Home / server / Questions / 655289
Accepted
Jeff Leyser
Asked: 2014-12-30 12:39:26 +0800 CST

PAM, RADIUS, Google Authenticator and Two Factor Auth

  • 772

I have setup FreeRADIUS, PAM and the Google Authtenicator. FreeRADIUS calls PAM, which in turn calls the Google pam_google_authenticator.so libary. That all works successfully.

However, that's not really 2 factor auth, as all one needs is the OTP from the Google App. To get two 2FA, I want to use the local Linux password. Since this is through RADIUS, I can't prompt for both passwords, and need to combine them in one. According the Google Auth README, and various blogs I found, I should do this in PAM:

   auth requisite pam_google_authenticator.so forward_pass
   auth required pam_unix.so use_first_pass

And then I can put the password and OTP at the same prompt, e.g. MyPass123456

But it never works. With debugging on, I can see that pam_unix.so checks and accepts the password from the user, but then fails anyway. If I remove that second line, or change 'auth' to 'account' (one suggestion I found), auth works, but the local password is simply ignored.

Am I missing something in my PAM config?

centos

4 Answers

  1. Best Answer

    Lot's of Googling lead me to https://bugs.launchpad.net/percona-server/+bug/1274821 which describes a similar problem. As documented there, this worked:

     auth requisite pam_google_authenticator.so forward_pass
 auth required pam_unix.so use_first_pass  
 account required pam_unix.so audit
 account required pam_permit.so

    Although why that works remains a mystery to me, as the MySQL issue is about using PAM as non-root, and I have FreeRADIUS setup to run as root.

    • 1

  2. If you are changing "auth" to "account" then pam_unix is not used for authentication anymore.

    What do you mean with

    pam_unix.so checks and accepts the password from the user, but then fails anyway

    How does your pam configuration for this service look like? As "required" means the stack is processed till the end, maybe it breaks after pam_unix.

    You might also think about using another two factor auth backend, which handles these two factors by itself... https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos

    • 0

  3. Try this configuration:

       auth requisite  pam_google_authenticator.so forward_pass
   auth sufficient pam_unix.so use_first_pass

    It's really hard to tell, though, without seeing all auth entries in your pam config file.

    • 0

  4. Can you give your entire pam config file ? If you use pam_deny.so after pam_unix.so you have to change your config to:

    auth [success=1 default=ignore]    pam_unix.so use_first_pass

    It specify that the next line must be skipped if the module return success.

    The entire config for auth:

    auth requisite       pam_google_authenticator.so forward_pass
auth [success=1 default=ignore]    pam_unix.so use_first_pass
auth requisite           pam_deny.so
auth required            pam_permit.so

    First, the pam_google_authenticator module extracts the TOTP and verify it.

    Second, the pam_unix module verify the password and if it succeeded skip the third line.

    • 0