PAM, RADIUS, Google Authenticator and Two Factor Auth


Lots of Googling led me to https://bugs.launchpad.net/percona-server/+bug/1274821 which describes a similar problem. As documented there, this worked:

 auth requisite pam_google_authenticator.so forward_pass
 auth required pam_unix.so use_first_pass  
 account required pam_unix.so audit
 account required pam_permit.so

Although why that works remains a mystery to me, as the MySQL issue is about using PAM as non-root, and I have FreeRADIUS set up to run as root.
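A small linter for the stacks discussed in this thread, added here as an example and not part of the original posts: it flags a `forward_pass` rule with no later `auth` module reading the forwarded password, and an `auth` stack with no `account` rules, which is the difference between the question's config and the answer's. The function names and finding codes are hypothetical, and the account check assumes the calling service runs PAM account management after authentication.

```python
import re

# Constructed sample inputs: the stack from the question and the stack from the answer.
QUESTION_STACK = """\
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
"""
ANSWER_STACK = QUESTION_STACK + """\
account required pam_unix.so audit
account required pam_permit.so
"""

RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Return (type, control, module, args) for each rule in a pam.d service file.
    Comments, blank lines and @include directives are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE.match(line)
        if m:
            rules.append((m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()))
    return rules

def lint(text):
    """Return a list of finding codes (hypothetical names) for one service file."""
    rules = parse_stack(text)
    auth = [r for r in rules if r[0] == "auth"]
    findings = []
    for i, (_, _, _, args) in enumerate(auth):
        if "forward_pass" in args:
            # The forwarded password is only checked if a later auth module reads it.
            later_args = {a for r in auth[i + 1:] for a in r[3]}
            if not later_args & {"use_first_pass", "try_first_pass"}:
                findings.append("forward_pass-not-consumed")
    # Assumption: the service also runs the account stack, so one must be defined.
    if auth and not any(r[0] == "account" for r in rules):
        findings.append("no-account-stack")
    return findings

if __name__ == "__main__":
    for name, stack in (("question", QUESTION_STACK), ("answer", ANSWER_STACK)):
        print(name, lint(stack) or "ok")
```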


Author: Jeff Leyser

Updated on September 18, 2022

Comments

  • Jeff Leyser, over 1 year

    I have set up FreeRADIUS, PAM and the Google Authenticator. FreeRADIUS calls PAM, which in turn calls the Google pam_google_authenticator.so library. That all works successfully.

    However, that's not really 2 factor auth, as all one needs is the OTP from the Google App. To get 2FA, I want to use the local Linux password. Since this is through RADIUS, I can't prompt for both passwords, and need to combine them in one. According to the Google Auth README, and various blogs I found, I should do this in PAM:

       auth requisite pam_google_authenticator.so forward_pass
       auth required pam_unix.so use_first_pass  
    

    And then I can put the password and OTP at the same prompt, e.g. MyPass123456

    But it never works. With debugging on, I can see that pam_unix.so checks and accepts the password from the user, but then fails anyway. If I remove that second line, or change 'auth' to 'account' (one suggestion I found), auth works, but the local password is simply ignored.

    Am I missing something in my PAM config?

    • Sanjaya, almost 6 years
      A good tutorial I have seen is at the link below: cyberciti.biz/open-source/… However, it does not mention that required packages need to be installed before installing and configuring. You may need to install the following package. A compatible EPEL repository will help you to install google-authenticator using the yum install command. yum install pam-devel
  • cornelinux, over 9 years
    If it breaks after "auth pam_unix" then this would work out. The question is, why it would break there.