google / google-authenticator-libpam

Apache License 2.0

Can't login with Two-Factor authentication #63

Closed Daniel1015 closed 7 years ago

Daniel1015 commented 7 years ago

I have installed google-authenticator on my CentOS 6 server. Then I modified /etc/pam.d/sshd as follows:

%PAM-1.0
auth required pam_google_authenticator.so debug nullok
auth include password-auth
account include password-auth
password include password-auth
session include password-auth

Then I edited /etc/ssh/sshd_config and restarted the sshd service:

UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM yes

Then I executed ./google_authenticator and confirmed the file status:

cat /home/sclin/.google_authenticator

& & & & & & &
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
45997745
90345583
34636348
39369681
84204684

ls -la /home/sclin/.google_authenticator

-r--------. 1 sclin sclin 118 May 15 15:29 /home/sclin/.google_authenticator

When I try to log in to my server, it shows the following error message:

login as: sclin
Using keyboard-interactive authentication.
Verification code: (Enter the Code from cellphone app)
Using keyboard-interactive authentication.
Password: (Enter user password)
Access denied
Using keyboard-interactive authentication.
Verification code:

The code and password are correct, but I still can't log in. I tried to trace /var/log/secure:

May 15 16:25:15 sshd(pam_google_authenticator)[10219]: debug: start of google_authenticator for "sclin"
May 15 16:25:15 sshd(pam_google_authenticator)[10219]: Secret file permissions are 0400. Allowed permissions are 0600
May 15 16:25:15 sshd(pam_google_authenticator)[10219]: debug: "/home/sclin/.google_authenticator" read
May 15 16:25:15 sshd(pam_google_authenticator)[10219]: debug: shared secret in "/home/sclin/.google_authenticator" processed
May 15 16:25:35 sshd(pam_google_authenticator)[10219]: debug: no scratch code used from "/home/sclin/.google_authenticator"
May 15 16:25:35 sshd(pam_google_authenticator)[10219]: Accepted google_authenticator for sclin
May 15 16:25:35 sshd(pam_google_authenticator)[10219]: Failed to update secret file "/home/sclin/.google_authenticator"
May 15 16:25:40 sshd(pam_google_authenticator)[10227]: debug: start of google_authenticator for "sclin"
May 15 16:25:40 sshd(pam_google_authenticator)[10227]: Secret file permissions are 0400. Allowed permissions are 0600
May 15 16:25:40 sshd(pam_google_authenticator)[10227]: debug: "/home/sclin/.google_authenticator" read
May 15 16:25:40 sshd(pam_google_authenticator)[10227]: debug: shared secret in "/home/sclin/.google_authenticator" processed

Please help me check if there is anything wrong? Thanks!!

akerl commented 7 years ago

It says the issue right in the logs:

May 15 16:25:35 sshd(pam_google_authenticator)[10219]: Failed to update secret file "/home/sclin/.google_authenticator"
May 15 16:25:40 sshd(pam_google_authenticator)[10227]: Secret file permissions are 0400. Allowed permissions are 0600
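The two log lines quoted above are the ones worth alerting on in /var/log/secure. As an added example (not part of this thread and not code from the google-authenticator-libpam project), the following shell/awk function groups pam_google_authenticator messages by PAM session PID and reports, per session, whether the code was accepted but the secret file could not be rewritten, which is the pattern that ends in "Access denied" in this thread. The log lines in SAMPLE_LOG are constructed for the example, modelled on the thread's output; the third session is a made-up clean one for contrast.

```shell
#!/bin/sh
# Added example: triage pam_google_authenticator lines from /var/log/secure.
# Constructed sample input, modelled on the lines quoted in this issue.
SAMPLE_LOG='May 15 16:25:15 sshd(pam_google_authenticator)[10219]: Secret file permissions are 0400. Allowed permissions are 0600
May 15 16:25:35 sshd(pam_google_authenticator)[10219]: Accepted google_authenticator for sclin
May 15 16:25:35 sshd(pam_google_authenticator)[10219]: Failed to update secret file "/home/sclin/.google_authenticator"
May 16 09:07:00 sshd(pam_google_authenticator)[21246]: Secret file permissions are 0600. Allowed permissions are 0600
May 16 09:07:07 sshd(pam_google_authenticator)[21246]: Accepted google_authenticator for sclin
May 16 09:07:07 sshd(pam_google_authenticator)[21246]: Failed to update secret file "/home/sclin/.google_authenticator"
May 18 08:00:01 sshd(pam_google_authenticator)[30001]: Accepted google_authenticator for sclin'

# triage_ga_log: reads log lines on stdin, prints one sorted verdict per PAM
# session PID: "<pid> <user> OK" or "<pid> <user> DENIED ... (<reason>)".
# A session that logged "Accepted" and then "Failed to update secret file"
# is reported as denied, because the module cannot record the used code.
triage_ga_log() {
  awk '
    # Every line carries the PAM session PID in [brackets]; remember it.
    match($0, /\[[0-9]+\]/) { pid = substr($0, RSTART + 1, RLENGTH - 2) }
    # Permission warning: capture the observed mode (e.g. 0400).
    /Secret file permissions are 0[0-7]+\. Allowed permissions are 0600/ {
      split($0, a, "permissions are "); split(a[2], b, "."); perm[pid] = b[1]
    }
    /Accepted google_authenticator for / { accepted[pid] = $NF }
    /Failed to update secret file/      { failed[pid] = 1 }
    END {
      for (p in accepted) {
        if (failed[p]) {
          # Wrong mode is the obvious cause; otherwise the write itself was
          # refused (SELinux label, read-only mount, full disk ...).
          reason = (perm[p] != "" && perm[p] != "0600") ? "mode " perm[p] \
                                                        : "write denied (check SELinux/mount)"
          printf "%s %s DENIED code-ok-but-secret-update-failed (%s)\n", p, accepted[p], reason
        } else {
          printf "%s %s OK\n", p, accepted[p]
        }
      }
    }' | sort
}

# Usage: run the triage over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_ga_log
```

On a real host, replace the sample with `grep pam_google_authenticator /var/log/secure | triage_ga_log`. The "write denied" verdict for PID 21246 is exactly the state Daniel1015 reached after fixing the mode: 0600 is correct, yet the rewrite still fails, so the cause has to be outside file permissions.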

Daniel1015 commented 7 years ago

I tried modifying the file permissions as follows, but I still can't log in. Any suggestions? Thanks!

ls -la /home/sclin/.google_authenticator

-rw-------. 1 sclin sclin 118 May 15 15:29 /home/sclin/.google_authenticator

New log in /var/log/secure:

May 16 09:07:00 sshd(pam_google_authenticator)[21246]: debug: start of google_authenticator for "sclin"
May 16 09:07:00 sshd(pam_google_authenticator)[21246]: Secret file permissions are 0600. Allowed permissions are 0600
May 16 09:07:00 sshd(pam_google_authenticator)[21246]: debug: "/home/sclin/.google_authenticator" read
May 16 09:07:00 sshd(pam_google_authenticator)[21246]: debug: shared secret in "/home/sclin/.google_authenticator" processed
May 16 09:07:07 sshd(pam_google_authenticator)[21246]: debug: no scratch code used from "/home/sclin/.google_authenticator"
May 16 09:07:07 sshd(pam_google_authenticator)[21246]: Accepted google_authenticator for sclin
May 16 09:07:07 sshd(pam_google_authenticator)[21246]: Failed to update secret file "/home/sclin/.google_authenticator"

akerl commented 7 years ago

Is your disk out of space? SELinux perms? disk mounted read-only?

Daniel1015 commented 7 years ago

The disk space is enough; max usage is under 10%.

df -h

Filesystem   Size  Used  Avail  Use%  Mounted on
             50G   2.4G  45G    5%    /
             1.9G  0     1.9G   0%    /dev/shm
             477M  28M   425M   7%    /boot
             351G  508M  332G   1%    /home

Any suggestions on what I should check? Thanks!

ThomasHabets commented 7 years ago

As luck would have it, I've recently improved the error messages for failing to update the secrets file. Could you try again with the current HEAD?

git clone https://github.com/google/google-authenticator-libpam
cd google-authenticator-libpam
./bootstrap.sh
./configure
make
sudo make install

And make sure your pam.d config references the .so now installed in /usr/local/.

Daniel1015 commented 7 years ago

Hi ThomasHabets ,

I tried the steps you listed; the .so file is new:

ls -la /usr/local/lib/security/pam_google_authenticator.so

-rwxr-xr-x. 1 root root 109931 May 17 09:52 /usr/local/lib/security/pam_google_authenticator.so

ls -la /home/sclin/.google_authenticator

-r--------. 1 sclin sclin 136 May 17 09:57 /home/sclin/.google_authenticator

But the result is still the same: Access denied, can't log in.

The log from /var/log/secure is copied below:

May 17 10:01:30 sshd(pam_google_authenticator)[24612]: debug: start of google_authenticator for "sclin"
May 17 10:01:30 sshd(pam_google_authenticator)[24612]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 17 10:01:30 sshd(pam_google_authenticator)[24612]: debug: "/home/sclin/.google_authenticator" read
May 17 10:01:30 sshd(pam_google_authenticator)[24612]: debug: shared secret in "/home/sclin/.google_authenticator" processed
May 17 10:01:39 sshd(pam_google_authenticator)[24612]: debug: scratch code 53634796 used and removed from "/home/sclin/.google_authenticator"
May 17 10:01:39 sshd(pam_google_authenticator)[24612]: Accepted google_authenticator for sclin
May 17 10:01:39 sshd(pam_google_authenticator)[24612]: Failed to update secret file "/home/sclin/.google_authenticator": Permission denied

Any suggestions on what I should check? Thanks!

Daniel1015 commented 7 years ago

Dear All,

After modifying /etc/sysconfig/selinux to set SELINUX=disabled, two-factor authentication works well now!

Thanks for your great help!!

Daniel1015
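The thread shows two separate ways the secret-file rewrite can fail: a 0400 mode (the module rewrites the file after every successful login, for example to remove a used scratch code, as the "used and removed" log line shows) and, once the mode is 0600, an SELinux denial on the write. As an added example, not part of this thread and not code from the google-authenticator-libpam project, the following POSIX shell function checks a user's secret file for the conditions that produced those log lines before anyone has to log in and read /var/log/secure. It reports the SELinux enforcing mode and the file's label when getenforce is present, so a wrong label can be relabelled or allowed by policy instead of turning SELinux off. The function name, its arguments and the use of GNU coreutils stat are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of a ~/.google_authenticator secret file.
# Assumes GNU coreutils stat (Linux). Not part of the libpam project.

# check_secret_file FILE USER
#   Prints one line per finding and returns 0 only when the file exists, is
#   mode 0600 (the mode the module insists on), is owned by USER and is
#   writable by the caller. SELinux state is reported, never changed.
check_secret_file() {
  file=$1
  user=$2
  rc=0
  if [ ! -f "$file" ]; then
    echo "MISSING: $file does not exist (run google-authenticator as $user first)"
    return 1
  fi
  mode=$(stat -c '%a' "$file")
  owner=$(stat -c '%U' "$file")
  if [ "$mode" != "600" ]; then
    # 0400 makes the file readable but not rewritable: "Failed to update secret file"
    echo "MODE: $file is 0$mode, module requires 0600"
    rc=1
  fi
  if [ "$owner" != "$user" ]; then
    echo "OWNER: $file is owned by $owner, expected $user"
    rc=1
  fi
  if [ ! -w "$file" ]; then
    echo "WRITE: $file is not writable by $(id -un); secret updates will fail"
    rc=1
  fi
  # A correctly-moded file can still be unwritable to sshd under SELinux if
  # its label is wrong; report the mode and label so they can be fixed in place.
  if command -v getenforce >/dev/null 2>&1; then
    echo "SELINUX: $(getenforce), file context $(stat -c '%C' "$file")"
  fi
  return $rc
}

# Usage: check the secret file of the user named in this issue.
check_secret_file /home/sclin/.google_authenticator sclin
```

Run it as root after each fix and re-run the login only when it returns 0; on an SELinux host, an "Enforcing" line together with a clean mode/owner/write result points at the label or policy rather than at the file.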

alfnonymous8 commented 4 years ago

I can't log in anymore, what should I do?

ThomasHabets commented 4 years ago

Provide infinitely more details, for one.