Closed bramuno closed 1 month ago
akerl
commented
1 month ago If you're not seeing any logs for PAM activity, either you're looking in the wrong log file or the auth flow isn't hitting PAM.
Are you being prompted for a TOTP code? If so, add the debug flag and go find where the logs are going.
bramuno
commented
1 month ago thanks, what i mean is the initial registration is not producing any logs during the registration process. if i actually try to authenticate using the code, it rejects it same as it did during registration (see below). the screen shot here shows it's trying to validate but rejects the code.
auth.log:
2024-08-05T09:33:01.609822-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: start of google_authenticator for "test" 2024-08-05T09:33:01.610721-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: Secret file permissions are 0400. Allowed permissions are 0600 2024-08-05T09:33:01.610839-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: "/home/test/.google_authenticator" read 2024-08-05T09:33:01.610871-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: shared secret in "/home/test/.google_authenticator" processed 2024-08-05T09:33:01.610905-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: google_authenticator for host "(null)" 2024-08-05T09:33:08.008604-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: no scratch code used from "/home/test/.google_authenticator" 2024-08-05T09:33:08.015025-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: time skew adjusted 2024-08-05T09:33:08.015138-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: Invalid verification code for test 2024-08-05T09:33:08.018093-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: "/home/test/.google_authenticator" written 2024-08-05T09:33:08.018158-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: end of google_authenticator for "test". Result: Authentication failure
syslog:
2024-08-05T09:33:08.008604-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: no scratch code used from "/home/test/.google_authenticator" 2024-08-05T09:33:08.015025-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: time skew adjusted 2024-08-05T09:33:08.015138-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: Invalid verification code for test 2024-08-05T09:33:08.018093-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: "/home/test/.google_authenticator" written 2024-08-05T09:33:08.018158-07:00 ubuntu24 gdm-password(pam_google_authenticator)[2994]: debug: end of google_authenticator for "test". Result: Authentication failure
akerl
commented
1 month ago Registration doesn't actually interact with PAM at all; it's just a CLI to manage creation of the .google_authenticator file.
If the validation is failing there, something is wrong with your server clock or your phone clock, or you're entering the wrong code.
bramuno
commented
1 month ago ugh, you are correct the date was off, thanks
Hello, I have installed two new VMs, a ubuntu 22.04 and ubuntu 24.04 and ran the same google-authenticator command on each server. i am using the same phone app to register the QR code.
i registered the ubuntu 22 server's QR code successfully and validated on the first try. But after registering the 24.04 server, it refuses to validate the code my phone is providing after scanning the QR.
I have verified the time is correct as it matches both NTP and the ubuntu 22 server have the same time.
'sestatus' says selinux is disabled.
when running the google-authenticator command, there is no activity in the /var/log/syslog or auth.log file even if i use the -1 option to skip verification. I also tried enabling debug mode, but it didn't provide anything.
i have tried it several times and always the same result.
config file adjusted is /etc/pam.d/common-auth
Environment