google / google-authenticator-libpam

Apache License 2.0

Stuck in a loop of `Password:` and failed login attempts #178

GGEZLOLLLLLLLLLLLLLLLLXD closed 4 years ago

GGEZLOLLLLLLLLLLLLLLLLXD commented 4 years ago

Whenever I attempt to log in to any user, this happens:

```
$ ssh pi@192.168.86.254
Password: 
Password: 
Password: 
pi@192.168.86.254's password:
Permission denied, please try again.
pi@192.168.86.254's password: 
Received disconnect from 192.168.86.254 port 22:2: Too many authentication failures
Disconnected from 192.168.86.254 port 22
```

The `/etc/pam.d/sshd` config has the arguments: `nullok echo_verification_code grace_period=300`

I'm basically locked out of all the accounts (some of which don't have 2FA activated) and have to manually get on to fix this. Is it intended behavior or a bug?

ThomasHabets commented 4 years ago

You need to check logs to get more information about what could be wrong. And also, in order for anyone to help, you need to provide your `/etc/ssh/sshd_config` and ideally the full `/etc/pam.d/sshd` file.

GGEZLOLLLLLLLLLLLLLLLLXD commented 4 years ago

The logs state that `grace_period=300` is an unrecognized argument. Removing this argument from the `/etc/pam.d/sshd` file makes ssh logins successful; however, I still want to include a grace period argument.

The `/etc/pam.d/sshd` is the default file, with the line `auth required pam_google_authenticator.so nullok echo_verification_code grace_period=300` appended to it.

/etc/ssh/sshd_config: (I've deleted all comments)

```
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
```

One more offtopic question: Is there a way to change the length of backup codes (or make them alphanumeric)?

ThomasHabets commented 4 years ago

grace_period is a fairly new feature. Where does your pam_google_authenticator.so come from? Maybe you have two on your system and you're using an older one by mistake?

GGEZLOLLLLLLLLLLLLLLLLXD commented 4 years ago

I installed it yesterday morning through `sudo apt update` and `sudo apt install libpam_google_authenticator`.

ThomasHabets commented 4 years ago

Yeah, that may not be new enough. I don't know. What version is that? Has to be at least 1.06.

GGEZLOLLLLLLLLLLLLLLLLXD commented 4 years ago

Not quite sure, `sudo apt-cache policy libpam-google-authenticator` returns this:

```
libpam-google-authenticator:
  Installed: 20170702-2
  Candidate: 20170702-2
  Version table:
 *** 20170702-2 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status
```

ThomasHabets commented 4 years ago

Yeah 1.06 is from 2019, so if that "2017" is accurate then you need a newer version.
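
An added example, not part of the thread or the project's code: a pre-deployment check that reads a PAM service file and reports `pam_google_authenticator.so` options the installed package is too old for, based on the maintainer's statement above that `grace_period` needs at least 1.06 (from 2019). The function names, the `MIN_VERSION` table and the sample file are constructed for illustration.

```python
import re

# Minimums per the maintainer in this thread: grace_period needs >= 1.06,
# and 1.06 is from 2019. Distro packages may carry date-style versions.
MIN_VERSION = {"grace_period": ((1, 6), 2019)}

PAM_LINE = re.compile(
    r"\s*auth\s+(\[[^\]]*\]|\S+)\s+\S*pam_google_authenticator\.so\b\s*(.*)")

def parse_pam_line(line):
    """Return (control, [options]) for a google-authenticator auth line, else None."""
    m = PAM_LINE.match(line.split("#", 1)[0])
    return (m.group(1), m.group(2).split()) if m else None

def option_supported(option, pkg_version):
    """True/False when the version settles it, None when it cannot be judged."""
    name = option.split("=", 1)[0]
    if name not in MIN_VERSION:
        return None  # the thread gives no minimum for this option
    min_release, min_year = MIN_VERSION[name]
    upstream = pkg_version.split(":", 1)[-1].split("-", 1)[0]  # drop epoch/revision
    m = re.fullmatch(r"(\d{4})\d{4}", upstream)  # date-style, e.g. 20170702
    if m:
        year = int(m.group(1))
        return None if year == min_year else year > min_year
    m = re.fullmatch(r"(\d+)\.(\d+)", upstream)  # release-style, e.g. 1.06
    return (int(m.group(1)), int(m.group(2))) >= min_release if m else None

def audit(pam_text, pkg_version):
    """List options on the module's auth lines that pkg_version is too old for."""
    findings = []
    for lineno, line in enumerate(pam_text.splitlines(), 1):
        control, options = parse_pam_line(line) or (None, [])
        for opt in options:
            if option_supported(opt, pkg_version) is False:
                findings.append(f"line {lineno}: {opt!r} is newer than package "
                                f"{pkg_version} (control: {control})")
    return findings

# Constructed sample: the stock include plus the line quoted in the thread.
SAMPLE_PAM = """\
@include common-auth
auth required pam_google_authenticator.so nullok echo_verification_code grace_period=300
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM, "20170702-2"):
        print(finding)
```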

abhilesh commented 2 years ago

I am in a similar situation and hoping someone can provide some clues about fixing this.

I am running 64-bit Raspberry Pi OS on a Raspberry Pi 4 running headless. Here are the steps I followed to add 2FA to my account:

```
sudo apt install libpam-google-authenticator
```

```
google-authenticator
```

```
sudo cp /etc/pam.d/sshd !#$.dist
sudo nano /etc/pam.d/sshd
```

This is the edit I made in the `/etc/pam.d/sshd` (in order to be asked the verification code before the password):

```
auth required pam_google_authenticator.so

@include common-auth
```

Added the authenticator account to Authy.

Now, when I try to ssh back into the pi from a local computer, I get stuck at the `Permission denied, please try again` loop.

ssh pi@192.168.1X.X gives the following output where it gets stuck

```
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
pi@192.168.1.2's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
pi@192.168.1.2's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
pi@192.168.1.2's password:
```

I've tried using my old password, the default password, Authy authentication code, scratch code at this stage but they all lead to the error.

I also don't know why it doesn't ask me about the verification code before the password as I have it configured in the /etc/pam.d/sshd file.

What steps should I try to fix the permission denied errors?

ThomasHabets commented 2 years ago

Different issue as you don't use grace period.

I'm locking this issue. File new with the extra info I asked for in my first comment on this issue. And see what extra info you see with debug option added.