google / google-authenticator-libpam

Apache License 2.0

MacOS Monterey 12.0.1 Screensaver_la displays password login instead of verification code #206

Open scope2229 opened 2 years ago

scope2229 commented 2 years ago

After installing with home and adding auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok to /etc/pam.d/screensaver_la, the login screen redirects to password input. If I enter the code there, you get password wrong. If you enter your password, it also says password wrong.

If I add to /etc/pam.d/sudo the authenticator works as intended.

ThomasHabets commented 2 years ago

I'm not following. Please be precise in all the steps and configuration. And also add debug option and attach relevant log lines.

scope2229 commented 2 years ago

Fresh MacOS Monterey 12.0.1

Install google-authenticator-libpam with brew install google-authenticator-libpam

Run google-authenticator, register with Authy on mobile device

Configure PAM files to use 2FA:

1: /etc/pam.d/sudo with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok at the end of the file.
(Outcome) Run sudo nano /etc/pam.d/sudo in a new terminal instance. Enter password. After, 2FA requests code. Inputting code from mobile device returns success and opens the file.

2: /etc/pam.d/login with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok at the end of the file.
(Outcome) Reboot or log out from user. Log in with password. Here I expect a request for a 2FA code with successful password entry. Actual outcome is the screen goes blank, refreshes, and shows a login with password request form. Entering the 2FA code instead of the password results in failure, wrong password. Entering the correct password results in wrong password. Reboot into recovery, edit login PAM file to restore login functionality.

3: /etc/pam.d/screensaver with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok at the end of the file.
(Outcome) Same outcome as 2.

4: /etc/pam.d/screensaver_la with auth required /opt/homebrew/lib/security/pam_google_authenticator.so nullok at the end of the file.
(Outcome) Same outcome as 2.

I'll try adding the debug option once I finish work and upload the logs.

scope2229 commented 2 years ago

Sorry, on a Mac where are the logs located?

ThomasHabets commented 2 years ago

Don't know. I've not used a mac since the mid 90s.
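
An added example, not part of the thread or the project's own code: a small Python check that reports where the pam_google_authenticator.so line from the steps above sits in a service's auth stack and whether the debug option the maintainer asks for is set. The file contents are constructed samples, the function names are hypothetical, and the parser assumes one-word control flags.

```python
MODULE = "pam_google_authenticator.so"

# Constructed samples for illustration, not dumps of real macOS files.
SAMPLE_SUDO = """\
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
auth       required       /opt/homebrew/lib/security/pam_google_authenticator.so nullok
"""
SAMPLE_SCREENSAVER_LA = """\
auth       required       pam_opendirectory.so
auth       required       /opt/homebrew/lib/security/pam_google_authenticator.so nullok debug
"""

def parse_pam(text):
    """Return (type, control, module_path, options) for each rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:  # assumes one-word control flags, no [..] syntax
            rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def audit(service, text):
    """Describe each pam_google_authenticator.so entry in the auth stack."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    findings = []
    for pos, (_, control, path, opts) in enumerate(auth, start=1):
        if path.rsplit("/", 1)[-1] != MODULE:
            continue
        findings.append({
            "service": service,
            "position": f"{pos}/{len(auth)}",
            "control": control,
            "debug": "debug" in opts,    # logging option requested in the thread
            "nullok": "nullok" in opts,  # users without a secret file are let through
            # An earlier 'sufficient' module that succeeds ends the stack
            # before the verification-code module is ever consulted.
            "bypassed_by": [p for _, c, p, _ in auth[:pos - 1] if c == "sufficient"],
        })
    return findings

if __name__ == "__main__":
    for name, text in (("sudo", SAMPLE_SUDO), ("screensaver_la", SAMPLE_SCREENSAVER_LA)):
        for finding in audit(name, text):
            print(finding)
```

Running the same audit over each edited file under /etc/pam.d gives a compact summary of the configuration to attach to a report alongside the log lines.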