for the follow-up. I just went through my installation again (using Ansible) with the same results (reuse accepted even after selecting not to). But trying manually on a Debian and CentOS install it works as expected. Looks like something on my end. Sorry for the false positive.
On Fri, Apr 19, 2019, 11:46 AM Thomas Habets notifications@github.com wrote:
> You are using time-based tokens, right? Do you have DISALLOW_REUSE in your ~/.google_authenticator?
> https://github.com/google/google-authenticator-libpam/issues/130#issuecomment-484937088
The google-authenticator PAM module allows OTP code reuse.
Example:
https://tools.ietf.org/html/rfc6238
Tested on Ubuntu with sshd PAM configuration set to use google-authenticator-libpam.