google / google-authenticator-libpam

Apache License 2.0

Verification Code prompt appears twice #153

Closed hugeps closed 4 years ago

hugeps commented 4 years ago

Question: WHY is there a second prompt in this case?

ThomasHabets commented 4 years ago

Please provide all the configs you set up. PAM, SSH, and anything else relevant.

hugeps commented 4 years ago

$ egrep -v "^#" /etc/pam.d/sshd | egrep -v "^$"
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password
auth required pam_google_authenticator.so

$ egrep -v "^#" /etc/ssh/sshd_config | egrep -v "^$"
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password  publickey,keyboard-interactive
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

Extract from .google_authenticator:

" RATE_LIMIT 3 30 blah blah
" WINDOW_SIZE 17
" DISALLOW_REUSE blah blah
" TOTP_AUTH

hugeps commented 4 years ago

OK, probably one of importance as well:

ii libpam-google-authenticator 20170702-1 amd64 Two-step verification

ThomasHabets commented 4 years ago

Curious. Any log messages after the first "Accepted[…]" log message?

Could you try with the code as it is on GitHub?

hugeps commented 4 years ago

I'm going to compile from GitHub code - will revert as soon as it's done...

NirvashPrime commented 4 years ago

Any update on this? I'm experiencing the same behavior.

hfv1606 commented 4 years ago

I get the same behaviour as well. Is there any way to solve this?

ThomasHabets commented 4 years ago

In addition to the logging messages I asked for, there's also the output of the ssh client when logging in, including the output when running with -v.

hfv1606 commented 4 years ago

> In addition to the logging messages I asked for, there's also the output of the ssh client when logging in, including the output when running with -v.

In the meantime I did a reinstall of the server. The problem does not reoccur.

philayres commented 4 years ago

I had this issue with CentOS 7 and a GNOME GDM login. My /etc/pam.d/gdm-password file had multiple entries for:

auth required pam_google_authenticator.so nullok

This was due to a bad provisioning script.

Same for /etc/pam.d/sshd and /etc/pam.d/login files.

Fixing that solved my issue.

ConstiF commented 4 years ago

Thanks @philayres. I had the same issue on Ubuntu. I removed the entry from /etc/pam.d/common-auth and just left it in /etc/pam.d/sshd. Note though, now you will not get a prompt for verification code when you run 'sudo'.

NirvashPrime commented 4 years ago

While checking what @philayres mentioned, I noticed the following:

It's interesting that there could be multiple causes for this behavior.

bert2002 commented 4 years ago

@hugeps did it help to rebuild from latest?

hugeps commented 4 years ago

Hi Steffen,

Did not really have a chance to rebuild; instead I've only left the ssh pam configs, removing the auth. This helped in what I was after, i.e. network login protection.

P

isr4z6er commented 4 years ago

Same problem. Finally found a duplicated 'auth required xxxx' config in /etc/pam.d/common-session. Problem solved after deleting. Better to check all common-* files under /etc/pam.d/

ThomasHabets commented 4 years ago

Ok, I'm going to assume every time this happens it's a PAM config issue.
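
The check several commenters ended up doing by hand (looking for more than one pam_google_authenticator.so auth entry across /etc/pam.d/sshd and the common-* files it pulls in), as an added example that is not part of the thread or the project's code. The names find_module and demo and the sample files are constructed for illustration; on a real host call find_module("sshd").

```python
import os
import re
import tempfile

MODULE = "pam_google_authenticator.so"
# "<type> <control> <module-or-file>"; control is one word or a [bracketed] list
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def find_module(service, pam_dir="/etc/pam.d", module=MODULE, active=()):
    """List (file, line_no, text) for each auth rule loading `module` in the
    stack of `service`, following @include, include and substack."""
    path = os.path.join(pam_dir, service)
    if path in active or not os.path.isfile(path):
        return []  # include loop or missing file
    hits = []
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()   # drop comments
            words = line.split()
            if len(words) == 2 and words[0] == "@include":
                hits += find_module(words[1], pam_dir, module, active + (path,))
                continue
            m = RULE.match(line)
            if not m or m.group(1) != "auth":
                continue
            if m.group(2) in ("include", "substack"):
                hits += find_module(m.group(3), pam_dir, module, active + (path,))
            elif os.path.basename(m.group(3)) == module:
                hits.append((path, no, line))
    return hits

def demo():
    """Constructed sample: the module is listed in sshd and in common-auth."""
    files = {
        "sshd": "@include common-auth\nauth required pam_google_authenticator.so\n",
        "common-auth": "auth required pam_unix.so\n"
                       "auth required pam_google_authenticator.so nullok\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return [(os.path.basename(f), n, t) for f, n, t in find_module("sshd", d)]

if __name__ == "__main__":
    for f, n, t in demo():
        print(f"{f}:{n}: {t}")
```

More than one line of output for a service means the module is listed more than once in that service's auth stack, which is the situation the commenters above fixed by removing the extra entries.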