When set to forward_pass entering only PIN doesn't allow next level to prompt for login #138
Comments
Comment #1 originally posted by markus@google.com on 2012-01-24T21:44:59.000Z: Do you still experience this problem, if you don't allow "nullok_secure" for pam_unix? That would definitely be a useful data point. It is conceivable that pam_unix cannot tell the difference between the user having entered no password (yet), and the user trying to enter a blank password.

Comment #2 originally posted by shinji@elite-systems.org on 2012-01-24T21:45:00.000Z: This is all that comes up in the log for this.

```
Jan 24 16:41:47 icarus sshd[6539]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=test
```

Comment #3 originally posted by shinji@elite-systems.org on 2012-01-24T22:36:50.000Z: Taking out nullok_secure or even just replacing it with nullok (the non-secure version) doesn't change anything. It just loops around to the prompt from pam_google_authenticator.

Comment #4 originally posted by shinji@elite-systems.org on 2012-01-25T18:00:53.000Z: I thought I had it figured out but I misunderstood the keywording... It looks like, based on the descriptions though, it is pam_google_authenticator that is failing and killing the chain for sure. When I remove forward_pass from pam_google_authenticator it goes to the password prompt (from pam_unix) as expected, and then, since I put in a random and bad PIN on the first prompt, it loops back around as it should. I had left try_first_pass on the pam_unix line. Maybe we need to implement it where the prompt that is normally expecting both a password and a PIN can parse it so that if the length is exactly 6 or 8 characters long it tests it as a PIN or an OTP and then succeeds with the next module prompting as expected? At the moment it seems to fail and pam_unix is not kicking in due to that. (yes I know, long question)

This issue was moved to google/google-authenticator-libpam#37
Original issue 139 created by shinji@elite-systems.org on 2012-01-24T21:33:02.000Z:
I don't have any additional modules to pass the login to, so I set up pam_unix to handle the second part. However, if you only enter a PIN then the login fails, since pam_unix doesn't bother to prompt. Is there any way to allow pam_unix to prompt for a password if only a PIN was entered for pam_google_authenticator? i.e. if the forwarded password doesn't authenticate the user?

Configurations:

/etc/pam.d/common-auth

```
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
```

/etc/pam.d/sshd

```
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
auth required pam_google_authenticator.so nullok forward_pass
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
```
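The failure described in this issue, and the parsing idea from comment #4, modelled as an added illustration (this is not code from google-authenticator-libpam or Linux-PAM). The OTP, scratch code and password are constructed constants; `otp_only` is the hypothetical switch for comment #4's proposal, and pam_unix's `try_first_pass` is modelled on comment #1's hypothesis that a forwarded blank token is used as-is rather than prompting.

```python
# Simplified model of the PAM stack from this issue (added illustration; not
# code from google-authenticator-libpam or Linux-PAM). Codes and the password
# are constructed constants; real modules verify against the user's secret
# and /etc/shadow. The "otp_only" switch is hypothetical (comment #4's idea).
from typing import Callable, Optional, Tuple

VALID_OTP = "123456"        # constructed 6-digit TOTP accepted by the model
VALID_SCRATCH = "87654321"  # constructed 8-digit scratch code
USER_PASSWORD = "s3cret"    # constructed pam_unix password


def code_ok(code: str) -> bool:
    return code in (VALID_OTP, VALID_SCRATCH)


def google_authenticator(entry: str, forward_pass: bool,
                         otp_only: bool) -> Tuple[bool, Optional[str]]:
    """Return (module_ok, forwarded_authtok); None means PAM_AUTHTOK stays unset."""
    if not forward_pass:
        return code_ok(entry), None
    if otp_only and len(entry) in (6, 8) and entry.isdigit():
        # Comment #4's idea: a bare code is not split, so nothing (not even
        # an empty string) is forwarded and the next module has to prompt.
        return code_ok(entry), None
    password, code = entry[:-6], entry[-6:]            # default TOTP split
    if not code_ok(code) and code_ok(entry[-8:]):      # try an 8-digit scratch code
        password, code = entry[:-8], entry[-8:]
    return code_ok(code), password                     # "" when only the code was typed


def pam_unix_try_first_pass(forwarded: Optional[str],
                            prompt: Callable[[], str]) -> Tuple[bool, bool]:
    """try_first_pass as modelled here: a forwarded token, even a blank one, is
    used without prompting (comment #1's hypothesis); only an unset token prompts.
    Returns (module_ok, prompted)."""
    if forwarded is not None:
        return forwarded == USER_PASSWORD, False
    return prompt() == USER_PASSWORD, True


def login(entry: str, typed_password: str, forward_pass: bool,
          otp_only: bool = False) -> Tuple[bool, bool]:
    """Run both 'required' modules; returns (authenticated, password_prompt_shown)."""
    ga_ok, token = google_authenticator(entry, forward_pass, otp_only)
    unix_ok, prompted = pam_unix_try_first_pass(token, lambda: typed_password)
    return ga_ok and unix_ok, prompted
```

Entering only the code with `forward_pass` yields `(False, False)` in this model: a blank password is forwarded and pam_unix never prompts, which is the behaviour the issue reports.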