
google-authenticator-libpam's Introduction

Google Authenticator PAM module

Example PAM module demonstrating two-factor authentication for logging into servers via SSH, OpenVPN, etc…

This project is not about logging in to Google, Facebook, or other TOTP/HOTP second factor systems, even if they recommend using the Google Authenticator apps.

HMAC-Based One-time Password (HOTP) is specified in RFC 4226 and Time-based One-time Password (TOTP) is specified in RFC 6238.


Build & install

./bootstrap.sh
./configure
make
sudo make install

If you don't have access to "sudo", you have to manually become "root" prior to calling "make install".

Setting up the PAM module for your system

For highest security, make sure that both the password and the OTP are requested even when the password and/or the OTP is wrong. Otherwise the login prompt becomes an oracle: if PAM stops at the first failure, an attacker guessing passwords learns that a guess was correct the moment the verification-code prompt appears. In PAM terms this means that at least the first of pam_unix.so (or whatever other module verifies passwords) and pam_google_authenticator.so must be marked required, not requisite: required records the failure but keeps running the rest of the stack, requisite aborts the stack immediately. It probably can't hurt to mark both as required, but that depends on the rest of your PAM configuration.

If you use HOTP (counter-based rather than time-based), add the no_increment_hotp option so that failed attempts do not advance the counter.

Add this line to your PAM configuration file:

auth required pam_google_authenticator.so no_increment_hotp
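The rule above as a concrete /etc/pam.d/sshd fragment, with the weak form beside the corrected one. This is an added example, not configuration shipped with the project; the other lines of a real sshd stack (pam_env, account and session entries) are left out, and the module is assumed to be installed where your PAM looks for modules.

```text
# WEAK: "requisite" makes PAM stop as soon as the password check fails, so the
# verification-code prompt only ever appears after a correct password.  Anyone
# guessing passwords can tell a right guess from a wrong one without owning
# the token.
auth requisite pam_unix.so
auth required  pam_google_authenticator.so no_increment_hotp

# CORRECTED: both modules are "required".  A failure in either is remembered,
# but the stack still runs to the end, so both prompts are always shown and
# the client only ever learns "authentication failed".
auth required  pam_unix.so
auth required  pam_google_authenticator.so no_increment_hotp
```

Check the behaviour from a second terminal before logging out of the first: a wrong password must still be followed by the "Verification code:" prompt, and only after that by the failure.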

Setting up a user

Run the google-authenticator binary as the user being enrolled to create a new secret key. The key and the module's per-user settings (mode, window size, rate limit, scratch codes) are stored in ~/.google_authenticator.

If your system supports the "libqrencode" library, you will be shown a QRCode that you can scan using the Android "Google Authenticator" application.

If your system does not have this library, you can either follow the URL that google-authenticator outputs, or you have to manually enter the alphanumeric secret key into the Android "Google Authenticator" application.

In either case, after you have added the key, click-and-hold until the context menu shows. Then check that the key's verification value matches (this feature might not be available in all builds of the Android application).

Each time you log into your system you will now be prompted for your TOTP code (time-based one-time password) or HOTP code (counter-based), depending on the options given to google-authenticator, after having entered your normal user id and your normal UNIX account password.

During the initial roll-out process, you might find that not all users have created a secret key yet. If you would still like them to be able to log in, you can pass the "nullok" option on the module's command line:

auth required pam_google_authenticator.so nullok

Encrypted home directories

If your system keeps home directories encrypted until after the user has entered their password, you must either re-arrange the entries in the PAM configuration file so that the home directory is decrypted before the OTP code is requested, or store the secret file in a non-standard location:

auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

would be a possible choice. Make sure to set appropriate permissions: by default the module insists that the secret file is owned by the user logging in and is mode 0600 (see no_strict_owner and allowed_perm below), and it checks only the file, not the directories above it, so keep those from being listable by other users as well. You also have to tell your users to move their .google_authenticator file to this location themselves.

In addition to "${USER}", the secret= option also recognizes both "~" and ${HOME} as short-hands for the user's home directory.

When using the secret= option, you might want to also set the user= option. The latter forces the PAM module to switch to a dedicated hard-coded user id prior to doing any file operations. When using the user= option, you must not include "~" or "${HOME}" in the filename.

The user= option can also be useful if you want to authenticate users who do not have traditional UNIX accounts on your system.

Module options

secret=/path/to/secret/file

See "encrypted home directories", above.

authtok_prompt=prompt

Overrides default token prompt. If you want to include spaces in the prompt, wrap the whole argument in square brackets:

auth required pam_google_authenticator.so [authtok_prompt=Your secret token: ]

user=some-user

Force the PAM module to switch to a hard-coded user id prior to doing any file operations. Commonly used with secret=.

no_strict_owner

DANGEROUS OPTION!

By default the PAM module requires that the secrets file is owned by the user logging in (or, if user= is specified, by that user). This option disables that check.

This option can be used to allow daemons not running as root to still handle configuration files not owned by that user, for example owned by the users themselves.

allowed_perm=0nnn

DANGEROUS OPTION!

By default, the PAM module requires the secrets file to be readable only by the owner of the file (mode 0600 by default). In situations where the module is used in a non-default configuration, an administrator may need more lenient file permissions, or a specific setting for their use case.

debug

Enable more verbose log messages in syslog.

try_first_pass / use_first_pass / forward_pass

Some PAM clients cannot prompt the user for more than just the password. To work around this problem, this PAM module supports stacking. If you pass the forward_pass option, the pam_google_authenticator module queries the user for both the system password and the verification code in a single prompt. It then forwards the system password to the next PAM module, which will have to be configured with the use_first_pass option.

In turn, pam_google_authenticator module also supports both the standard use_first_pass and try_first_pass options. But most users would not need to set those on the pam_google_authenticator.
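An added example (not the project's own configuration) of the stacking described above, for a PAM client that can only deliver a single string. The user types the password immediately followed by the verification code in the one prompt; the module peels the trailing digits off as the code and hands the remainder on as the password.

```text
# Client can only send one secret (e.g. a RADIUS front end or a VPN that
# supports just a password field).  pam_google_authenticator prompts once,
# verifies the trailing digits itself and forwards the rest of the string.
auth required pam_google_authenticator.so forward_pass
# pam_unix must NOT prompt again: use_first_pass makes it consume the
# forwarded password and fail if none was set.
auth required pam_unix.so use_first_pass
```

Note that use_first_pass, not try_first_pass, is the right choice on the second line: try_first_pass would fall back to prompting when the forwarded password is wrong, which the single-prompt client cannot answer.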

noskewadj

If you discover that your TOTP code never works, the most common cause is that the clock on your server differs from the clock on your Android device. The PAM module attempts to compensate for such time skew, and you can teach it the amount of skew you are experiencing by trying to log in three times in a row: wait for each new code (about 30s, but not longer) so that you enter three consecutive TOTP codes, from which the module works out the offset.

Some administrators prefer that time skew is not adjusted automatically, because it lets a client whose clock disagrees with the server's still authenticate, which slightly weakens the configuration. If you want to disable it, you can do so on the module command line:

auth required pam_google_authenticator.so noskewadj
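The arithmetic behind all of this, as an added example rather than code from google-authenticator-libpam: the HOTP and TOTP functions of RFC 4226 and RFC 6238 referenced at the top of this page, the window check, the three-consecutive-codes skew learning described under noskewadj, and the counter handling that no_increment_hotp protects. Function names, the skew search bound and the window conventions are this example's own choices; the key is the RFC test vector and must never be deployed.

```python
# Added example, not code from google-authenticator-libpam.  The RFC 4226 /
# RFC 6238 arithmetic plus the checks that the window size, time-skew
# learning and HOTP counter options control, runnable offline.
import base64
import hashlib
import hmac
import secrets
import struct

RFC_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test key; never deploy


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    if counter < 0:
        raise ValueError("HOTP counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock in 30 s steps."""
    return hotp(secret, unix_time // step, digits)


def _matches(secret: bytes, counter: int, code: str) -> bool:
    """Constant-time compare; counters before the epoch can never match."""
    return counter >= 0 and hmac.compare_digest(hotp(secret, counter), code)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 3,
                skew_steps: int = 0, step: int = 30):
    """Accept a code from any of `window` consecutive steps centred on the
    server's estimate of the client clock (server time plus learned skew);
    window=3 is the current step and one on either side.  Returns the step
    offset that matched, or None."""
    centre = unix_time // step + skew_steps
    half = window // 2
    for offset in range(-half, half + 1):
        if _matches(secret, centre + offset, code):
            return offset
    return None


def learn_skew(secret: bytes, codes, unix_time: int, max_steps: int = 50,
               step: int = 30):
    """Skew learning as the README describes it: the user enters three
    consecutive codes, the last one current.  Find the shift, in steps, that
    makes all three line up with server time.  max_steps (+-25 minutes here)
    is this example's bound, not the module's."""
    if len(codes) != 3:
        raise ValueError("need exactly three consecutive codes")
    now = unix_time // step
    for skew in range(-max_steps, max_steps + 1):
        if all(_matches(secret, now + skew - 2 + i, c) for i, c in enumerate(codes)):
            return skew
    return None


def verify_hotp(secret: bytes, code: str, counter: int, window: int = 3):
    """Counter-based check with a look-ahead window (the page's HOTP meaning
    of window size).  Returns the counter to store next, one past the match,
    or None.  On None the caller keeps its counter unchanged: advancing it on
    failure is what no_increment_hotp turns off, because an attacker could
    otherwise push the stored counter past the token's and lock the user out."""
    for i in range(window):
        if _matches(secret, counter + i, code):
            return counter + i + 1
    return None


def new_secret(bits: int = 160) -> str:
    """Fresh base32 shared secret; 160 bits is what RFC 4226 recommends."""
    return base64.b32encode(secrets.token_bytes(bits // 8)).decode()


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0), totp(RFC_SECRET, 59))  # 755224 287082
```

learn_skew shows why the README asks for three codes: a single 6-digit match within a wide search range is cheap for an attacker to hit by chance, three consecutive matches are not. verify_totp deliberately checks every slot with a constant-time comparison rather than stopping on the first digit mismatch.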

no_increment_hotp

Don't increment the counter for failed HOTP attempts. You should normally set this: otherwise an attacker who can reach the login prompt can, simply by failing repeatedly, advance the server-side counter past the one in the legitimate user's token and lock that user out.

nullok

Allow users to log in without OTP, if they haven't set up OTP yet.

PAM requires at least one SUCCESS answer from some module, and nullok makes this module answer IGNORE for users who have no secret file. If this option is used, at least one other module in the stack must therefore return SUCCESS. One way to arrange that is to add auth required pam_permit.so to the end of the PAM config.
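The pam_permit arrangement as an added example (not the project's own configuration) for a stack in which pam_google_authenticator is the only auth module, as it is when sshd has already checked a public key and UNIX passwords are not used:

```text
# Roll-out stack.  An enrolled user with a wrong code makes the "required"
# module fail and the login is refused even though pam_permit succeeds.  A
# user with no ~/.google_authenticator makes the module return IGNORE, and
# without pam_permit there would be no SUCCESS at all and PAM would refuse
# the login.
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
```

Once every user has enrolled, drop both nullok and the pam_permit line; with a single required module a SUCCESS from it is sufficient, and leaving pam_permit in place only widens the blast radius of a future configuration mistake.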

echo_verification_code

By default, the PAM module does not echo the verification code when it is entered by the user. In some situations, the administrator might prefer a different behavior. Pass the echo_verification_code option to the module in order to enable echoing.

If you would like verification codes that are counter-based instead of time-based, use the google-authenticator binary to generate a secret key in your home directory with the corresponding option. In this mode clock skew is irrelevant, and the window size option instead controls how many codes beyond the current one are accepted, to tolerate the token and the server getting slightly out of step.

grace_period=seconds

If present and non-zero, provide a grace period during which a second verification code will not be requested. Set seconds to 86400 to allow a full day between requests for codes, or 3600 for an hour.

This works by adding an (IP address, timestamp) pair to the secret file after a successful one-time-password login; only the last ten distinct IP addresses are tracked. Note that the client is identified by source address alone, so anyone sharing that address (for example behind the same NAT) who knows the password gets the same grace period.

allow_readonly

DANGEROUS OPTION!

By default, when grace_period is set, the PAM module needs to write the IP address and timestamp of the last login to the secret file, and it refuses the login if that write fails, for example because the filesystem is full or the file cannot be updated for some other reason. With the allow_readonly option the module ignores any error that occurs while updating the file.

That is dangerous: the same file records which codes have already been used, so an attacker with the ability to fill up the filesystem (flooding the server with web requests, or simply filling the disk from an account they have) can force a situation where one-time passwords can be reused, defeating the purpose of "one time".

google-authenticator-libpam's People

Contributors

aliakseikorneu, cwt137, dmolik, hawicz, jabenninghoff, jasonbking, jeis2497052, kerolasa, knqyf263, kpumuk, kruton, lo0k, lxv, mgerstner, minternl, msantos, mugglewei, nielsbasjes, pricechild, reedloden, reppep, saivert, shelt, tg123, thomashabets, timothybasanov, vapier, wernight, wgambar2, wom-bat


google-authenticator-libpam's Issues

Does not support PAM_CONV_AGAIN / PAM_INCOMPLETE

From @ThomasHabets on October 10, 2014 8:7

Original issue 276 created by cris.vanpelt on 2013-06-21T13:52:53.000Z:

Asynchronous calls to the libpam-google-authenticator module are not available.

Support for CONV_AGAIN/INCOMPLETE is missing entirely. This makes it more difficult to use the authenticator PAM module for asynchronous authentication. I have attached a small patch which adds this functionality. It may need to be revised for better integration with existing code.

Copied from original issue: google/google-authenticator#275

Respect period parameter in otpauth URI.

From @thomasdarimont on October 5, 2015 8:26

According to the Key Uri Format documentation the current google authenticator implementation
doesn't use the period parameter in the otpauth URI and defaults to 30 seconds.

This makes it difficult to use the google authenticator app as an alternative soft token generator mechanism in scenarios where one wants to use one OTP token policy in combination with hardware token generators which often come with a hard-wired default period.

A fallback is to use other apps like FreeOTP which respect the period parameter.

Copied from original issue: google/google-authenticator#521

Why is the shared secret used in libpam only 80 bits?

From @ThomasHabets on October 10, 2014 8:7

Original issue 340 created by terrycwk1994 on 2013-11-07T02:52:37.000Z:

The code in libpam/google-authenticator.c defines the shared secret to be 80 bits.
# define SECRET_BITS 80 // Must be divisible by eight

This appears not to conform with RFC 4226 that states:

R6 - The algorithm MUST use a strong shared secret. The length of
the shared secret MUST be at least 128 bits. This document
RECOMMENDs a shared secret length of 160 bits.

I suggest that the code be patched to modify this to 160 bits, which conforms with the recommendation by RFC 4226 and is what Google is using for 2FA with their own services.

Copied from original issue: google/google-authenticator#339

`make test` FAILs at error: "Assertion `num_prompts_shown == expected_prompts_shown' failed.; Invalid verification code"

From @ghost on December 28, 2014 4:0

checking out latest source

git clone https://code.google.com/p/google-authenticator
git log | head
    commit 1d0bf2e6cff7a5e503580d29ca33634ce09386ca
    Author: Thomas Habets <[email protected]>
    Date:   Fri Feb 14 17:17:42 2014 +0000

        Add space in config file between quote and RATE_LIMIT, like spec says.

    commit 86af4c32a2940b13397cac52eee435e6acedb8a5
    Author: Thomas Habets <[email protected]>
    Date:   Thu Jan 30 15:17:38 2014 +0000

building on

lsb_release -rd
    Description:    openSUSE 13.2 (Harlequin) (x86_64)
    Release:        13.2

with

gcc -V
    gcc: error: unrecognized command line option ‘-V’
    gcc: fatal error: no input files
    compilation terminated.
    [1083][root@onyxEdgar: ../src/google-authenticator]$ gcc -v
    Using built-in specs.
    COLLECT_GCC=gcc
    COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/5/lto-wrapper
    Target: x86_64-suse-linux
    Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,java,ada,go --with-gxx-include-dir=/usr/include/c++/5 --enable-ssp --disable-libssp --disable-libvtv --disable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --with-slibdir=/lib64 --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --enable-linker-build-id --enable-linux-futex --program-suffix=-5 --without-system-libunwind --enable-multilib --with-arch-32=i586 --with-tune=generic --build=x86_64-suse-linux --host=x86_64-suse-linux
    Thread model: posix
    gcc version 5.0.0 20141215 (experimental) [trunk revision 218749] (SUSE Linux) 

completes ok

cd google-authenticator/libpam
make
    (no errors)

but test FAILs

make test
    ./pam_google_authenticator_unittest
    Testing base32 encoding
    Testing base32 decoding
    Testing HMAC_SHA1
    Loading PAM module

    Running tests, querying for verification code
    Testing failed login attempt
    Testing required number of digits
    Testing a blank response
    Test handling of missing state files
    Testing successful login
    Testing WINDOW_SIZE option
    Testing DISALLOW_REUSE option
    Testing RATE_LIMIT option
    Testing TIME_SKEW
    pam_google_authenticator_unittest: pam_google_authenticator_unittest.c:137: verify_prompts_shown: Assertion `num_prompts_shown == expected_prompts_shown' failed.
    Invalid verification code
    Makefile:36: recipe for target 'test' failed
    make: *** [test] Error 1

seems to have been raised before,

[CentOS] CentOS 5.9 and google-authenticator
http://lists.centos.org/pipermail/centos/2013-June/135586.html

but, afaict, no resolution there

Copied from original issue: google/google-authenticator#470

Can't Authenticate anymore

From @ThomasHabets on October 10, 2014 8:6

Original issue 134 created by shaiament on 2012-01-16T15:21:59.000Z:

What steps will reproduce the problem?
1.SSH

What is the expected output? What do you see instead?
-bash-3.2$ ssh [email protected]
Verification code:
Password:
Verification code:
Password:
Verification code:
Password:
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Received disconnect from 10.0.0.65: 2: Too many authentication failures for root

What version of the product are you using? On what operating system?
Latest, Centos 6

Please provide any additional information below.

I get stuck in this loop. The machine won't authenticate me. I don't even receive error messages when I type, and then it only asks for the password, and even when the password is correct I get Permission denied.

Copied from original issue: google/google-authenticator#133

Unable to login to Server the next day of enabling Google Auth.

From @ThomasHabets on October 10, 2014 8:6

Original issue 245 created by hamlindsza on 2013-01-29T05:54:32.000Z:

What steps will reproduce the problem?
Not Sure how to reproduce this problem.
Let me explain the situation: I enable two-step verification and it works fine throughout the day; the next morning I'm unable to log in.

The /var/log/auth.log shows:
Jan 29 11:10:25 smtp sshd(pam_google_authenticator)[21547]: Invalid verification code
Jan 29 11:10:27 smtp sshd[20763]: error: PAM: Cannot make/remove an entry for the specified session for root from 10.0.5.110
Jan 29 11:10:27 smtp sshd[20763]: Failed keyboard-interactive/pam for root from 10.0.5.110 port 4196 ssh2

What version of the product are you using? On what operating system?
Debian Squeeze.

Please provide any additional information below.
I've synced the time on the phone & server with an NTP server.

Copied from original issue: google/google-authenticator#244

Authenticator for Windows Login

From @ThomasHabets on October 10, 2014 8:6

Original issue 183 created by kirkholmes on 2012-06-05T17:41:49.000Z:

I've been looking all over the net for a solution or option. I use Google Authenticator for everything Google and would like the ability to also use it as a second method of security when logging into my Windows Computer.

Is this an option? If so how can this be done and/or can it be an option?

Copied from original issue: google/google-authenticator#182

_dl_tls_get_addr_soft@GLIBC_PRIVATE

From @ThomasHabets on October 10, 2014 8:7

Original issue 364 created by [email protected] on 2014-03-10T23:49:49.000Z:

What version of the product are you using? On what operating system?
synology DSM 5.0
ipkg version 0.99.163
http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/syno-mvkw-bootstrap_1.2-7_arm.xsh
GNU Make 3.82 Built for arm-none-linux-gnueabi

Please provide any additional information below.
I'm trying to build from source on arm v5, a synology DS411j Marvell Kirkwood mv6281 http://www.marvell.com/embedded-processors/kirkwood/assets/88F6281-004_ver1.pdf

> make install
gcc -g -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o -ldl
/opt/lib/gcc/arm-none-linux-gnueabi/4.2.3/../../../../arm-none-linux-gnueabi/lib/libdl.so: undefined reference to `_dl_tls_get_addr_soft@GLIBC_PRIVATE'
collect2: ld returned 1 exit status
make: *** [google-authenticator] Error 1

Copied from original issue: google/google-authenticator#363

Separate configuration from living data in the PAM module

From @ThomasHabets on October 10, 2014 8:6

Original issue 167 created by raphink on 2012-04-21T09:02:48.000Z:

Currently, the PAM module relies on one file per user: ~/.google_authenticator.

While this is simple, it mixes the configuration and living data in one file. The problem I have is when deploying this file on machines automatically: the file I deploy is a configuration file, containing the secret key, parameters and scratch codes available.

If for example I use one of the scratch codes, the file gets modified, but the configuration manager (puppet for example) will replace it with the same scratch codes next time it runs.

Ideally, the PAM module would use two files:

  • One for static configuration (secret key, parameters, scratch codes);
  • One for living data (used scratch codes, timestamps for rate limit, etc.).

Copied from original issue: google/google-authenticator#166

PAM not working with xrdp

From @ThomasHabets on October 10, 2014 8:7

Original issue 362 created by [email protected] on 2014-02-28T22:55:39.000Z:

Works great with pam_unix, I don't know what the deal with xrdp is. I was able to get it working by making a trivial call to pam_get_user using the following minor change. Thank you for your continued work on this useful project.

static const char *get_user_name(pam_handle_t *pamh) {
  // Obtain the user's name
  const char *username;
  // Test Code
  pam_get_user(pamh, &username, NULL);
  //log_message(LOG_ERR, pamh,
  //            "Test user name %s available when checking", username );
  // END Test Code 
  if (pam_get_item(pamh, PAM_USER, (void *)&username) != PAM_SUCCESS ||
      !username || !*username) {
    log_message(LOG_ERR, pamh,
                "No user name available when checking verification code");
    return NULL;
  }
  return username;
}

Copied from original issue: google/google-authenticator#361

Compiler warnings when using Clang on FreeBSD 10.0

From @ThomasHabets on October 10, 2014 8:7

Original issue 427 created by rsimmons0 on 2014-08-26T16:12:51.000Z:

What steps will reproduce the problem?
Download current revision 1d0bf2e6cff7
Build libpam on FreeBSD 10.0

What is the expected output? What do you see instead?
No warnings expected. The warnings in question are below.

What version of the product are you using? On what operating system?
revision 1d0bf2e6cff7 on FreeBSD 10.0-RELEASE-p7

Please provide any additional information below.
cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -O2 -pipe -fno-strict-aliasing -o pam_google_authenticator.o pam_google_authenticator.c
pam_google_authenticator.c:777:49: warning: initializing 'char *' with an expression of type 'const char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
        .msg = prompt };
               ^~~~~~
pam_google_authenticator.c:973:44: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
  sprintf(strrchr(disallow, '\000'), " %d" + !*disallow, tm);
                                     ~~~~~~^~~~~~~~~~~~
pam_google_authenticator.c:973:44: note: use array indexing to silence this warning
  sprintf(strrchr(disallow, '\000'), " %d" + !*disallow, tm);
                                           ^
                                     &     [           ]
pam_google_authenticator.c:1132:48: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
      sprintf(strrchr(reset, '\000'), " %d%+d" + !*reset, tms[i], skews[i]);
                                      ~~~~~~~~~^~~~~~~~
pam_google_authenticator.c:1132:48: note: use array indexing to silence this warning
      sprintf(strrchr(reset, '\000'), " %d%+d" + !*reset, tms[i], skews[i]);
                                               ^
                                      &        [        ]
3 warnings generated.

cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -O2 -pipe -fno-strict-aliasing -o demo.o demo.c
demo.c:88:37: warning: 'memcpy' call operates on objects of type 'const char *' while the size is based on a different type 'const char **' [-Wsizeof-pointer-memaccess]
      memcpy(item, &service, sizeof(&service));
                   ~~~~~~~~          ^~~~~~~~
demo.c:88:37: note: did you mean to remove the addressof in the argument to 'sizeof' (and multiply it by the number of elements)?
      memcpy(item, &service, sizeof(&service));
                                    ^~~~~~~~
demo.c:93:34: warning: 'memcpy' call operates on objects of type 'char *' while the size is based on a different type 'char **' [-Wsizeof-pointer-memaccess]
      memcpy(item, &user, sizeof(&user));
                   ~~~~~          ^~~~~
demo.c:93:34: note: did you mean to remove the addressof in the argument to 'sizeof' (and multiply it by the number of elements)?
      memcpy(item, &user, sizeof(&user));
                                 ^~~~~
2 warnings generated.

cc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -O2 -pipe -fno-strict-aliasing -o pam_google_authenticator_demo.o pam_google_authenticator.c
pam_google_authenticator.c:777:49: warning: initializing 'char *' with an expression of type 'const char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
        .msg = prompt };
               ^~~~~~
pam_google_authenticator.c:973:44: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
  sprintf(strrchr(disallow, '\000'), " %d" + !*disallow, tm);
                                     ~~~~~~^~~~~~~~~~~~
pam_google_authenticator.c:973:44: note: use array indexing to silence this warning
  sprintf(strrchr(disallow, '\000'), " %d" + !*disallow, tm);
                                           ^
                                     &     [           ]
pam_google_authenticator.c:1132:48: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
      sprintf(strrchr(reset, '\000'), " %d%+d" + !*reset, tms[i], skews[i]);
                                      ~~~~~~~~~^~~~~~~~
pam_google_authenticator.c:1132:48: note: use array indexing to silence this warning
      sprintf(strrchr(reset, '\000'), " %d%+d" + !*reset, tms[i], skews[i]);
                                               ^
                                      &        [        ]
3 warnings generated.

cc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -O2 -pipe -fno-strict-aliasing -o pam_google_authenticator_testing.o pam_google_authenticator.c
pam_google_authenticator.c:777:49: warning: initializing 'char *' with an expression of type 'const char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
        .msg = prompt };
               ^~~~~~
pam_google_authenticator.c:973:44: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
  sprintf(strrchr(disallow, '\000'), " %d" + !*disallow, tm);
                                     ~~~~~~^~~~~~~~~~~~
pam_google_authenticator.c:973:44: note: use array indexing to silence this warning
  sprintf(strrchr(disallow, '\000'), " %d" + !*disallow, tm);
                                           ^
                                     &     [           ]
pam_google_authenticator.c:1132:48: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
      sprintf(strrchr(reset, '\000'), " %d%+d" + !*reset, tms[i], skews[i]);
                                      ~~~~~~~~~^~~~~~~~
pam_google_authenticator.c:1132:48: note: use array indexing to silence this warning
      sprintf(strrchr(reset, '\000'), " %d%+d" + !*reset, tms[i], skews[i]);
                                               ^
                                      &        [        ]
3 warnings generated.

cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -O2 -pipe -fno-strict-aliasing -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c:79:37: warning: 'memcpy' call operates on objects of type 'const char *' while the size is based on a different type 'const char **' [-Wsizeof-pointer-memaccess]
      memcpy(item, &service, sizeof(&service));
                   ~~~~~~~~          ^~~~~~~~
pam_google_authenticator_unittest.c:79:37: note: did you mean to remove the addressof in the argument to 'sizeof' (and multiply it by the number of elements)?
      memcpy(item, &service, sizeof(&service));
                                    ^~~~~~~~
pam_google_authenticator_unittest.c:84:34: warning: 'memcpy' call operates on objects of type 'char *' while the size is based on a different type 'char **' [-Wsizeof-pointer-memaccess]
      memcpy(item, &user, sizeof(&user));
                   ~~~~~          ^~~~~
pam_google_authenticator_unittest.c:84:34: note: did you mean to remove the addressof in the argument to 'sizeof' (and multiply it by the number of elements)?
      memcpy(item, &user, sizeof(&user));
                                 ^~~~~
2 warnings generated.

Copied from original issue: google/google-authenticator#426

Please document GA+publickey in RHEL/CentOS 7

I found dozens of articles about how to use GA with OpenSSH in RHEL/CentOS, but few that discuss combining GA with public-key auth, and most of those are for RHEL/CentOS 6. The consensus seems to be that /etc/ssh/sshd_config should include:

ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes

I have tried various flavors of 'auth' lines at top and bottom of /etc/pam.d/sshd, but either I get no GA prompt when I have a key, or I get a password prompt (which doesn't work -- we don't set UNIX passwords) instead of a TOTP prompt.

Please document this configuration.
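An added example for the configuration asked about (it comes neither from the project nor from the poster): the sshd_config lines already quoted, together with the /etc/pam.d/sshd change on RHEL/CentOS 7 that stops PAM from asking for a UNIX password. The stock file's remaining lines (pam_sepermit, postlogin, the account and session entries) are assumed to be left as shipped.

```text
# /etc/ssh/sshd_config: key first, then a keyboard-interactive round that is
# answered by PAM.  PasswordAuthentication stays off; ChallengeResponse is the
# mechanism that carries the OTP prompt.
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes

# /etc/pam.d/sshd on RHEL/CentOS 7: the stock file pulls the UNIX password
# check in through the password-auth substack.  Comment that line out and put
# the OTP module in its place; everything else in the file is unchanged.
auth       required     pam_sepermit.so
#auth      substack     password-auth
auth       required     pam_google_authenticator.so
auth       include      postlogin
```

With this stack the only auth module that prompts is pam_google_authenticator, so a user who presents a valid key gets exactly one "Verification code:" prompt and never a password prompt. Restart sshd and test from a second session before closing the one you are editing from: a typo in AuthenticationMethods locks everyone out.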

When set to forward_pass entering only PIN doesn't allow next level to prompt for login

From @ThomasHabets on October 10, 2014 8:6

Original issue 139 created by [email protected] on 2012-01-24T21:33:02.000Z:

I don't have any additional modules to pass the login to so I setup pam_unix to handle the second part. However if you only enter a pin then the login fails since pam_unix doesn't bother to prompt. Is there any way to allow pam_unix to prompt for a password if only a pin was entered for pam_google_authenticator? i.e. if the forwarded password doesn't authenticate the user?

Configurations:

/etc/pam.d/common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap

/etc/pam.d/sshd
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
auth required pam_google_authenticator.so nullok forward_pass
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password

Copied from original issue: google/google-authenticator#138

FreeRADIUS Google Dual Factor Authenticator

From @ThomasHabets on October 10, 2014 8:7

Original issue 326 created by achintha85 on 2013-09-26T06:52:57.000Z:

Hi, I've been following this article to set up FreeRADIUS Google Dual Factor Authenticator

http://www.supertechguy.com/help/security/freeradius-google-auth

After hours of testing I still can't get it to work. If my /etc/pam.d/radiusd looks like the following, it works well with the following command

radtest test test localhost 18120 testing123


# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session
--------------------------------------------------------

However if it looks like the following 

--------------------------------------------------------
#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

#@include common-auth
#@include common-account
#@include common-password
#@include common-session

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
--------------------------------------------------------

my log file says the following and auth fails.

--------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1 port 43185, id=111, length=56
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 18120
Thu Sep 26 16:38:19 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group authorize {...}
Thu Sep 26 16:38:19 2013 : Info: ++[preprocess] returns ok
Thu Sep 26 16:38:19 2013 : Info: ++[chap] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[mschap] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[digest] returns noop
Thu Sep 26 16:38:19 2013 : Info: [suffix] No '@' in User-Name = "test", looking up realm NULL
Thu Sep 26 16:38:19 2013 : Info: [suffix] No such realm "NULL"
Thu Sep 26 16:38:19 2013 : Info: ++[suffix] returns noop
Thu Sep 26 16:38:19 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Sep 26 16:38:19 2013 : Info: ++[eap] returns noop
Thu Sep 26 16:38:19 2013 : Info: [files] users: Matched entry DEFAULT at line 74
Thu Sep 26 16:38:19 2013 : Info: ++[files] returns ok
Thu Sep 26 16:38:19 2013 : Info: ++[expiration] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[logintime] returns noop
Thu Sep 26 16:38:19 2013 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Thu Sep 26 16:38:19 2013 : Info: ++[pap] returns noop
Thu Sep 26 16:38:19 2013 : Info: Found Auth-Type = PAM
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group authenticate {...}
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session
Thu Sep 26 16:38:19 2013 : Info: ++[pam] returns reject
Thu Sep 26 16:38:19 2013 : Info: Failed to authenticate the user.
Thu Sep 26 16:38:19 2013 : Info: Using Post-Auth-Type Reject
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group REJECT {...}
Thu Sep 26 16:38:19 2013 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> test
Thu Sep 26 16:38:19 2013 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Sep 26 16:38:19 2013 : Info: ++[attr_filter.access_reject] returns updated
Thu Sep 26 16:38:19 2013 : Info: Delaying reject of request 0 for 1 seconds
Thu Sep 26 16:38:19 2013 : Debug: Going to the next request
Thu Sep 26 16:38:19 2013 : Debug: Waking up in 0.9 seconds.
Thu Sep 26 16:38:20 2013 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 43185
Thu Sep 26 16:38:20 2013 : Debug: Waking up in 4.9 seconds.
Thu Sep 26 16:38:25 2013 : Info: Cleaning up request 0 ID 111 with timestamp +3
Thu Sep 26 16:38:25 2013 : Info: Ready to process requests.
--------------------------------------------------------

Can you please tell me what's the issue here?

I'm using Ubuntu latest

Copied from original issue: google/google-authenticator#325

Allow expansion of PAM environment variables in secret file name

From @ThomasHabets on October 10, 2014 8:6

Original issue 108 created by dwmw2b on 2011-09-26T22:55:27.000Z:

We want to use a system like gitolite with dual-factor authentication using SSH pubkey followed by google-authenticator. This runs everything as a single local UNIX user, and the individual gitolite users have different SSH keys installed, each of which is configured to run a specific gitolite command line which indicates which user to operate as.

Thus, rather than giving all the users a single GA key, we want to be able to use a secret file which depends on the public key that was used.

We achieve this with two relatively simple patches. The first (which I mention for reference) is in OpenSSH, to make it set a PAM environment variable indicating which public key was used to authenticate:
https://bugzilla.mindrot.org/show_bug.cgi?id=983#c43

The google-authenticator patch is relatively simple too. It simply extends the existing expansion of ${HOME} and ${USER} so that it can handle ${PAM:xxxxx} to expand arbitrary PAM variables too.

I can now use it like this:
auth sufficient pam_google_authenticator.so no-drop-privs secret=/etc/google-authenticator/${USER}${PAM:SSH_PUBKEY}

Copied from original issue: google/google-authenticator#108

No "Invalid verification code" received, but validation still fails

From @ThomasHabets on October 10, 2014 8:7

Original issue 373 created by [email protected] on 2014-03-28T22:01:36.000Z:

I've installed pam_google_authenticator on Centos 6.5, and set up a simple pam config to test it out (together with Authen::PAM::Simple) in perl.

The pam config is called "openvpn" and simply contains:
auth required pam_warn.so
auth required pam_google_authenticator.so

My perl script simply tries to authenticate a user ("test") with their google authenticator key.

If I use an old/invalid code, I see the following 2 lines (debug message followed by invalid verification code) in /var/log/secure (as expected)

Mar 28 17:52:55 wall perl: pam_warn(openvpn:auth): function=[pam_sm_authenticate] service=[openvpn] terminal=[<unknown>] user=[test] ruser=[<unknown>] rhost=[<unknown>]
Mar 28 17:52:55 wall openvpn(pam_google_authenticator)[23943]: Invalid verification code

When I use a "valid" code, I see the debug line, but no "Invalid verification code", YET pam still fails to authenticate.

(I've also tried this setup with openvpn and keep having the same issue -- no "Invalid verification code" message, yet I just can't authenticate).

Any ideas?

thanks

Copied from original issue: google/google-authenticator#372

gmake deletes /dev/null on FreeBSD

From @ThomasHabets on October 10, 2014 8:7

Original issue 319 created by fireduck on 2013-09-19T19:48:45.000Z:

What steps will reproduce the problem?

  1. Use FreeBSD 8.0-RELEASE (Probably any modern one as well)
  2. As root in libpam run gmake

What is the expected output?

Expect library to be built and /dev/null to still exist.

What do you see instead?

Library is built, but /dev/null no longer exists.

What version of the product are you using? On what operating system?

Using latest source from git as of 2013.09.19.

Work around:

After doing any make commands, do:

mknod /dev/null c 0 31

This will remake /dev/null. If you don't do this, you'll be unable to ssh in.

Log:

: ls -la /dev/null
crw-rw-rw- 1 root wheel 0, 7 Sep 19 12:43 /dev/null
root@silo /root/google-authenticator.git/libpam
: uname -a
FreeBSD silo.int.fireduck.com 8.0-RELEASE-p4 FreeBSD 8.0-RELEASE-p4 # 0: Mon Jul 12 20:55:11 UTC 2010 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
root@silo /root/google-authenticator.git/libpam
: gmake
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o google-authenticator.o google-authenticator.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o base32.o base32.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o hmac.o hmac.c
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o sha1.o sha1.c
gcc -g -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator.o pam_google_authenticator.c
pam_google_authenticator.c: In function 'request_pass':
pam_google_authenticator.c:776: warning: initialization discards qualifiers from pointer target type
gcc -shared -g -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o demo.o demo.c
gcc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_demo.o pam_google_authenticator.c
pam_google_authenticator.c: In function 'request_pass':
pam_google_authenticator.c:776: warning: initialization discards qualifiers from pointer target type
gcc -g -rdynamic -o demo demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o
gcc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_testing.o pam_google_authenticator.c
pam_google_authenticator.c: In function 'request_pass':
pam_google_authenticator.c:776: warning: initialization discards qualifiers from pointer target type
gcc -shared -g -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o base32.o hmac.o sha1.o -lpam
gcc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
gcc -g -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc
root@silo /root/google-authenticator.git/libpam
: ls -la /dev/null
ls: /dev/null: No such file or directory

Copied from original issue: google/google-authenticator#318

Using SFTP with google-authenticator

From @ThomasHabets on October 10, 2014 8:7

Original issue 289 created by ZhangKPC on 2013-07-29T22:21:52.000Z:

What steps will reproduce the problem?

  1. Using an SFTP application such as FileZilla, attempt to login using username/password.
  2. Password will be denied.

What is the expected output? What do you see instead?
Successful login; denied password instead.

What version of the product are you using? On what operating system?
Latest version on CentOS 6 64bit.

Please provide any additional information below.
Is there a way to disable the authenticator for port 22 (SFTP) or, even better, have an application-specific password?

Copied from original issue: google/google-authenticator#288

Inconsistent window_size description in google-authenticator tool

From @pv2b on July 28, 2015 10:15

When enrolling a new user into google-authenticator, using the google-authenticator tool, this question is asked:

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)

I was curious as how this works, it turns out that if you choose "y", the following is dropped into the configuration file:

" WINDOW_SIZE 17

This would seem to mean that there are 17 concurrently valid codes, each of them valid for 30 seconds. That would mean a window of 17/2 minutes = 8m30s, a.k.a. +/- about 4 minutes.

If you choose "n", then nothing is written to the file, and the default in the PAM module is used, which is 3 (pam_google_authenticator.c - window_size function). This means a window of 3/2 minutes = 1m30s, a.k.a. +/- 30-60 seconds.

The problem is that the question above confuses window size with maximum acceptable time difference. The 1m30s referred to is a window size, and the ~4 minutes is a maximum acceptable time difference. The maximum acceptable time difference is approximately half the window size.

This could be resolved either by changing the descriptive text of the question, or by changing the behaviour to reduce the WINDOW_SIZE.

Copied from original issue: google/google-authenticator#510

Generate new eight-digit emergency codes for Authenticator for PAM.

From @ThomasHabets on October 10, 2014 8:6

Original issue 248 created by [email protected] on 2013-02-08T00:05:10.000Z:

What steps will reproduce the problem?

  1. Wish to generate new emergency codes for times when I don't have Authenticator on me.
  2. Setting up Authenticator only gives me five codes.
  3. I would like more.

What version of the product are you using? On what operating system?
pam_google_authenticator.so

Please provide any additional information below.
When setting up Google Authenticator for PAM, it gives me five emergency codes. I'd like to generate more as a just-in-case. Is this at all possible?

Copied from original issue: google/google-authenticator#247

Always get "Invalid verification code" under OS X 10.11.6

Installed as described, but I always get the error "Invalid verification code" in /var/log/system.log. When I try a scratch code, it works.
System: OS X 10.11.6

/etc/ssh/sshd_config
# sshd: auth account password session
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
auth       required       pam_google_authenticator.so debug nullok echo_verification_code
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

/var/log/system.log

Jan  4 10:47:57 my-mac sshd(pam_google_authenticator)[9130]: debug: start of google_authenticator for my-userid
Jan  4 10:47:57 my-mac sshd(pam_google_authenticator)[9130]: Secret file permissions are 0400. Allowed permissions are 0600
Jan  4 10:47:57 my-mac sshd(pam_google_authenticator)[9130]: debug: "/Users/my-userid/.google_authenticator" read
Jan  4 10:47:57 my-mac sshd(pam_google_authenticator)[9130]: debug: shared secret in "/Users/my-userid/.google_authenticator" processed
Jan  4 10:48:06 my-mac sshd(pam_google_authenticator)[9130]: debug: no scratch code used from "/Users/my-userid/.google_authenticator"
Jan  4 10:48:06 my-mac sshd(pam_google_authenticator)[9130]: Invalid verification code

Another try with a scratch code

Jan  4 10:54:00 my-mac sshd(pam_google_authenticator)[9156]: debug: start of google_authenticator for my-userid
Jan  4 10:54:00 my-mac sshd(pam_google_authenticator)[9156]: Secret file permissions are 0400. Allowed permissions are 0600
Jan  4 10:54:00 my-mac sshd(pam_google_authenticator)[9156]: debug: "/Users/my-userid/.google_authenticator" read
Jan  4 10:54:00 my-mac sshd(pam_google_authenticator)[9156]: debug: shared secret in "/Users/my-userid/.google_authenticator" processed
Jan  4 10:54:01 my-mac sshd(pam_google_authenticator)[9156]: debug: scratch code XXXXXXXX used and removed from "/Users/my-userid/.google_authenticator"
Jan  4 10:54:01 my-mac sshd(pam_google_authenticator)[9156]: Accepted google_authenticator for my-userid
Jan  4 10:54:01 my-mac sshd(pam_google_authenticator)[9156]: debug: "/Users/my-userid/.google_authenticator" written
Jan  4 10:54:01 my-mac sshd[9154]: Accepted keyboard-interactive/pam for my-userid from X.X.X.X port 50856 ssh2
Jan  4 10:54:01 my-mac sshd: my-userid [priv][9154]: USER_PROCESS: 9157 ttys003

Authenticator fails to login into the system with disk-full condition

From @ThomasHabets on October 10, 2014 8:7

Original issue 391 created by yurivict on 2014-06-13T22:40:11.000Z:

When the remote host has the disk-full condition, google-authenticator makes it impossible to fix it remotely, because the login always fails with this message in auth.log:
Jun 13 15:30:38 eagle sshd(pam_google_authenticator)[82081]: Failed to update secret file "/home/yuri/.google_authenticator"

This is a very serious problem for an administrator if such situation happens. It locks the remote administrator out.

Copied from original issue: google/google-authenticator#390

Window Size Bug and Rate Limit Formatting Bug

From @ThomasHabets on October 10, 2014 8:7

Original issue 332 created by SordidArchetype on 2013-10-08T19:00:28.000Z:

What is the problem?

  1. Setting the -W flag on the google-authenticator utility should set the Window Size to its minimum size. The value it actually sets is -1, which the pam module rejects.

  2. Using the rate limiting switches at the command line of the google-authenticator utility will cause the .google_authenticator secret file to display the RATE_LIMIT directive without a space. (Setting this option interactively will show the space.)

What version of the product are you using? On what operating system?
Latest release on Debian 6 and Debian 7

Please provide any additional information below.

I have created a patch for both issues. The details are as follows...

When running google-authenticator interactively, it asks for the window size to be changed from 1 minute 30 seconds to 4 minutes.
If 4 minutes is chosen, an entry will be added to .google_authenticator secrets file.
If 1 minute 30 seconds is chosen, it stays at this minimum value and does not add an entry to the secrets file.
I have therefore patched the google-authenticator.c source to only add the window size to the secrets file if it has a value greater than -1. This should allow the -W flag to be used with the same effect as selecting 'N' (1 minute and 30 seconds) in interactive mode.
The -w (lowercase) flag can still be used to manually set a larger value.

I have also patched the same source to properly output a space in the RATE_LIMIT directive so that the interactive and non-interactive modes match in behaviour.

My patch is attached to this ticket.

Copied from original issue: google/google-authenticator#331

Update man pages

From @ThomasHabets on October 10, 2014 8:7

Original issue 285 created by tomekczyz on 2013-07-20T23:26:30.000Z:

There are a lot of nice examples in README file (for example with secret= or with nullok) but there is not a word about it in a man. In man there is a link to a wiki page which also does not cover the topic.

It would be nice to copy/paste it into the man page, or just write that there is a README with some examples. But I would prefer to paste the examples into the man page, as not every distribution includes the README in its package (Debian has not included it yet), but that is not the point.

Copied from original issue: google/google-authenticator#284

Building google-authenticator on illumos/Solaris fails

From @ThomasHabets on October 10, 2014 8:7

Original issue 317 created by alasdairrr on 2013-09-18T10:16:38.000Z:

What steps will reproduce the problem?

  1. Download google-authenticator/libpam
  2. Type gmake
  3. Watch failure

What is the expected output? What do you see instead?

Expected output is a completed build. What I see instead is:

gcc --std=gnu99 -Wall -O2 -g -fPIC -c -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -fvisibility=hidden -o demo.o demo.c
demo.c: In function 'pam_get_item':
demo.c:97: warning: initialization from incompatible pointer type
demo.c: At top level:
demo.c:106: error: conflicting types for 'pam_set_item'
/usr/include/security/pam_appl.h:175: note: previous declaration of 'pam_set_item' was here

What version of the product are you using? On what operating system?

Applies to 1.0, and the latest git version at the date of filing the bug (a096a628455a05c5ff3b651e6aeb1dad9a646742).

Operating system is SmartOS (everycity_20130902T111649Z) but this applies to all illumos based distributions, as well as OpenSolaris, Solaris 10 and Solaris 11.

Please provide any additional information below.

The problem here is that on Linux, pam_get_item and pam_set_item both have const values on the last argument:

pam_get_item(const pam_handle_t *pamh, int item_type, const void **item);
pam_set_item(pam_handle_t *pamh, int item_type, const void *item);

On illumos/Solaris, only pam_set_item has a const, the pam_get_item does not:

pam_get_item(const pam_handle_t *pamh, int item_type, void **item);
pam_set_item(pam_handle_t *pamh, int item_type, const void *item);

I have filed a bug against illumos for this as it seems a little inconsistent, but unfortunately the pam_get_item/pam_set_item are stable committed interfaces, so I doubt this can be changed. The bug FYI is here: https://www.illumos.org/issues/4144

Some attempts have been made to fix building google-authenticator libpam on Solaris already, and the fix is "almost" correct. But the author of the patch has assumed that on Solaris both pam_get_item and pam_set_item don't have const present, which isn't true. To rectify this, please see the attached patch.

This patch should work on all illumos/Solaris variants.

Copied from original issue: google/google-authenticator#316

pam_google_authenticator needs "debug" option for system administrators

From @ThomasHabets on October 10, 2014 8:6

Original issue 102 created by jaearick on 2011-09-09T19:56:26.000Z:

Most PAM modules have a "debug" option that can be added to the appropriate PAM configuration file, eg:

auth required pam_google_authenticator.so debug

for additional syslogging, in order for sysadmins to see what is going on during PAM configuration. pam_google_authenticator lacks this feature. The attached patch file in "diff -c" format adds this feature. Example output would look like:

sshd(pam_google_authenticator)[19880]: debug: start of google_authenticator for jaearick
sshd(pam_google_authenticator)[19880]: debug: "/export/home/admin/jaearick/.google_authenticator" read
sshd(pam_google_authenticator)[19880]: debug: shared secret in "/export/home/admin/jaearick/.google_authenticator" processed
sshd(pam_google_authenticator)[19880]: debug: verification code 270445 received
sshd(pam_google_authenticator)[19880]: debug: checking scratch codes in "/export/home/admin/jaearick/.google_authenticator"
sshd(pam_google_authenticator)[19880]: debug: no scratch code used from "/export/home/admin/jaearick/.google_authenticator"
sshd(pam_google_authenticator)[19880]: debug: "/export/home/admin/jaearick/.google_authenticator" rewritten
sshd(pam_google_authenticator)[19880]: debug: end of google_authenticator for jaearick

What version of the product are you using? On what operating system?

SUSE 11, Linux 2.6.32.45-0.3, x86_x64
Redhat 6.1

Please provide any additional information below.

While I did not really need a debug option with SUSE 11 (the pam module worked), it is proving to be very useful while trying to get Redhat 6.1 PAM configuration going.

Copied from original issue: google/google-authenticator#102

the demo and unittest code in PAM generates compiler errors

From @ThomasHabets on October 10, 2014 8:7

Original issue 381 created by dterrell on 2014-04-18T19:54:31.000Z:

What steps will reproduce the problem?

  1. make clean && make in the libpam directory

What is the expected output? What do you see instead?

No errors/warnings are expected. Instead I see a number of these errors:
demo.c:88:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &service, sizeof(&service));

What version of the product are you using? On what operating system?

Ubuntu Linux. master and the 1.0 download both have the same problem.

Please provide any additional information below.

Trivial patch attached.

Copied from original issue: google/google-authenticator#380

Use libqrencode also on OSX

From @ThomasHabets on October 10, 2014 8:7

Original issue 257 created by Alexander.Schneider on 2013-03-31T11:36:02.000Z:

I have installed libqrencode on my OSX system (10.8.2) with brew, and therefore the needed library is available on the system.
Currently google-authenticator does not use it, because of a different name of the lib.

Attached is an easy patch to solve this issue.

Copied from original issue: google/google-authenticator#256

Suggest that users copy the GA seed key directly rather than using the URL

Going through Google to produce a scannable QR code seems like an iffy bet, as it embeds lots of security information we'd prefer neither Google nor anyone sniffing (perhaps with Blue Coat or other MitM proxy) capture. The README should probably suggest paranoid users manually set up their TOTP authenticator with the seed key instead.

PAM module issuer

From @ThomasHabets on October 10, 2014 8:7

Original issue 392 created by [email protected] on 2014-06-18T04:24:13.000Z:

Running google-authenticator should ask for issuer so that the generated QR code URL contains it and Google Authenticator displays an issuer (which actually looks like a title/name) instead of remaining blank.

What version of the product are you using? On what operating system?
Ubuntu 12.04

Copied from original issue: google/google-authenticator#391

Failed to change user id to "root"

From @ThomasHabets on October 10, 2014 8:6

Original issue 203 created by william2003 on 2012-08-21T03:46:08.000Z:

What steps will reproduce the problem?

  1. Install google-authenticator on Ubuntu host
  2. Copy google-authenticator & pam_google_authenticator.so to ESXi 5.0 host
  3. Generate token using google-authenticator which stores /.google-authenticator
  4. Modify /etc/pam.d/system-auth

# %PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_access.so
auth required /lib/security/$ISA/pam_per_user.so /etc/security/login.map
auth required /lib/security/$ISA/pam_google_authenticator.so secret=/.google-authenticator
account required /lib/security/$ISA/pam_per_user.so /etc/security/login.map

session required /lib/security/$ISA/pam_per_user.so /etc/security/login.map

password include passwd

  5. Update /etc/ssh/sshd_config with ChallengeResponseAuthentication yes
  6. Reload SSH /etc/init.d/SSH restart
  7. Login

What is the expected output? What do you see instead?
Expecting system to accept password and prompt for code, but just keeps prompting for login

/var/log/syslog shows the following error message:
2012-08-21T03:40:00Z sshd(pam_google_authenticator)[1355443]: Failed to change user id to "root"

What version of the product are you using? On what operating system?
Latest version, trying this on VMware ESXi 5.0

Please provide any additional information below.

Copied from original issue: google/google-authenticator#202

Specific google_authenticator key generation options do not allow auth

From @ThomasHabets on October 10, 2014 8:7

Original issue 394 created by acesmythe on 2014-06-27T00:31:33.000Z:

What steps will reproduce the problem?

  1. (CentOS 6.5) Install via the steps listed at http://www.techrepublic.com/blog/linux-and-open-source/two-factor-ssh-authentication-via-google-secures-linux-logins/ (Short version; get the git, compile, edit the necessary pam and sshd configs, restart sshd)
  2. Generate new time-based codes with google_authenticator enabling either rate-limiting or disallowing multiple uses

What is the expected output? What do you see instead?

If either of those options is selected, the generated codes do not allow me to authenticate. If they are both (and only both) disabled, authentication works fine (showing that this is not a time-related issue).

An interesting note is that even the backup codes fail to function with this issue. With both items disabled, backup codes work fine.

What version of the product are you using? On what operating system?

Please provide any additional information below.

Copied from original issue: google/google-authenticator#393

Does not support 8 digits codes

From @ThomasHabets on October 10, 2014 8:7

Original issue 327 created by charly.rohart on 2013-09-26T14:25:45.000Z:

Can you add support for 8 Digits OTP codes?

6 digits is the most common use, OK, but 8 is frequently preferred when strong security is required.
The OATH internal code is the same in both; just a minor adjustment is required to support 8 digits.
Is it planned in the near future on the roadmap?

Copied from original issue: google/google-authenticator#326

TEST_SKEW fails if user has a .google_authenticator file

From @ThomasHabets on October 10, 2014 8:7

Original issue 280 created by sweharris on 2013-06-27T22:30:50.000Z:

What steps will reproduce the problem?

  1. Create a ~/.google_authenticator file
  2. make test

What is the expected output? What do you see instead?
Test fails in TEST_SKEW

This section in pam_google_authenticator_unittest.c
assert(pam_sm_open_session(NULL, 0, 1,
(const char *[]){ "noskewadj", 0 }) ==

does not contain the secret=/tmp/..... value from targv[0] and so if the user building the code has a defined authenticator then the test may fail.

Copied from original issue: google/google-authenticator#279

Compilation of (part of) libpam fails on SunOS 5.11 oi_151a7 (OpenIndiana)

From @ThomasHabets on October 10, 2014 8:6

Original issue 234 created by olaf.lists on 2012-12-19T09:50:55.000Z:

-> What steps will reproduce the problem?

  1. Download either current repository or released package
    2a. CC=/opt/gcc/4.4.4/bin/gcc make (to use gcc-illumos 4.4.4)
    2b. modify Makefile to remove -fvisibility=hidden option, then "make" (to use gcc 3.4.3)

-> What is the expected output? What do you see instead?

Compilation complete expected, but instead:

olaf@openindiana:~/tools/libpam-google-authenticator-1.0$ CC=/opt/gcc/4.4.4/bin/gcc make
/opt/gcc/4.4.4/bin/gcc --std=gnu99 -Wall -O2 -g -fPIC -c -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -fvisibility=hidden -o google-authenticator.o google-authenticator.c
/opt/gcc/4.4.4/bin/gcc --std=gnu99 -Wall -O2 -g -fPIC -c -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -fvisibility=hidden -o base32.o base32.c
/opt/gcc/4.4.4/bin/gcc --std=gnu99 -Wall -O2 -g -fPIC -c -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -fvisibility=hidden -o hmac.o hmac.c
/opt/gcc/4.4.4/bin/gcc --std=gnu99 -Wall -O2 -g -fPIC -c -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -fvisibility=hidden -o sha1.o sha1.c
/opt/gcc/4.4.4/bin/gcc -g -mimpure-text -o google-authenticator google-authenticator.o base32.o hmac.o sha1.o -ldl
/opt/gcc/4.4.4/bin/gcc --std=gnu99 -Wall -O2 -g -fPIC -c -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -fvisibility=hidden -o pam_google_authenticator.o pam_google_authenticator.c
pam_google_authenticator.c: In function ‘converse’:
pam_google_authenticator.c:121: warning: passing argument 2 of ‘conv->conv’ from incompatible pointer type
pam_google_authenticator.c:121: note: expected ‘struct pam_message *’ but argument is of type ‘const struct pam_message *
pam_google_authenticator.c: In function ‘get_first_pass’:
pam_google_authenticator.c:765: warning: passing argument 3 of ‘pam_get_item’ from incompatible pointer type
/usr/include/security/pam_appl.h:186: note: expected ‘void *’ but argument is of type ‘const void *
pam_google_authenticator.c: In function ‘request_pass’:
pam_google_authenticator.c:776: warning: initialization discards qualifiers from pointer target type
/opt/gcc/4.4.4/bin/gcc -shared -g -mimpure-text -o pam_google_authenticator.so pam_google_authenticator.o base32.o hmac.o sha1.o -lpam
/opt/gcc/4.4.4/bin/gcc --std=gnu99 -Wall -O2 -g -fPIC -c -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -fvisibility=hidden -o demo.o demo.c
demo.c: In function ‘pam_get_item’:
demo.c:97: warning: initialization from incompatible pointer type
demo.c: At top level:
demo.c:106: error: conflicting types for ‘pam_set_item’
/usr/include/security/pam_appl.h:175: note: previous declaration of ‘pam_set_item’ was here

make: *** [demo.o] Error 1

That means apparently important warnings in the pam_google_authenticator.c file and a real error in demo.c.
In a software that concerns security, I would feel safer if warnings were all taken care of.

-> What version of the product are you using? On what operating system?
Released version or current development version on SunOS 5.11 oi_151a7 (OpenIndiana)

Copied from original issue: google/google-authenticator#233

Generate QR code locally using JS or something if qrencode is not available

From @ThomasHabets on October 10, 2014 8:6

Original issue 216 created by [email protected] on 2012-10-11T19:04:00.000Z:

When you run google-authenticator it generates a URL that you pop into your browser; let's say it was http://example.com/bla?code=foo. Even though it's Google's servers, you're still sending it to their servers, which may or may not be wanted by most users.

I realise you guys want to make use of your google graph engine however many people won't be happy with sending all their secret keys to google.

Instead of providing a url that sends the secret code to googles servers, why not use javascript to generate the QR code and put the secret value in a hash value such as
http://example.com/qr#mysupersecretkeyhere
so the javascript pulls it out and generates the qr code and it doesn't get sent over the network. I hacked together a version of this from some public javascript qr scripts that shouldn't be too hard to find/write.

Copied from original issue: google/google-authenticator#215

Display QR code without generating a new secret key

From @ShmuelLevine on August 23, 2016 15:30

Presently, I have not found any way to persuade google-authenticator to display the QR code for my user account without having to generate a new secret key.

I've just recently gotten a new phone and while trying to set up google authenticator on the new phone, I was looking for a way to simplify adding this account to the mobile app without changing the secret key (which would have caused my other devices to stop working properly).

I am well aware that I can obtain the secret key from the ~/.google-authenticator file. However, given that there is already an interface with libqrencode and it works properly with a newly-generated key, I would like to see the same functionality made available to display an existing secret key as well.

Copied from original issue: google/google-authenticator#564

pam_google-authenticator $ pamtester: Cannot make/remove an entry for the specified session

From @ThomasHabets on October 10, 2014 8:6

Original issue 138 created by [email protected] on 2012-01-18T23:10:09.000Z:

I recently compiled pam_google-authenticator and I am trying to test it with pamtester using my Google account, and it tells me:

[root@hserverdev ~]# pamtester login [email protected] open_session
$ pamtester: Cannot make/remove an entry for the specified session

My system is rhel 5.7 and rpms are

[root@hserverdev ~]# rpm -qa "pam*"
pam_ccreds-3-5
pam-devel-0.99.6.2-6.el5_5.2
pam_smb-1.1.7-7.2.1
pam_pkcs11-0.5.3-23
pam-google-authenticator-1.0-1
pam_passwdqc-1.0.2-1.2.2
pam_passwdqc-1.0.2-1.2.2
pam_smb-1.1.7-7.2.1
pam-0.99.6.2-6.el5_5.2
pamtester-0.1.2-1.el5.rf
pam_krb5-2.2.14-21.el5

Can you help me?

Copied from original issue: google/google-authenticator#137

`make test` FAILs at error: "Assertion `num_prompts_shown == expected_prompts_shown' failed.; Invalid verification code"

From @ghost on December 28, 2014 4:0

checking out latest source

git clone https://code.google.com/p/google-authenticator
git log | head
    commit 1d0bf2e6cff7a5e503580d29ca33634ce09386ca
    Author: Thomas Habets <[email protected]>
    Date:   Fri Feb 14 17:17:42 2014 +0000

        Add space in config file between quote and RATE_LIMIT, like spec says.

    commit 86af4c32a2940b13397cac52eee435e6acedb8a5
    Author: Thomas Habets <[email protected]>
    Date:   Thu Jan 30 15:17:38 2014 +0000

building on

lsb_release -rd
    Description:    openSUSE 13.2 (Harlequin) (x86_64)
    Release:        13.2

with

gcc -V
    gcc: error: unrecognized command line option ‘-V’
    gcc: fatal error: no input files
    compilation terminated.
    [1083][root@onyxEdgar: ../src/google-authenticator]$ gcc -v
    Using built-in specs.
    COLLECT_GCC=gcc
    COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/5/lto-wrapper
    Target: x86_64-suse-linux
    Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,java,ada,go --with-gxx-include-dir=/usr/include/c++/5 --enable-ssp --disable-libssp --disable-libvtv --disable-plugin --with-bugurl=http://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --disable-libgcj --with-slibdir=/lib64 --with-system-zlib --enable-__cxa_atexit --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-version-specific-runtime-libs --enable-linker-build-id --enable-linux-futex --program-suffix=-5 --without-system-libunwind --enable-multilib --with-arch-32=i586 --with-tune=generic --build=x86_64-suse-linux --host=x86_64-suse-linux
    Thread model: posix
    gcc version 5.0.0 20141215 (experimental) [trunk revision 218749] (SUSE Linux) 

completes ok

cd google-authenticator/libpam
make
    (no errors)

but test FAILs

make test
    ./pam_google_authenticator_unittest
    Testing base32 encoding
    Testing base32 decoding
    Testing HMAC_SHA1
    Loading PAM module

    Running tests, querying for verification code
    Testing failed login attempt
    Testing required number of digits
    Testing a blank response
    Test handling of missing state files
    Testing successful login
    Testing WINDOW_SIZE option
    Testing DISALLOW_REUSE option
    Testing RATE_LIMIT option
    Testing TIME_SKEW
    pam_google_authenticator_unittest: pam_google_authenticator_unittest.c:137: verify_prompts_shown: Assertion `num_prompts_shown == expected_prompts_shown' failed.
    Invalid verification code
    Makefile:36: recipe for target 'test' failed
    make: *** [test] Error 1

seems to have been raised before,

[CentOS] CentOS 5.9 and google-authenticator
http://lists.centos.org/pipermail/centos/2013-June/135586.html

but, afaict, no resolution there

Copied from original issue: google/google-authenticator#470

pam_google_authenticator.so on RHEL 6.6 never prompts

From @rpural on May 22, 2015 19:34

I have pam_google_authenticator.so working in RedHat RHEL 5.11, but in 6.6, it never prompts.

After the completed make install, ssh signon creates the following log messages:

May 22 13:45:55 rofrpn801a sshd[10770]: PAM unable to dlopen(/lib64/security/pam-google-authenticator.so): /lib64/security/pam-google-authenticator.so: cannot open shared object file: No such file or directory
May 22 13:45:55 rofrpn801a sshd[10770]: PAM adding faulty module: /lib64/security/pam-google-authenticator.so
May 22 13:45:58 rofrpn801a sshd[10772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=r0199176.mayo.edu user=ts00086
May 22 13:45:58 rofrpn801a sshd[10772]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=r0199176.mayo.edu user=ts00086
May 22 13:45:58 rofrpn801a sshd[10770]: Accepted keyboard-interactive/pam for ts00086 from 172.23.189.230 port 60087 ssh2
May 22 13:45:58 rofrpn801a sshd[10770]: pam_unix(sshd:session): session opened for user ts00086 by (uid=0)

Ok... So it can't find the file. I created a symlink where pam expected to find the file:

ln -s /usr/local/lib/security/pam_google_authenticator.so /lib64/security/pam_google_authenticator.so

And tried again. Now there are no error messages at all, ssh never prompts for the authentication code, and still lets me log in with just the password:

May 22 13:49:19 rofrpn801a sshd[11351]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=r0199176.mayo.edu user=ts00086
May 22 13:49:19 rofrpn801a sshd[11351]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=r0199176.mayo.edu user=ts00086
May 22 13:49:19 rofrpn801a sshd[11349]: Accepted keyboard-interactive/pam for ts00086 from 172.23.189.230 port 60100 ssh2

I've run out of ideas. Any idea why 6.6 hates google_authenticator? Is there any way to turn on more debugging output?

Copied from original issue: google/google-authenticator#502
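The first log excerpt in the post above is the one a defender should never let pass silently: sshd reported a faulty PAM module and, in the same process, accepted a keyboard-interactive login, so a second factor that the configuration asked for was never applied. The following is an added example for this thread, not code from google-authenticator-libpam. It correlates "PAM unable to dlopen" / "PAM adding faulty module" lines with later "Accepted ... for" lines by sshd PID, and checks whether the missing module name differs from an installed one only by hyphen-versus-underscore or by directory, the two mismatches visible in the post. The log lines are constructed to mirror the ones posted (host name, user, addresses and the installed-module list are placeholders).

```python
"""Flag sshd logins accepted by a process that reported a PAM module it
could not load, and suggest the installed module the name was meant for.

Added example for this thread, not part of google-authenticator-libpam.
The log lines below are constructed to mirror the post above; host name,
user, addresses and the installed-module list are placeholders.
"""
import os
import re

SAMPLE_LOG = """\
May 22 13:45:55 host1 sshd[10770]: PAM unable to dlopen(/lib64/security/pam-google-authenticator.so): /lib64/security/pam-google-authenticator.so: cannot open shared object file: No such file or directory
May 22 13:45:55 host1 sshd[10770]: PAM adding faulty module: /lib64/security/pam-google-authenticator.so
May 22 13:45:58 host1 sshd[10772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=alice
May 22 13:45:58 host1 sshd[10772]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=alice
May 22 13:45:58 host1 sshd[10770]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 60087 ssh2
May 22 13:49:19 host1 sshd[11351]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=alice
May 22 13:49:19 host1 sshd[11349]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 60100 ssh2
"""

# Constructed list standing in for `ls /usr/local/lib/security /lib64/security`.
INSTALLED_MODULES = [
    "/usr/local/lib/security/pam_google_authenticator.so",
    "/lib64/security/pam_unix.so",
    "/lib64/security/pam_sss.so",
]

# Linux-PAM reports a module it cannot dlopen on two lines; either one is
# enough to mark the sshd process that owns the PAM stack.
FAULTY_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: PAM (?:unable to dlopen\((?P<path>[^)]+)\)"
    r"|adding faulty module: (?P<path2>\S+))"
)
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def find_logins_with_faulty_pam(log_text):
    """Return one alert per accepted login whose sshd process had earlier
    reported a PAM module it could not load."""
    faulty = {}  # sshd pid -> path of the module that failed to load
    alerts = []
    for line in log_text.splitlines():
        m = FAULTY_RE.search(line)
        if m:
            faulty[m.group("pid")] = m.group("path") or m.group("path2")
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group("pid") in faulty:
            alerts.append({
                "pid": m.group("pid"),
                "user": m.group("user"),
                "ip": m.group("ip"),
                "method": m.group("method"),
                "module": faulty[m.group("pid")],
            })
    return alerts


def nearest_installed_module(missing_path, installed):
    """Installed modules whose file name matches the missing one once
    '-' and '_' are treated alike, regardless of directory."""
    want = os.path.basename(missing_path).replace("-", "_")
    return [p for p in installed
            if os.path.basename(p).replace("-", "_") == want]


if __name__ == "__main__":
    for alert in find_logins_with_faulty_pam(SAMPLE_LOG):
        print("login accepted with faulty PAM module:", alert)
        print("  did you mean:", nearest_installed_module(alert["module"], INSTALLED_MODULES))
```

The second excerpt in the post, where nothing is logged and no prompt appears, is outside what this rule can see: an accepted keyboard-interactive login looks the same with or without the OTP step, so alerting on the module-load failure is the point. For an answer to "never prompts", the things to confirm are that the PAM configuration names the module exactly as it is installed (`pam_google_authenticator.so`, underscores), that the file sits where PAM searches, and that sshd has `UsePAM yes` and `ChallengeResponseAuthentication yes` so the module's prompt can reach the client at all.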
