google / google-authenticator-libpam

Apache License 2.0

How to correctly handle invalid verification code from a user #190

Closed Vasar007 closed 3 years ago

Vasar007 commented 3 years ago

Hello!

I successfully use awesome google-authenticator-libpam library in my project. However, there is one case which I do not know how to solve in a proper way.

For example:

  1. User tries to authenticate and specifies both a valid username and password.
  2. User has MFA and PAM asks user about verification code.
  3. User specifies invalid verification code.
  4. App shows error to user.
  5. ..?

So, how to correctly handle invalid verification code from a user? Should I initiate another PAM transaction? Or is there some way to pass new verification code to the current conversation function? Can the conversation function run in a loop and accept new verification codes until the maximum number of retries is reached, for example?

ThomasHabets commented 3 years ago

This sounds like a PAM best practices question. I don't know. Check with PAM people, and if they say this project should support something, then we can look into adding that.

Vasar007 commented 3 years ago

@ThomasHabets, can the Google Authenticator PAM module ask for repeated entry of the verification code? Can it invoke the conversation function multiple times?

As far as I know, the default behavior returns an error on the first invalid verification code. Are there any configuration options to change this?

ThomasHabets commented 3 years ago

Like I said, I don't know. Both in terms of what's possible and what's considered best practice for PAM. Maybe the standard way to do this is to list the module multiple times in your PAM config, and have success skip remaining ones.
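The stacking approach mentioned above, written out as an added example PAM fragment (it is not from the project, the README, or this thread). It assumes Linux-PAM control syntax, that pam_unix.so already handled the password step, and that the module is installed as pam_google_authenticator.so:

```pam
# Added example, not project code: give the user up to three attempts at the
# verification code by listing the module three times. A success skips the
# remaining copies ("success=N" jumps over the next N lines); a failure is
# ignored so the next copy prompts again. Only the last copy is "required",
# so three wrong codes in a row still fail the whole auth stack and are logged.
auth required                   pam_unix.so
auth [success=2 default=ignore] pam_google_authenticator.so
auth [success=1 default=ignore] pam_google_authenticator.so
auth required                   pam_google_authenticator.so
```

Each line is a separate module invocation, so the user is prompted separately for every attempt; the number of copies is the retry limit, so keep it small.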

Vasar007 commented 3 years ago

@ThomasHabets, I asked about the Google Authenticator PAM module again because of this comment in the linux-pam repo. In short, interaction with the conversation function fully depends on the PAM module.

It sounds like the Google Authenticator PAM module can (in theory) ask for repeated entry of the verification code. But now (in the current version), are there any configuration options to enable this behavior? I cannot find any configuration options for this in the README (except the trick with the PAM config you mentioned). Does that mean that the module can only ask once for the verification code?