3

I have set up FreeRADIUS, PAM and the Google Authenticator. FreeRADIUS calls PAM, which in turn calls the Google pam_google_authenticator.so library. That all works successfully.

However, that's not really 2 factor auth, as all one needs is the OTP from the Google App. To get 2FA, I want to use the local Linux password. Since this is through RADIUS, I can't prompt for both passwords, and need to combine them in one. According to the Google Auth README, and various blogs I found, I should do this in PAM:

    auth requisite pam_google_authenticator.so forward_pass
    auth required  pam_unix.so use_first_pass

And then I can put the password and OTP at the same prompt, e.g. MyPass123456

But it never works. With debugging on, I can see that pam_unix.so checks and accepts the password from the user, but then fails anyway. If I remove that second line, or change 'auth' to 'account' (one suggestion I found), auth works, but the local password is simply ignored.

Am I missing something in my PAM config?

1
  • A good tutorial I have seen is at the link below. cyberciti.biz/open-source/… However, it does not mention that required packages need to be installed before installing and configuring. You may need to install the following package. A compatible epel repository will help you to install google-authenticator using the yum install command. yum install pam-devel Commented May 26, 2018 at 9:15

4 Answers

1

Lots of Googling led me to https://bugs.launchpad.net/percona-server/+bug/1274821 which describes a similar problem. As documented there, this worked:

    auth    requisite pam_google_authenticator.so forward_pass
    auth    required  pam_unix.so use_first_pass
    account required  pam_unix.so audit
    account required  pam_permit.so

Although why that works remains a mystery to me, as the MySQL issue is about using PAM as non-root, and I have FreeRADIUS setup to run as root.

0

If you are changing "auth" to "account" then pam_unix is not used for authentication anymore.

What do you mean with

pam_unix.so checks and accepts the password from the user, but then fails anyway

What does your PAM configuration for this service look like? As "required" means the stack is processed till the end, maybe it breaks after pam_unix.

You might also think about using another two factor auth backend, which handles these two factors by itself... https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos

0

Try this configuration:

    auth requisite  pam_google_authenticator.so forward_pass
    auth sufficient pam_unix.so use_first_pass

It's really hard to tell, though, without seeing all auth entries in your pam config file.

1
  • If it breaks after "auth pam_unix" then this would work out. The question is, why it would break there. Commented Dec 30, 2014 at 20:36
0

Can you give your entire pam config file? If you use pam_deny.so after pam_unix.so you have to change your config to:

    auth [success=1 default=ignore] pam_unix.so use_first_pass

It specifies that the next line must be skipped if the module returns success.

The entire config for auth:

    auth requisite                  pam_google_authenticator.so forward_pass
    auth [success=1 default=ignore] pam_unix.so use_first_pass
    auth requisite                  pam_deny.so
    auth required                   pam_permit.so

First, the pam_google_authenticator module extracts the TOTP and verifies it.

Second, the pam_unix module verifies the password and, if it succeeds, skips the third line.
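To see why the two-line stack in the question can fail right after pam_unix.so accepts the password, here is a small evaluator of the pam.conf(5) control-flag rules, added to this thread as an illustration; it is not taken from any of the posts and is not libpam code. It assumes, as the last answer does, that a pam_deny.so line follows pam_unix.so in the service file, and the module return values it feeds in are constructed. It also covers the `sufficient` variant suggested in the third answer.

```python
"""Model of how libpam walks an 'auth' stack, using the control-flag
semantics documented in pam.conf(5). Added example for this thread: not
libpam code and not from any answer; the stacks below are constructed
from the posts plus an assumed trailing pam_deny.so / pam_permit.so."""

# The classic keywords are shorthand for these bracketed action lists
# (as listed in pam.conf(5)).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Turn 'required' or '[success=1 default=ignore]' into {retval: action}."""
    control = KEYWORDS.get(control, control)
    body = control.strip()[1:-1]          # drop the surrounding brackets
    return dict(item.split("=", 1) for item in body.split())


def run_auth_stack(stack, module_results):
    """Walk a list of (control, module) lines. module_results maps a module
    name to its return value ('success' or an error such as 'auth_err');
    pam_deny.so and pam_permit.so are modelled by their fixed behaviour.
    Returns (final return value, list of modules that actually ran)."""
    status = None           # None = no module has contributed a result yet
    ran = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        rv = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}.get(
            module, module_results.get(module, "auth_err"))
        ran.append(module)
        actions = parse_control(control)
        # Simplification: an unlisted return value without 'default' is 'bad'.
        action = actions.get(rv, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":
            status = None
            continue
        if action in ("ok", "done") or action.isdigit():
            # 'ok' only contributes if no earlier module has already failed
            if status in (None, "success"):
                status = rv
            if action == "done" and status == "success":
                break                      # sufficient: stop on success
            if action.isdigit():
                i += int(action)           # jump over the next N lines
        elif action in ("bad", "die"):
            if status in (None, "success"):
                status = rv                # the first failure wins
            if action == "die":
                break                      # requisite: stop immediately
    return (status if status is not None else "perm_denied"), ran


# Constructed stacks: the question's two lines, followed by the
# pam_deny.so / pam_permit.so pair the last answer assumes is present.
ASKER_STACK = [
    ("requisite", "pam_google_authenticator.so"),
    ("required", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]
SKIP_STACK = [
    ("requisite", "pam_google_authenticator.so"),
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]
SUFFICIENT_STACK = [
    ("requisite", "pam_google_authenticator.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]

# Constructed module outcomes for the three interesting logins.
GOOD_OTP_GOOD_PW = {"pam_google_authenticator.so": "success", "pam_unix.so": "success"}
GOOD_OTP_BAD_PW = {"pam_google_authenticator.so": "success", "pam_unix.so": "auth_err"}
BAD_OTP = {"pam_google_authenticator.so": "auth_err", "pam_unix.so": "success"}

if __name__ == "__main__":
    stacks = [("asker", ASKER_STACK), ("skip", SKIP_STACK), ("sufficient", SUFFICIENT_STACK)]
    cases = [("good otp/good pw", GOOD_OTP_GOOD_PW), ("good otp/bad pw", GOOD_OTP_BAD_PW),
             ("bad otp", BAD_OTP)]
    for name, stack in stacks:
        for label, results in cases:
            final, ran = run_auth_stack(stack, results)
            print(f"{name:10} {label:17} -> {final:11} ran={ran}")
```

With a correct password and OTP, the question's stack runs pam_unix.so successfully and then hits pam_deny.so, whose `requisite` failure becomes the stack result: that is the "accepts the password, but then fails anyway" symptom. The `[success=1 default=ignore]` line jumps over pam_deny.so only on success, and `sufficient` ends the stack on success, so both give the intended result while a wrong password or OTP still fails.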
