google / google-authenticator-libpam

Apache License 2.0

Frequent issues with MFA - Invalid verification code #229

Closed sophallee closed 1 year ago

sophallee commented 1 year ago

I am frequently getting issues with SSH and Google authenticator. Sometimes I need to enter the verification twice; other times it takes ten tries to get it to work. It used to work just once before but now it takes multiple tries.

Chronyd and NTP have been installed on the server, so the time should be synchronised.

Here are the SSH logs:

Apr 28 15:20:59 q03pmds sshd[95492]: pam_unix(sshd:auth): unrecognized option [no_warn]
Apr 28 15:21:04 q03pmds sshd(pam_google_authenticator)[95492]: Invalid verification code for cms
Apr 28 15:21:06 q03pmds sshd[95490]: error: PAM: Authentication failure for cms from 113.220.33.220
Apr 28 15:21:06 q03pmds sshd[95490]: Connection closed by 113.220.33.220 port 27358 [preauth]
Apr 28 15:21:09 q03pmds sshd[95523]: warning: /etc/hosts.allow, line 12: can't verify hostname: gethostbyname(113-220-33-220.tpgi.com.au) failed
Apr 28 15:21:10 q03pmds sshd[95523]: reverse mapping checking getaddrinfo for 113-220-33-220.tpgi.com.au [113.220.33.220] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 28 15:21:10 q03pmds sshd[95528]: pam_unix(sshd:auth): unrecognized option [no_warn]
Apr 28 15:21:16 q03pmds sshd(pam_google_authenticator)[95528]: Invalid verification code for cms
Apr 28 15:21:18 q03pmds sshd[95523]: error: PAM: Authentication failure for cms from 113.220.33.220
Apr 28 15:21:18 q03pmds sshd[95523]: Connection closed by 113.220.33.220 port 27364 [preauth]
Apr 28 15:21:22 q03pmds sshd[95595]: warning: /etc/hosts.allow, line 12: can't verify hostname: gethostbyname(113-220-33-220.tpgi.com.au) failed

Here's the entry in /etc/pam.d/sshd

auth    required      pam_unix.so    no_warn try_first_pass
auth    required      pam_google_authenticator.so

Here's snippets of the SSHD config file:

ChallengeResponseAuthentication yes

Match User cms
    AuthenticationMethods keyboard-interactive

ThomasHabets commented 1 year ago

> the time should be synchronised

Did you confirm it? ntpdate -q pool.ntp.org?

It really sounds like either your computer or the app(?) you're using has the wrong time set.

What is generating the code on the client side?

sophallee commented 1 year ago

The delay isn't too great:

[root@cms slee]# ntpdate -q pool.ntp.org
server 139.180.160.82, stratum 2, offset -0.025777, delay 0.04787
server 67.219.100.202, stratum 2, offset -0.026687, delay 0.05949
server 162.159.200.123, stratum 3, offset -0.025012, delay 0.03571
server 103.76.40.123, stratum 3, offset -0.025579, delay 0.04906
 1 May 09:54:55 ntpdate[177428]: adjust time server 139.180.160.82 offset -0.025777 sec

The issue is happening with Devolution Remote Desktop Manager, PuTTY, WinSCP and Linux SSH. It seems to be less problematic with Linux SSH though.

I get different error codes such

ThomasHabets commented 1 year ago

The time set on the phone may be wrong too. You never said what is generating the code on the client side.

sophallee commented 1 year ago

Problem occurs with the MFA code obtained from the Google Authenticator app on the phone, Devolution Remote Desktop Manager and the application on the desktop.

sophallee commented 1 year ago

Issue is related to the time discrepancy between the laptop and time server. Devolution RDM and desktop application are using the same time, and MFA codes are the same. MFA code obtained from terminal server and phone works with issues.

I'll need to sync my laptop with an NTP server. Thanks for the guidance.

ThomasHabets commented 1 year ago

Heh. Thanks for the followup.

You're not the first to have it be due to time not being set correctly: https://twitter.com/thomashabets/status/1133780752582217728
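The clock-skew cause found in this thread, as an added example that is not part of the original issue or the project's code: an RFC 6238 TOTP generator and verifier showing why a client clock that is 30 to 60 seconds off fails only some of the time. It assumes a verifier that accepts the current 30-second step plus one step either side; `skew_steps`, `acceptance_rate` and the sample timestamp are this example's own names and values, and the key is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
RFC_TEST_KEY = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 test key


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = int(unix_time // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: float, skew_steps: int = 1) -> bool:
    """Accept a code for the server's current step or skew_steps either side.

    skew_steps=1 is an assumption of this example, not read from any config.
    """
    return any(
        hmac.compare_digest(totp(secret, server_time + d * STEP), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def acceptance_rate(secret: bytes, client_offset: int, skew_steps: int = 1,
                    start: int = 1_700_000_000) -> float:
    """Fraction of attempts accepted, one attempt per second across a full
    step, when the client clock runs client_offset seconds ahead of the server.
    start is a constructed sample timestamp."""
    accepted = sum(
        verify(secret, totp(secret, t + client_offset), t, skew_steps)
        for t in range(start, start + STEP)
    )
    return accepted / STEP


if __name__ == "__main__":
    for offset in (0, 20, 45, -45, 90):
        rate = acceptance_rate(RFC_TEST_KEY, offset)
        print(f"client offset {offset:+4d}s -> {rate:.0%} of attempts accepted")
```

A 45-second offset lands one step away for half of each 30-second period and two steps away for the other half, so logins succeed or fail depending on when in the period the code is typed.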