google / google-authenticator-libpam

Apache License 2.0

Question: why does google authenticator ask for totp for user which does not exist on system #260

Closed raviteja-b closed 1 week ago

raviteja-b commented 1 week ago

pam_google_authenticator was asking for a TOTP for a user which does not exist on the system, and this user does not have a secret key set up either.

Usually LDAP users do not exist on the system; google authenticator should ignore users which do not exist on the system, so using google authenticator is breaking LDAP users.

pam_google_authenticator: user("prashanth") not found
pam_google_authenticator: No secret configured for user prashanth, asking for code anyway.
pam_google_authenticator: Did not receive verification code from user
pam_google_authenticator: Did not receive verification code from user

How do I disable this behavior in pam_google_authenticator?

ThomasHabets commented 1 week ago

The user doesn't exist and doesn't have a secret key set up, eh?

Maybe a job for pam_succeed_if?

auth [default=1 success=ignore] pam_succeed_if.so quiet uid > 0
auth pam_google_authenticator.so …

(note: this exact config probably skips TOTP for root)

You could try that?

raviteja-b commented 1 week ago

With the above check, it won't look for a TOTP for any system user which has UID > 0; system users will have UIDs like 1000, 1001.

ThomasHabets commented 1 week ago

Alright, so swap to default=ignore success=1?

ThomasHabets commented 1 week ago

Actually, wasn't it right the first time? If UID>0, go to next line?

raviteja-b commented 1 week ago

Yeah, looks like this is right. Let me quickly try.

raviteja-b commented 1 week ago

This config is causing issues for LDAP auth for LDAP users. @ThomasHabets, is there no control flag to tell google authenticator to skip auth for non-existing users?

ThomasHabets commented 1 week ago

What kind of config issues? It should allow you to skip GA for these users.

raviteja-b commented 1 week ago

Yes, it's skipping google-authenticator for the LDAP user, and authentication is not directed to the LDAP module either.

ThomasHabets commented 1 week ago

That shouldn't be the case. default=1 should mean "skip the next one". But if it's not working then that's a PAM question. Check your logs on why it's not skipping as you expect. I'm not a PAM expert.

raviteja-b commented 1 week ago

By the way, this check does not work for me since I don't want to skip the root user as well. @ThomasHabets, can you please suggest whether there is any other alternative approach?

I think google-authenticator should stop looking for a TOTP when there is no secret key; it does not make sense. Google authenticator should skip authentication for users which do not have a secret key set up.

ThomasHabets commented 1 week ago

The reason GA asks for a TOTP even for nonexisting users is partly to fight user enumeration.

But you could also try the nullok option, per the README. But that's not quite the same thing, as it would allow users to log in without TOTP, too.

To fix the root user issue, you could add that it skips the skipping:

auth [success=1 default=ignore] pam_succeed_if.so user = root
auth [default=1 success=ignore] pam_succeed_if.so quiet uid > 0
auth pam_google_authenticator.so …

(untested)
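To see why the two configs above behave differently for root, a local user and an unresolvable (LDAP-only) user, here is a small simulator of Linux-PAM's bracketed control syntax. This is an added example, not code from google-authenticator-libpam or from anyone in this thread. Two labelled assumptions: pam_succeed_if.so is modelled as returning PAM_USER_UNKNOWN for a user NSS cannot resolve (its uid comparison needs a getpwnam lookup), and pam_google_authenticator.so is modelled as always prompting when reached, so the only thing that matters is whether the stack reaches it. The passwd table is constructed for the demo; the nullok option is not modelled.

```python
"""Simulate Linux-PAM control-flag jumps for the auth stacks suggested in this issue.

Added example; not code from google-authenticator-libpam or from the issue thread.
Assumptions: pam_succeed_if.so returns PAM_USER_UNKNOWN for a user NSS cannot
resolve, and pam_google_authenticator.so prompts whenever it is reached.
"""
import re

SUCCESS, AUTH_ERR, USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"

# Constructed sample of what NSS would answer; an LDAP-only user is absent on purpose.
PASSWD = {"root": 0, "alice": 1000}


def succeed_if(user, condition):
    """Model of pam_succeed_if.so for the two conditions used in the thread."""
    if user not in PASSWD:
        return USER_UNKNOWN  # assumption: unresolvable user -> PAM_USER_UNKNOWN
    if condition == "uid > 0":
        return SUCCESS if PASSWD[user] > 0 else AUTH_ERR
    if condition == "user = root":
        return SUCCESS if user == "root" else AUTH_ERR
    raise ValueError(f"unsupported condition: {condition}")


def google_authenticator(user):
    """Model of pam_google_authenticator.so: it prompts, so reaching it is what matters."""
    return SUCCESS


def parse_control(control):
    """'[success=1 default=ignore]' -> {'success': 1, 'default': 'ignore'}."""
    match = re.fullmatch(r"\[(.*)\]", control.strip())
    if match is None:
        raise ValueError(f"expected a bracketed control field: {control}")
    parsed = {}
    for token in match.group(1).split():
        key, value = token.split("=", 1)
        parsed[key] = int(value) if value.isdigit() else value
    return parsed


RC_KEY = {SUCCESS: "success", AUTH_ERR: "auth_err", USER_UNKNOWN: "user_unknown"}


def run_stack(stack, user):
    """Walk an auth stack; an integer action skips that many following modules."""
    ran = []
    index = 0
    while index < len(stack):
        control, name, module = stack[index]
        rc = module(user)
        ran.append((name, rc))
        action = control.get(RC_KEY[rc], control.get("default", "ignore"))
        index += 1
        if isinstance(action, int):
            index += action  # jump: skip the next N modules
    return ran


def modules_run(stack, user):
    """Names of the modules that actually executed for this user, in order."""
    return [name for name, _ in run_stack(stack, user)]


def first_suggestion():
    """The first config in the thread; 'required' written out as its bracket form."""
    return [
        (parse_control("[default=1 success=ignore]"), "pam_succeed_if uid > 0",
         lambda u: succeed_if(u, "uid > 0")),
        (parse_control("[success=ok default=bad]"), "pam_google_authenticator",
         google_authenticator),
    ]


def with_root_exception():
    """The second config: a root check that jumps over the uid check."""
    return [
        (parse_control("[success=1 default=ignore]"), "pam_succeed_if user = root",
         lambda u: succeed_if(u, "user = root")),
    ] + first_suggestion()


if __name__ == "__main__":
    for stack_name, stack in (("first", first_suggestion()),
                              ("root-exception", with_root_exception())):
        for user in ("root", "alice", "prashanth"):
            print(f"{stack_name:15} {user:10} -> {modules_run(stack, user)}")
```

Running it shows the first stack never reaches pam_google_authenticator for root (uid 0 fails the check, and default=1 jumps over the next line), while the second stack reaches it for root and for alice, and skips it only for the unresolvable user. If your real stack does not match this, the jump target is the usual suspect: the integer counts modules, not lines, so every line between the pam_succeed_if check and pam_google_authenticator shifts where the jump lands.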

raviteja-b commented 1 week ago

I did not get it; what do you mean by user enumeration?

ThomasHabets commented 1 week ago

If SSH gives a different response for existing and nonexisting users, then an attacker can guess usernames, and see which ones are real.

raviteja-b commented 5 days ago

Can we keep "auth pam_google_authenticator.so …" at the end of the PAM configuration, so that LDAP or Unix user authentication happens first and then it looks for TOTP authentication?

ThomasHabets commented 5 days ago

Well, in my example I did.

You should be able to configure whatever you want. It's just a matter of configuring PAM for it.