google / google-authenticator-libpam

Apache License 2.0
1.76k stars 281 forks

grace_period timestamp not updated in secret file, with no error message #193

Closed roeme closed 3 years ago

roeme commented 3 years ago

I'm not sure whether I'm doing something wrong, but according to the sources and documentation my setup should work. Except, it only does so partially: A (manually added) LAST%d <IP> <time_t> line in my secret file is read and honoured correctly.

If the timestamp is outside the grace_period, the user is prompted for a TOTP code as expected. However, upon successfully entering the code, the aforementioned line is not updated, and hence prompts appear at every subsequent login attempt.

Testing was done mainly under raspbian (armv7) and a bit on debian (x86). Not sure if the arch has any bearing, and a quick glance at the debian sources leads me to believe that there is no further patching done by these distributions.

Debug output for a successful attempt:

Feb  2 23:06:26 rosie sshd(pam_google_authenticator)[26498]: debug: start of google_authenticator for "<USER_REDACTED>"
Feb  2 23:06:26 rosie sshd(pam_google_authenticator)[26498]: debug: Secret file permissions are 0600. Allowed permissions are 0600
Feb  2 23:06:26 rosie sshd(pam_google_authenticator)[26498]: debug: "/home/<USER_REDACTED>/.google_authenticator" read
Feb  2 23:06:26 rosie sshd(pam_google_authenticator)[26498]: debug: shared secret in "/home/<USER_REDACTED>/.google_authenticator" processed
Feb  2 23:06:26 rosie sshd(pam_google_authenticator)[26498]: debug: google_authenticator for host "<IP_REDACTED>"
Feb  2 23:06:26 rosie sshd(pam_google_authenticator)[26498]: within grace period: "<USER_REDACTED>"
Feb  2 23:06:26 rosie sshd(pam_google_authenticator)[26498]: debug: end of google_authenticator for "<USER_REDACTED>". Result: Success

An attempt which should update the grace_period:

Feb  2 23:09:20 rosie sshd(pam_google_authenticator)[27101]: debug: start of google_authenticator for "<USER_REDACTED>"
Feb  2 23:09:20 rosie sshd(pam_google_authenticator)[27101]: debug: Secret file permissions are 0600. Allowed permissions are 0600
Feb  2 23:09:20 rosie sshd(pam_google_authenticator)[27101]: debug: "/home/<USER_REDACTED>/.google_authenticator" read
Feb  2 23:09:20 rosie sshd(pam_google_authenticator)[27101]: debug: shared secret in "/home/<USER_REDACTED>/.google_authenticator" processed
Feb  2 23:09:20 rosie sshd(pam_google_authenticator)[27101]: debug: google_authenticator for host "<IP_REDACTED>"
Feb  2 23:09:27 rosie sshd(pam_google_authenticator)[27101]: debug: no scratch code used from "/home/<USER_REDACTED>/.google_authenticator"
Feb  2 23:09:27 rosie sshd(pam_google_authenticator)[27101]: Accepted google_authenticator for <USER_REDACTED>
Feb  2 23:09:27 rosie sshd(pam_google_authenticator)[27101]: debug: google_authenticator for host "<IP_REDACTED>"
Feb  2 23:09:27 rosie sshd(pam_google_authenticator)[27101]: debug: end of google_authenticator for "<USER_REDACTED>". Result: Success

I can't find any obvious logic errors in the code, but tbh, C really ain't my language.

Thanks in advance for any help!

ThomasHabets commented 3 years ago

Could you provide more info about your configuration, such as the exact line you use in PAM config.

roeme commented 3 years ago

Sure, including all preceding lines:

auth [success=1 default=ignore]  pam_exec.so /usr/sbin/mypamcheck.sh
auth [success=ok default=ignore] pam_unix.so nullok_secure
auth  required  pam_google_authenticator.so debug grace_period=28800

mypamcheck verifies whether sshd has successfully authenticated the user by public key and if so, lets pam skip password authentication and go to google-authenticator.

ThomasHabets commented 3 years ago

Sorry for the delay on this. As always everyone is super busy. :-)

I think I know what the problem is. Could you add updated = 1; between lines 2093 and 2094 in src/pam_google_authenticator.c, recompile, and try again?

roeme commented 3 years ago

> Sorry for the delay on this. As always everyone is super busy. :-)

No worries, I'm getting free support after all, and it's not critical for me.

> I think I know what the problem is. Could you add updated = 1; between lines 2093 and 2094 in src/pam_google_authenticator.c, recompile, and try again?

This did the trick! The file gets updated, and I don't get a verification prompt anymore. Upon manually (for testing) backdating the timestamp outside the grace_period window, I get prompted anew, as expected, and the file is refreshed.

Thanks a bunch for your help! Not sure if you'd like a PR for such a small change?
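The following is an added illustration of the failure mode discussed in this thread, not code from google-authenticator-libpam. It models a secret file held in memory with an `updated` flag that gates the write-back: a successful code entry outside the grace window rewrites the `LAST<n> <IP> <time_t>` entry in the buffer, but the on-disk file only changes when the flag is set, which is exactly the one-line fix above. The `" ` line prefix, the renumbering of kept entries, the type and function names (`secret_t`, `within_grace`, `record_success`, `flush_secret`) and the sample file contents are all assumptions made for the example.

```c
/* Added example (hypothetical, not the project's code): grace-period
 * bookkeeping on an in-memory copy of a secret file, and an "updated"
 * flag that decides whether the copy is ever written back. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SECRET_MAX 4096

typedef struct {
    char buf[SECRET_MAX]; /* in-memory copy of the secret file */
    int updated;          /* must be set or the buffer is never written back */
} secret_t;

/* Parse one option line of the assumed form: " LAST<n> <ip> <time_t> */
static int parse_last(const char *line, char ip[64], long long *ts) {
    int n;
    return sscanf(line, "\" LAST%d %63s %lld", &n, ip, ts) == 3;
}

/* 1 if a LAST line for host is no older than grace seconds, else 0. */
int within_grace(const secret_t *s, const char *host, time_t now, long grace) {
    const char *p = s->buf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            char ip[64];
            long long ts;
            if (parse_last(line, ip, &ts) && strcmp(ip, host) == 0 &&
                (long long)now >= ts && (long long)now - ts <= grace)
                return 1;
        }
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* After a successful code entry: drop any LAST line for host, renumber the
 * ones kept, append a fresh one. mark_updated models the fixed vs. unfixed
 * module: without it the change stays in memory only. Returns 0 or -1. */
int record_success(secret_t *s, const char *host, time_t now, int mark_updated) {
    char out[SECRET_MAX];
    size_t o = 0;
    int idx = 0;
    const char *p = s->buf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        char ip[64];
        long long ts;
        if (parse_last(line, ip, &ts)) {
            if (strcmp(ip, host) != 0) { /* keep entries for other hosts */
                int w = snprintf(out + o, sizeof out - o, "\" LAST%d %s %lld\n", idx++, ip, ts);
                if (w < 0 || (size_t)w >= sizeof out - o) return -1;
                o += (size_t)w;
            }
        } else { /* secret, other options, scratch codes: copied verbatim */
            if (o + len + 1 >= sizeof out) return -1;
            memcpy(out + o, line, len);
            o += len;
            out[o++] = '\n';
        }
        p = nl ? nl + 1 : p + len;
    }
    int w = snprintf(out + o, sizeof out - o, "\" LAST%d %s %lld\n", idx, host, (long long)now);
    if (w < 0 || (size_t)w >= sizeof out - o) return -1;
    o += (size_t)w;
    out[o] = '\0';
    memcpy(s->buf, out, o + 1);
    if (mark_updated) s->updated = 1; /* the line the fix adds */
    return 0;
}

/* Model of the write-back step: 1 if the file was rewritten, 0 if skipped
 * because updated was never set, -1 on overflow. */
int flush_secret(secret_t *s, char *file, size_t filelen) {
    if (!s->updated) return 0;
    size_t n = strlen(s->buf);
    if (n + 1 > filelen) return -1;
    memcpy(file, s->buf, n + 1);
    s->updated = 0;
    return 1;
}

int main(void) {
    /* Constructed sample file; the secret and IP are placeholders. */
    const char *initial = "JBSWY3DPEHPK3PXP\n\" RATE_LIMIT 3 30\n\" TOTP_AUTH\n"
                          "\" LAST0 203.0.113.5 1612300000\n";
    char disk[SECRET_MAX];
    secret_t s = { "", 0 };
    strcpy(disk, initial);
    strcpy(s.buf, initial);
    time_t now = 1612330000; /* 30000 s later: outside a 28800 s grace window */
    printf("prompt needed: %d\n", !within_grace(&s, "203.0.113.5", now, 28800));
    record_success(&s, "203.0.113.5", now, 0);
    printf("unfixed write-back: %d\n", flush_secret(&s, disk, sizeof disk));
    record_success(&s, "203.0.113.5", now, 1);
    printf("fixed write-back: %d\n", flush_secret(&s, disk, sizeof disk));
    return 0;
}
```

The symptom in the debug logs above matches the unfixed path: the code is accepted, the in-memory buffer is changed, but the file on disk is identical afterwards, so the next login is prompted again.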

ThomasHabets commented 3 years ago

Thanks for confirming all of the pass/fail scenarios!