google / google-authenticator-libpam

Apache License 2.0

[Help] sudo failed just after installing google-authenticator-libpam and modifying /etc/pam.d/sshd #189

Closed iapyeh closed 3 years ago

iapyeh commented 3 years ago

I read in someone's article that, roughly speaking, there are 4 steps for installation:

  1. sudo apt-get install libpam-google-authenticator
  2. sudo vim /etc/pam.d/sshd to add: auth required pam_google_authenticator.so
  3. sudo vim /etc/ssh/sshd_config # no -> yes ChallengeResponseAuthentication yes
  4. sudo /etc/init.d/ssh restart

I have completed steps 1 and 2. Then I cannot move to step 3, because I am not able to "sudo" any more. All sudoers on the system fail to sudo. I am sure all passwords are correct. I have no idea where it went wrong.

I would appreciate your kind suggestions.

ThomasHabets commented 3 years ago

If step 2 affected your ability to sudo, then either you didn't edit /etc/pam.d/sshd (maybe common-auth?), or something is seriously wrong with your PAM config unrelated to this PAM module.

Too late now, but for the future: while editing PAM configs, always keep a root shell open as a fallback.

If you have the root password maybe you can run su. If not, then regaining root is more of a Linux support question than about this PAM module.

iapyeh commented 3 years ago

I am lucky that I solved this problem by:

  1. A user A can log in with an SSH key.
  2. A logs in and runs the google-authenticator binary, then scans the QR code with the Google Authenticator app to add a new item to the app.
  3. A calls "sudo ls" and gives the verification code. It works like a charm.
  4. A runs vi /etc/pam.d/sshd, adding "nullok" so that the line reads "auth required pam_google_authenticator.so nullok".

Well, what I learned is that on my server (OS: Debian GNU/Linux 10 (buster)), this command, "sudo apt-get install libpam-google-authenticator", simply enables this feature in one step.

ThomasHabets commented 3 years ago

Uh, that doesn't sound right. I run Debian and I've never encountered this. Can you grep /etc/pam.d/* for google?
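An added helper, not code from the google-authenticator-libpam project or from either commenter, that performs the grep suggested above across a whole pam.d directory and, for every hit, also reports which other service files pull that file in through "@include"/"include" (the way Debian's sudo includes common-auth). The directory argument and the output format are this example's own choices.

```shell
# Constructed example: audit a pam.d directory for pam_google_authenticator.so.
# For each service file that loads the module it prints the control flag,
# whether nullok is set, the module type, and which other service files
# include it. A hit in common-auth (or another file that sudo includes) means
# sudo also prompts for a verification code; without nullok, every user who
# has not yet run google-authenticator is locked out of sudo.
pam_ga_audit() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        # drop comments, squeeze whitespace, keep only lines that load the module
        sed 's/#.*//' "$f" | tr -s ' \t' ' ' | grep 'pam_google_authenticator\.so' |
        while IFS= read -r line; do
            set -- $line                      # $1 = module type (auth, account, ...)
            case " $line " in
                *" nullok "*) nullok=nullok ;;
                *)            nullok=no-nullok ;;
            esac
            # the control is whatever sits between the type and the module name,
            # which also covers bracketed controls such as [success=ok default=die]
            ctl=${line#*$1}
            ctl=${ctl%%pam_google_authenticator.so*}
            ctl=${ctl# }; ctl=${ctl% }
            # find service files that include this one (Debian: "@include common-auth")
            inc=""
            for g in "$dir"/*; do
                [ -f "$g" ] || continue
                grep -qE "^[[:space:]]*@?include[[:space:]]+$svc([[:space:]]|$)" "$g" \
                    && inc="$inc $(basename "$g")"
            done
            printf '%s %s %s %s included-by:%s\n' "$svc" "$ctl" "$nullok" "$1" "${inc:- none}"
        done
    done
}

# Usage: pam_ga_audit             # audits /etc/pam.d
#        pam_ga_audit /some/dir   # audits a copy or a test directory
```

A line such as `common-auth required no-nullok auth included-by: login sshd sudo` is the lockout pattern from this thread; `sshd required nullok auth included-by: none` is the intended configuration.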