google / google-authenticator-libpam

Apache License 2.0

Debugging options after finished setup #203

Closed Syndesi closed 2 years ago

Syndesi commented 2 years ago

Hi,

is there a way to manually check the OTP key generation after the setup has finished? The reason is that I tried to install it under Fedora 34 / Gnome 40 by adding auth required pam_google_authenticator.so to the file /etc/pam.d/gdm-password and I just cannot log into Gnome any more. Once I change the line to auth sufficient pam_google_authenticator.so Gnome lets me log in, though I can use any string for the OTP stage as long as the user password is correct.

Regards, Sören Klein

ThomasHabets commented 2 years ago

Any time you change any login stuff, including PAM stuff, you should have a spare root shell as your backup. And try to log in again (and gain root) before logging that root shell out.

I think that's the only proper way to test it. There are so many things that can go wrong with SSH config, login manager config, PAM config, your OTP, your system clock, your phone, etc… There's no way to simulate all that.

Syndesi commented 2 years ago

Thank you for the quick reply. I am not using SSH, it's for the desktop manager only (Gnome 40). I have root shell access to the system and I can correct bad configurations. Password, OTP and system clock are correct. Smartphone (Authy on Android) should not be the problem either - I can use it successfully for my work laptop (similar setup, though using Ubuntu LTS 20.04) and the setup task "enter code from app (-1 to skip)" is successful on the Fedora device. Btw, I found out that the emergency scratch codes do not work either.

Regarding my main question: there is currently no way to verify a finished setup directly, e.g. with google-authenticator verify? I would just like to rule out problems with this library under Fedora - although all things considered it is more likely a problem with the OS / my configuration.

ThomasHabets commented 2 years ago

The equivalent for local logins is to press Ctrl-Alt-F3 or similar to get a console login, and log that in as root.

When you set up TOTP google-authenticator will ask you for a code before completing. That's the closest thing to confirming the Google Authenticator part of it.

The verification flow you ask for would only be useful as a second step, to check a very tiny problem space. There would be no point to doing it unless a full login was first tried and failed.

None of the components are likely to be broken. Authy is great, Android is great (sometimes Samsung screws this up with timezones and time corrections), PAM is great, Linux is great, SSH is great, etc… The problem is likely to be with the configuration, and/or the interface between the components.

This PAM module works. It's not like it doesn't. So if the module says no, that means it's not being passed the right input. A test where it is passed the right input seems kinda pointless.

I think you're thinking of a way to troubleshoot a failure with configs that's not actually the best way to do it. The best way is probably to turn on debugging on the module, and check the logs.
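The narrow check Syndesi asked for (does the code the phone shows match what the state file plus the system clock imply?), as an added example that is not part of this thread or of the project's own code. It assumes the ~/.google_authenticator layout of a base32 secret on the first line, option lines beginning with a double quote, then one scratch code per line, and uses the RFC 6238 test secret as constructed input; as the maintainer notes, a match here only rules out the secret-and-clock part, not the PAM wiring.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the ~/.google_authenticator layout (RFC 6238 test secret,
# not a real user's file): secret, then '" ' option lines, then scratch codes.
SAMPLE_STATE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_state(text):
    """Split a state file into (base32 secret, option strings, scratch codes)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret = lines[0]
    options = [l[1:].strip() for l in lines[1:] if l.startswith('"')]
    scratch = [l for l in lines[1:] if not l.startswith('"')]
    return secret, options, scratch

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm the module uses in TOTP mode."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def expected_codes(text, unix_time):
    """Codes the module would accept at unix_time, honouring WINDOW_SIZE (default 3)."""
    secret, options, _ = parse_state(text)
    window_size = 3
    for opt in options:
        if opt.startswith("WINDOW_SIZE"):
            window_size = int(opt.split()[1])
    half = window_size // 2  # WINDOW_SIZE counts 30 s intervals centred on "now"
    return [totp(secret, unix_time + 30 * i) for i in range(-half, half + 1)]

if __name__ == "__main__":
    # Compare with what the phone shows for the same secret and a correct clock.
    print("accepted now:", expected_codes(SAMPLE_STATE_FILE, time.time()))
```

If the phone's code is not in the printed list, the secret or a clock is wrong; if it is, the remaining suspects are the PAM stack and the display manager, which is where the module's debug logging applies.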