google / google-authenticator-libpam

Apache License 2.0

Always ask for OTP code if nullok has not been set #70

Closed nielsbasjes closed 7 years ago

nielsbasjes commented 7 years ago

Basic solution for #69 that works on my machine. Note that I have not yet fixed the tests (so a make test will fail).

With this, when I try to log in to a non-existing user, I see this on the screen:

$ ssh foo@192.168.56.102
Give me the code: 123456
Password: 
Give me the code: 

and this in the logs:

Aug 17 15:25:01 localhost sshd[14263]: Invalid user foo from 192.168.56.1
Aug 17 15:25:01 localhost sshd[14263]: input_userauth_request: invalid user foo [preauth]
Aug 17 15:25:01 localhost sshd(pam_google_authenticator)[14265]: debug: start of google_authenticator for "foo"
Aug 17 15:25:01 localhost sshd(pam_google_authenticator)[14265]: Failed to read "/var/lib/google-authenticator/foo" for "foo"
Aug 17 15:25:01 localhost sshd(pam_google_authenticator)[14265]: No secret configured for user foo, asking for code anyway.
Aug 17 15:25:01 localhost sshd[14263]: Postponed keyboard-interactive for invalid user foo from 192.168.56.1 port 50578 ssh2 [preauth]
Aug 17 15:25:03 localhost sshd(pam_google_authenticator)[14265]: Dummy password supplied by PAM. Did OpenSSH 'PermitRootLogin <anything but yes>' or some other config block this login?
Aug 17 15:25:03 localhost sshd(pam_google_authenticator)[14265]: Dummy password supplied by PAM. Did OpenSSH 'PermitRootLogin <anything but yes>' or some other config block this login?
Aug 17 15:25:03 localhost sshd(pam_google_authenticator)[14265]: Invalid verification code for foo
Aug 17 15:25:03 localhost sshd[14263]: Postponed keyboard-interactive/pam for invalid user foo from 192.168.56.1 port 50578 ssh2 [preauth]
Aug 17 15:25:04 localhost sshd[14265]: pam_unix(sshd:auth): check pass; user unknown
Aug 17 15:25:04 localhost sshd[14265]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Aug 17 15:25:06 localhost sshd[14263]: error: PAM: Authentication failure for illegal user foo from 192.168.56.1
Aug 17 15:25:06 localhost sshd[14263]: Failed keyboard-interactive/pam for invalid user foo from 192.168.56.1 port 50578 ssh2

nielsbasjes commented 7 years ago

I also changed the noskewadj test because that was not using any of the set properties (use_first_pass, try_first_pass, etc.).

nielsbasjes commented 7 years ago

P.S. Please squash these commits before putting this in. Thanks.
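
To check from auth logs that unknown users are still walked through the OTP prompt, the following added example (not part of this PR or the project's code) parses the message formats shown in the log from the first comment. The `bar` line is constructed, and the function and event names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the first comment above (user "foo"), plus one
# constructed sshd line for a hypothetical user "bar" with no OTP prompt.
SAMPLE_LOG = """\
Aug 17 15:25:01 localhost sshd[14263]: Invalid user foo from 192.168.56.1
Aug 17 15:25:01 localhost sshd(pam_google_authenticator)[14265]: No secret configured for user foo, asking for code anyway.
Aug 17 15:25:03 localhost sshd(pam_google_authenticator)[14265]: Invalid verification code for foo
Aug 17 15:25:06 localhost sshd[14263]: Failed keyboard-interactive/pam for invalid user foo from 192.168.56.1 port 50578 ssh2
Aug 17 15:26:10 localhost sshd[14301]: Invalid user bar from 192.168.56.1
"""

# Event name -> pattern; group 1 is the user name, group 2 (if any) the source.
PATTERNS = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)"),
    "prompt_without_secret": re.compile(r"\(pam_google_authenticator\)\[\d+\]: No secret configured for user (\S+), asking for code anyway"),
    "code_rejected": re.compile(r"\(pam_google_authenticator\)\[\d+\]: Invalid verification code for (\S+)"),
    "login_failed": re.compile(r"sshd\[\d+\]: Failed keyboard-interactive/pam for invalid user (\S+) from (\S+)"),
}


def summarize(log_text):
    """Return {user: {"events": [names in log order], "sources": {ips}}}."""
    users = defaultdict(lambda: {"events": [], "sources": set()})
    for line in log_text.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                entry = users[match.group(1)]
                entry["events"].append(name)
                if match.lastindex == 2:
                    entry["sources"].add(match.group(2))
                break
    return dict(users)


def unprompted_invalid_users(summary):
    """Invalid users with no 'asking for code anyway' line in the log."""
    return sorted(user for user, info in summary.items()
                  if "invalid_user" in info["events"]
                  and "prompt_without_secret" not in info["events"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user, info in report.items():
        print(user, info["events"], sorted(info["sources"]))
    print("not prompted:", unprompted_invalid_users(report))
```

A user that appears in the `unprompted_invalid_users` result was rejected without the code prompt, so its login flow differs visibly from that of an account with a configured secret.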