google / google-authenticator-libpam

Apache License 2.0

ssh, no verification password requested and fails #97

Open leoindra86 opened 6 years ago

leoindra86 commented 6 years ago

Here is my configuration. It doesn't ask for the verification password. First I give the verification password and then the ssh password.

ssh root@xx.xx.xx.xx
root@xx.xx.xx.xx's password:
root@xx.xx.xx.xx's password:
Password:

[root@debasiseric2 pam.d]# tailf /var/log/secure
May 16 17:43:46 debasiseric2 sshd[13391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195.235.15.200  user=root
May 16 17:43:46 debasiseric2 sshd[13391]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: start of google_authenticator for "root"
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: "/root/.google_authenticator" read
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: shared secret in "/root/.google_authenticator" processed
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: no scratch code used from "/root/.google_authenticator"
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: Invalid verification code for root
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: "/root/.google_authenticator" written
May 16 17:43:46 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: end of google_authenticator for "root". Result: Authentication failure
May 16 17:43:48 debasiseric2 sshd[13391]: Failed password for root from 195.235.15.200 port 45432 ssh2
May 16 17:44:08 debasiseric2 sshd[13391]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: start of google_authenticator for "root"
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: "/root/.google_authenticator" read
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: shared secret in "/root/.google_authenticator" processed
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: no scratch code used from "/root/.google_authenticator"
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: Accepted google_authenticator for root
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: "/root/.google_authenticator" written
May 16 17:44:08 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: end of google_authenticator for "root". Result: Success
May 16 17:44:10 debasiseric2 sshd[13391]: Failed password for root from 195.235.15.200 port 45432 ssh2
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: start of google_authenticator for "root"
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: "/root/.google_authenticator" read
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: shared secret in "/root/.google_authenticator" processed
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: no scratch code used from "/root/.google_authenticator"
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: Invalid verification code for root
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: "/root/.google_authenticator" written
May 16 17:44:19 debasiseric2 sshd(pam_google_authenticator)[13391]: debug: end of google_authenticator for "root". Result: Authentication failure
May 16 17:44:21 debasiseric2 sshd[13391]: Failed password for root from 195.235.15.200 port 45432 ssh2
May 16 17:44:21 debasiseric2 sshd[13391]: Postponed keyboard-interactive for root from 195.235.15.200 port 45432 ssh2 [preauth]

I have tried a lot of ways to make it work... It does not work...
I don't know why... any help is really appreciated.

[root@debasiseric2 pam.d]# grep ^[^#] /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
SyslogFacility AUTHPRIV
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
UsePrivilegeSeparation yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp  /usr/libexec/openssh/sftp-server

[root@debasiseric2 pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
#auth required pam_google_authenticator.so

# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
auth required /usr/local/lib/security/pam_google_authenticator.so debug nullok

[root@debasiseric2 pam.d]# cat password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

[root@debasiseric2 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

ThomasHabets commented 6 years ago

root@xx.xx.xx.xx's password:
root@xx.xx.xx.xx's password:
Password:

These are all password prompts, not OTP prompts.

Your /etc/pam.d/sshd config has pam_unix before GA, so you should enter your normal password first. If you want it the other way around, then you'll need to put GA first.

If you don't get a prompt for Validation code, then it's not asking for your OTP.

Also it looks like you have "sufficient" on pam_unix. Do you not simply get let in when you enter your password?

leoindra86 commented 6 years ago

I tried that before; now, as advised, I am entering the ssh password three times and then the OTP password. Also SELinux is disabled.

[einddut.ES00201776] ➤ ssh root@xx.xx.xx.xx
root@xx.xx.xx.xx's password: ===>SSH PASSWORD
root@xx.xx.xx.xx's password:  ===>SSH PASSWORD
root@xx.xx.xx.xx's password:   ===>SSH PASSWORD
Password:    ===>OTP
Password:    ====> OTP

[root@debasiseric2 ~]# tailf /var/log/secure
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: start of google_authenticator for "root"
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: "/root/.google_authenticator" read
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: Too many concurrent login attempts ("/root/.google_authenticator"). Please try again.
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: "/root/.google_authenticator" written
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: end of google_authenticator for "root". Result: Authentication failure
May 16 20:05:30 debasiseric2 sshd[1815]: error: PAM: Authentication failure for root from 197.red-79-146-98.dynamicip.rima-tde.net
May 16 20:05:30 debasiseric2 sshd[1815]: Failed keyboard-interactive/pam for root from 79.146.98.197 port 63492 ssh2
May 16 20:05:30 debasiseric2 sshd[1815]: Postponed keyboard-interactive for root from 79.146.98.197 port 63492 ssh2 [preauth]
May 16 20:05:38 debasiseric2 sshd[1815]: Connection closed by 79.146.98.197 port 63492 [preauth]
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: start of google_authenticator for "root"
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" read
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: shared secret in "/root/.google_authenticator" processed
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: no scratch code used from "/root/.google_authenticator"
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: Invalid verification code for root
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" written
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: end of google_authenticator for "root". Result: Authentication failure
May 16 20:06:21 debasiseric2 sshd[1838]: Failed password for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: start of google_authenticator for "root"
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" read
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: shared secret in "/root/.google_authenticator" processed
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: no scratch code used from "/root/.google_authenticator"
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: Invalid verification code for root
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" written
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: end of google_authenticator for "root". Result: Authentication failure
May 16 20:06:29 debasiseric2 sshd[1838]: Failed password for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: start of google_authenticator for "root"
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" read
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: shared secret in "/root/.google_authenticator" processed
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: no scratch code used from "/root/.google_authenticator"
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: Invalid verification code for root
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" written
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: end of google_authenticator for "root". Result: Authentication failure
May 16 20:06:35 debasiseric2 sshd[1838]: Failed password for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:35 debasiseric2 sshd[1838]: Postponed keyboard-interactive for root from 79.146.98.197 port 63521 ssh2 [preauth]
May 16 20:06:42 debasiseric2 sshd[1840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=197.red-79-146-98.dynamicip.rima-tde.net  user=root
May 16 20:06:42 debasiseric2 sshd[1840]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: start of google_authenticator for "root"
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: Secret file permissions are 0400. Allowed permissions are 0600
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: "/root/.google_authenticator" read
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: Too many concurrent login attempts ("/root/.google_authenticator"). Please try again.
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: "/root/.google_authenticator" written
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: end of google_authenticator for "root". Result: Authentication failure
May 16 20:06:44 debasiseric2 sshd[1838]: error: PAM: Authentication failure for root from 197.red-79-146-98.dynamicip.rima-tde.net
May 16 20:06:44 debasiseric2 sshd[1838]: Failed keyboard-interactive/pam for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:44 debasiseric2 sshd[1838]: Postponed keyboard-interactive for root from 79.146.98.197 port 63521 ssh2 [preauth]
May 16 20:07:17 debasiseric2 sshd[1838]: Connection closed by 79.146.98.197 port 63521 [preauth]

ThomasHabets commented 6 years ago

That's not how those prompts should look. It should be:

$ ssh foo@bar.com
Password: <password here>
Verification code: <OTP here>

Did you restart sshd, or reload its config?

Like I said:

If you don't get a prompt for Validation code, then it's not asking for your OTP.

So don't enter OTP where it says Password.

leoindra86 commented 6 years ago

Sorry for being a pain... Every config update is followed by an sshd restart.

ThomasHabets commented 6 years ago

Have you tried entering your unix password at the Password prompt, and seeing if you get a Verification code prompt?

My setup has PasswordAuthentication no, because I use PAM instead of OpenSSH's built-in thing. UsePAM yes and ChallengeResponseAuthentication yes are sufficient for this to work.

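As an added check for the two points in the reply above (this script is not from the issue or the project), the following reads an sshd_config and a PAM service file and reports the settings the reply calls out: PasswordAuthentication, ChallengeResponseAuthentication, UsePAM, and whether the google_authenticator line sits before or after the password step. The sample files are constructed from the configs posted in the issue, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the issue or the project. Checks an sshd_config and a
# /etc/pam.d/sshd for the conditions discussed in the thread; paths are arguments,
# so it runs against the constructed sample files below, not the live system.

# Effective value of an sshd_config keyword: first occurrence wins, as in sshd;
# $3 is sshd's default when the keyword is absent. Keywords are case-insensitive.
sshd_opt() {  # $1=config file $2=keyword $3=default
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# 1-based position, among the active "auth" lines of a PAM file, of the first
# line matching the regex in $2 (comments skipped; "-auth" still counts as auth).
auth_pos() {  # $1=PAM file $2=extended regex
    awk -v re="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { t = $1; sub(/^-/, "", t) }
        t == "auth" { n++; if ($0 ~ re) { print n; exit } }' "$1"
}

# Prints one finding per line; prints nothing when the setup matches the advice.
check_mfa() {  # $1=sshd_config $2=PAM file for the sshd service
    [ "$(sshd_opt "$1" UsePAM no)" = yes ] ||
        echo "UsePAM is not yes: the PAM stack, and so the OTP module, never runs"
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication yes)" = yes ] ||
        echo "ChallengeResponseAuthentication is not yes: no keyboard-interactive prompt"
    [ "$(sshd_opt "$1" PasswordAuthentication yes)" = no ] ||
        echo "PasswordAuthentication is yes: sshd's built-in method answers every PAM prompt with the login password"
    ga=$(auth_pos "$2" 'pam_google_authenticator[.]so')
    pw=$(auth_pos "$2" 'pam_unix[.]so|[[:space:]](substack|include)[[:space:]]')
    if [ -z "$ga" ]; then
        echo "no active auth line loads pam_google_authenticator.so"
    elif [ -n "$pw" ] && [ "$ga" -lt "$pw" ]; then
        echo "note: the OTP module precedes the password step, so Verification code is asked first"
    fi
}

# Constructed samples: a pair modelled on the files posted in the issue, and a corrected pair.
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$tmp/sshd.issue"
printf '%s\n' 'auth       required     pam_sepermit.so' 'auth       substack     password-auth' \
    'auth       include      postlogin' '#auth required pam_google_authenticator.so' \
    '-auth      optional     pam_reauthorize.so prepare' 'session    include      password-auth' \
    'auth required /usr/local/lib/security/pam_google_authenticator.so debug nullok' > "$tmp/pam.issue"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$tmp/sshd.fixed"
printf '%s\n' 'auth required pam_sepermit.so' 'auth substack password-auth' \
    'auth required pam_google_authenticator.so' 'auth include postlogin' > "$tmp/pam.fixed"  # no nullok: users without a secret file are refused
```

Run `check_mfa "$tmp/sshd.issue" "$tmp/pam.issue"` to see the single finding for the posted configuration (PasswordAuthentication yes); the corrected pair prints nothing.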
panderan commented 5 years ago

I encountered the same problem as you. However, I found that when I installed the official package using the "apt install" command (I use Ubuntu), everything worked for me. When I compiled from source and installed with "make install", the "Verification code" prompt never came out. Then I noticed that the official package puts libpam_google_authenticator.so in the /lib/security directory, but the "make install" command puts the file in the /usr/local/lib/security directory. So I made a symbolic link, and then it worked.

mkdir -p /lib/security
ln -sf /usr/local/lib/security/pam_google_authenticator.so /lib/security/pam_google_authenticator.so