Open scope2229 opened 2 years ago
I'm not following. Please be precise in all the steps and configuration. And also add debug
option and attach relevant log lines.
Fresh macOS Monterey 12.0.1
install google-authenticator-libpam with brew install google-authenticator-libpam
run google-authenticator
register with authy on mobile device
configure pam files to use 2FA
1: /etc/pam.d/sudo
with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok
at the end of the file.
(outcome) run sudo nano /etc/pam.d/sudo
in a new terminal instance. Enter password. After 2FA requests code. Inputting code from mobile device returns success and opens the file.
2: /etc/pam.d/login
with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok
at the end of the file.
(outcome) Reboot or log out from user. Log in with password. Here I expect a request for a 2FA code with successful password entry. Actual outcome is screen goes blank, refreshes, and a login with password request form appears. Entering the 2FA code instead of the password results in failure: wrong password. Entering correct password results in wrong password. Reboot into recovery, edit login PAM file to restore login functionality.
3: /etc/pam.d/screensaver
with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok
at the end of the file.
(outcome) same outcome as 2
4: /etc/pam.d/screensaver_la
with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok
at the end of the file.
(outcome) same outcome as 2
I'll try adding the debug option once I finish work and upload the logs.
Sorry, on a Mac where are the logs located?
Don't know. I've not used a Mac since the mid 90s.
After installing with home and adding
auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok
to /etc/pam.d/screensaver_la causes the login screen to redirect to password input. If I enter the code there, you get password wrong. If you enter your password, it also says password wrong. If I add to /etc/pam.d/sudo, the authenticator works as intended.