[SELinux] TOTP don't seems to work #26
Comments
The scratch codes can help if for some reason you no longer have the TOTP app or it no longer works correctly. Each code can only be used once, however. To disable TOTP for your account you can use the Once you've unlocked yourself, to be able to help you better, please describe the steps you followed to enable TOTP on your account. |
Ok, I tried the I'm running CentOS 8 in a VM. My time and date seem updated. I used the command and got this result:
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
*****
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: ****..***
Enter code from app (-1 to skip): ******
Code confirmed
Your emergency scratch codes are:
*******
*******
*******
*******
******* |
Did you install |
Nope, I did install, here is the login example: $ bssh --osh selfMFAResetTOTP
*------------------------------------------------------------------------------*
|THIS IS A PRIVATE COMPUTER SYSTEM, UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.|
|ALL CONNECTIONS ARE LOGGED. IF YOU ARE NOT AUTHORIZED, DISCONNECT NOW. |
*------------------------------------------------------------------------------*
Enter passphrase for key '/home/******/.ssh/id_ed25519':
Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
Verification code:
Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
Verification code:
Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
Verification code:
***@***.***.***.***: Permission denied (keyboard-interactive). |
I just checked. |
There might be something wrong in the configuration of the google_authenticator PAM module on your CentOS machine. When there is something wrong in its config, it'll always deny authentication. CentOS 8 is part of the OSes that are automatically tested on each release, including for MFA, so it should work if the configuration is ok and the proper packages are installed. If there is the "debug" keyword on the google_authenticator pam module line in |
There is no real equivalent of system logs in CentOS 8; can you be more specific about which log it will be stored in? I guess debug should be added here: |
Just booted a brand new CentOS 8 VM to be sure, and I can indeed get OTP to work by following the documentation (just wanted to be sure). You are right, the "debug" keyword is to be added to the line you specified. When you've done this, your PAM will log using your system's syslog, under the "debug" level. Here's what I get with mine:
The location of the file will depend on your system's syslog configuration.
(at the end of /etc/syslog-ng/syslog-ng.conf) |
Indeed, it seems your user can't write to its own home directory. I suppose you fixed it successfully? |
Nope. If I change the folder permission to anything other than 700, the TOTP check is refused. |
How can I be sure the pam process is running under my user? |
It's running under your user when Line 878 in b0eaf15
You can try it manually this way, running it directly on your centos machine under your user:
|
It worked. |
Did you change SELinux on your CentOS 8 VM? |
I changed SELinux to permissive and it worked. |
Ah! Interesting. This isn't caught during the tests because we use Docker to test on several distro flavors, so of course SELinux doesn't apply there. We never stumbled upon that because we use Debian in production. Falling back to |
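As an added example, not code from this thread, from the bastion project or from the PAM module: a small POSIX shell triage helper that scans SELinux AVC audit records for the failure mode found above, sshd being denied access to the OTP secret in the user's home directory (pam_google_authenticator stores it by default as ~/.google_authenticator). The audit lines, PIDs and contexts below are constructed samples, not captured from the reporter's VM.

```shell
#!/bin/sh
# Added triage helper (not part of the bastion or of google-authenticator-libpam):
# find AVC denials where sshd (sshd_t) was refused access to the OTP secret file
# living in the user's home directory (user_home_t). ".google_authenticator" is
# the default secret file name of pam_google_authenticator. The records below
# are constructed samples in the audit.log AVC format, not real captures.
SAMPLE_AUDIT='type=AVC msg=audit(1600000000.100:101): avc:  denied  { write } for  pid=1234 comm="sshd" name=".google_authenticator" dev="dm-0" ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.200:102): avc:  denied  { read } for  pid=2222 comm="cupsd" name="printers.conf" dev="dm-0" ino=77 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000000.300:103): avc:  denied  { read } for  pid=1235 comm="sshd" name=".google_authenticator" dev="dm-0" ino=4242 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Keep only AVC denials where sshd touched the OTP secret file.
otp_avc_lines() {
    printf '%s\n' "$1" | awk '/avc: +denied/ && /comm="sshd"/ && /name="\.google_authenticator"/'
}

# Number of such denials that were actually enforced (permissive=0), i.e. the
# ones that turn a valid code into "Permission denied" at the SSH prompt.
count_enforced_otp_denials() {
    otp_avc_lines "$1" | awk '/permissive=0/ { n++ } END { print n + 0 }'
}

# One readable line per denial: source type -> target type: access, mode.
explain_otp_denials() {
    otp_avc_lines "$1" | awk '{
        perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
        src = $0;  sub(/.*scontext=/, "", src);  sub(/ .*/, "", src)
        tgt = $0;  sub(/.*tcontext=/, "", tgt);  sub(/ .*/, "", tgt)
        split(src, s, ":"); split(tgt, t, ":")
        mode = ($0 ~ /permissive=1/) ? "logged only (permissive)" : "blocked (enforcing)"
        printf "%s -> %s: %s %s\n", s[3], t[3], perm, mode
    }'
}

# Stand-alone usage: on a real host, replace SAMPLE_AUDIT with the output of
# "ausearch -m AVC -c sshd" (reading the audit log requires root).
main() {
    n=$(count_enforced_otp_denials "$SAMPLE_AUDIT")
    echo "enforced sshd denials on the OTP secret file: $n"
    explain_otp_denials "$SAMPLE_AUDIT"
}
main
```

A non-zero enforced count with sshd_t -> user_home_t explains the symptom in this thread; a denial that shows only under permissive=1 confirms the policy still lacks the rule even though logins succeed.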
Thanks for all your help. I'll be happy to put it in production when the policy is written. |
|
I set TOTP on my account.
But after the successful registration, all my verifications are refused.
Is there any way to get my account back?
With the scratch code?