Open leoindra86 opened 6 years ago
root@xx.xx.xx.xx's password: root@xx.xx.xx.xx's password: Password:
These are all password prompts, not OTP prompts.
Your /etc/pam.d/sshd config has pam_unix before GA, so you should enter your normal password first. If you want it the other way around, then you'll need to put GA first.
If you don't get a prompt for Validation code, then it's not asking for your OTP.
Also it looks like you have "sufficient" on pam_unix. Do you not simply get let in when you enter your password?
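The two points in the reply above (module order sets prompt order, and a `sufficient` pam_unix ahead of GA lets a correct password end the stack) can be checked mechanically. This is an added example, not part of the thread or of the project's code; the sample stacks are constructed and the function names are hypothetical.

```python
import re

OTP = "pam_google_authenticator.so"
# Prompts as shown in this thread; treated here as each module's default.
PROMPTS = {"pam_unix.so": "Password:", OTP: "Verification code:"}

def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a PAM service file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            control, module = m.groups()
            stack.append((control, module.rsplit("/", 1)[-1]))
    return stack

def analyse(text):
    """Return (prompt order, findings) for an sshd PAM auth stack."""
    stack = parse_auth_stack(text)
    names = [module for _, module in stack]
    prompts = [PROMPTS[n] for n in names if n in PROMPTS]
    findings = []
    if OTP not in names:
        findings.append("no OTP module in the auth stack")
    for i, (control, module) in enumerate(stack):
        # 'sufficient' + success returns from the stack at once (unless an
        # earlier required module failed), so later modules are never run.
        if control == "sufficient" and OTP in names[i + 1:]:
            findings.append(f"{module} is 'sufficient' before {OTP}: "
                            "a correct password skips the OTP")
    return prompts, findings

# Constructed sample stacks (not the reporter's actual file).
PASSWORD_THEN_OTP = """
auth required pam_unix.so
auth required pam_google_authenticator.so debug
"""
OTP_THEN_PASSWORD = """
auth required pam_google_authenticator.so debug
auth required pam_unix.so
"""
SUFFICIENT_BEFORE_OTP = """
# password success ends the stack here
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_google_authenticator.so debug
"""

if __name__ == "__main__":
    for name in ("PASSWORD_THEN_OTP", "OTP_THEN_PASSWORD", "SUFFICIENT_BEFORE_OTP"):
        print(name, analyse(globals()[name]))
```

Stacks that pull in other files with `include` or `substack` are not followed here, so run it on the fully expanded auth lines.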
I tried that before. Now, as advised, I am entering the SSH password three times and then the OTP password. Also, SELinux is disabled.
[einddut.ES00201776] ➤ ssh root@xx.xx.xx.xx
root@xx.xx.xx.xx's password: ===>SSH PASSWORD
root@xx.xx.xx.xx's password: ===>SSH PASSWORD
root@xx.xx.xx.xx's password: ===>SSH PASSWORD
Password: ===>OTP
Password: ====> OTP
[root@debasiseric2 ~]# tailf /var/log/secure
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: start of google_authenticator for "root"
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: Secret file permissions are 0400. Allowed permissions are 0 600
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: "/root/.google_authenticator" read
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: Too many concurrent login attempts ("/root/.google_authenticator") . Please try again.
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: "/root/.google_authenticator" written
May 16 20:05:28 debasiseric2 sshd(pam_google_authenticator)[1826]: debug: end of google_authenticator for "root". Result: Authenticat ion failure
May 16 20:05:30 debasiseric2 sshd[1815]: error: PAM: Authentication failure for root from 197.red-79-146-98.dynamicip.rima-tde.net
May 16 20:05:30 debasiseric2 sshd[1815]: Failed keyboard-interactive/pam for root from 79.146.98.197 port 63492 ssh2
May 16 20:05:30 debasiseric2 sshd[1815]: Postponed keyboard-interactive for root from 79.146.98.197 port 63492 ssh2 [preauth]
May 16 20:05:38 debasiseric2 sshd[1815]: Connection closed by 79.146.98.197 port 63492 [preauth]
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: start of google_authenticator for "root"
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: Secret file permissions are 0400. Allowed permissions are 0 600
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" read
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: shared secret in "/root/.google_authenticator" processed
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: no scratch code used from "/root/.google_authenticator"
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: Invalid verification code for root
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" written
May 16 20:06:18 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: end of google_authenticator for "root". Result: Authenticat ion failure
May 16 20:06:21 debasiseric2 sshd[1838]: Failed password for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: start of google_authenticator for "root"
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: Secret file permissions are 0400. Allowed permissions are 0 600
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" read
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: shared secret in "/root/.google_authenticator" processed
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: no scratch code used from "/root/.google_authenticator"
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: Invalid verification code for root
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" written
May 16 20:06:27 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: end of google_authenticator for "root". Result: Authenticat ion failure
May 16 20:06:29 debasiseric2 sshd[1838]: Failed password for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: start of google_authenticator for "root"
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: Secret file permissions are 0400. Allowed permissions are 0 600
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" read
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: shared secret in "/root/.google_authenticator" processed
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: no scratch code used from "/root/.google_authenticator"
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: Invalid verification code for root
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: "/root/.google_authenticator" written
May 16 20:06:33 debasiseric2 sshd(pam_google_authenticator)[1838]: debug: end of google_authenticator for "root". Result: Authenticat ion failure
May 16 20:06:35 debasiseric2 sshd[1838]: Failed password for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:35 debasiseric2 sshd[1838]: Postponed keyboard-interactive for root from 79.146.98.197 port 63521 ssh2 [preauth]
May 16 20:06:42 debasiseric2 sshd[1840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=197. red-79-146-98.dynamicip.rima-tde.net user=root
May 16 20:06:42 debasiseric2 sshd[1840]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: start of google_authenticator for "root"
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: Secret file permissions are 0400. Allowed permissions are 0 600
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: "/root/.google_authenticator" read
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: Too many concurrent login attempts ("/root/.google_authenticator") . Please try again.
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: "/root/.google_authenticator" written
May 16 20:06:42 debasiseric2 sshd(pam_google_authenticator)[1840]: debug: end of google_authenticator for "root". Result: Authenticat ion failure
May 16 20:06:44 debasiseric2 sshd[1838]: error: PAM: Authentication failure for root from 197.red-79-146-98.dynamicip.rima-tde.net
May 16 20:06:44 debasiseric2 sshd[1838]: Failed keyboard-interactive/pam for root from 79.146.98.197 port 63521 ssh2
May 16 20:06:44 debasiseric2 sshd[1838]: Postponed keyboard-interactive for root from 79.146.98.197 port 63521 ssh2 [preauth]
May 16 20:07:17 debasiseric2 sshd[1838]: Connection closed by 79.146.98.197 port 63521 [preauth]
That's not how those prompts should look. It should be:
$ ssh foo@bar.com
Password: <password here>
Verification code: <OTP here>
Did you restart sshd, or reload its config?
Like I said:
If you don't get a prompt for Validation code, then it's not asking for your OTP.
So don't enter OTP where it says Password.
Sorry for being a pain... Every config update is followed by an sshd restart.
Have you tried entering your unix password at the Password prompt, and seeing if you get a Verification code prompt?
My setup has PasswordAuthentication no, because I use PAM instead of OpenSSH's built-in thing. UsePAM yes and ChallengeResponseAuthentication yes is sufficient for this to work.
I encountered the same problem as you. However, I found that when I installed the official package using the "apt install" command (I used Ubuntu), everything worked for me. When I compiled from source and installed with "make install", the "Verification code" prompt never came up. Then I noticed that the official package puts libpam_google_authenticator.so in the /lib/security directory, but the "make install" command puts the file in the /usr/local/lib/security directory. So I made a symbolic link, and then it worked.
mkdir -p /lib/security
ln -sf /usr/local/lib/security/pam_google_authenticator.so /lib/security/pam_google_authenticator.so
Here is my configuration. It doesn't ask for the verification password. First I give the verification password and then the SSH password.