pam module doesn't allow for incremental deployment about google-authenticator HOT 11 CLOSED

Comment #1 originally posted by Abubakar.Masood on 2011-01-28T16:24:07.000Z:

I tried adding the code above in pam_google_authenticator.c. After adding, i made a new copy of google-authenticator for 1 user on ma computer, configured google-authenticator with ssh access. But it still looks like it does not allow me to access the not configured user through ssh. Anything I am missing?

from google-authenticator.

Comment #2 originally posted by valient on 2011-01-29T21:55:27.000Z:

The code is contained in an #ifdef which is not enabled by default. You'll need to add "#define ALLOW_UNCONFIGURED_USERS" to the top of the file to make it work. Or else remove the #ifdef and #endif lines from the patch..

from google-authenticator.

Comment #3 originally posted by jeremy.kitchen on 2011-02-16T20:50:58.000Z:

this patch is fine, but I think it should be a module parameter and not a compile time thing.

auth required pam_google_authenticator.so pass_if_unconfigured

something like that.

from google-authenticator.

Comment #4 originally posted by [email protected] on 2011-02-21T00:19:44.000Z:

Seems to be broken for su, on Debian Squeeze with Lenny kernel. According to strace (strace is setuid root so I can strace setuid root programs):

[...]
setfsuid32(0) = 0
setfsuid32(0) = 0
open("/root/.google_authenticator", O_RDONLY) = -1 ENOENT (No such file or directory)
[...]
access("/root/.google_authenticator", F_OK) = -1 EACCES (Permission denied)
[...]

Still trying to understand why access(...) returns EACCES instead of ENOENT. Maybe a kernel issue with my older kernel?

Everything works fine if /root/.google_authenticator exists.

from google-authenticator.

Comment #5 originally posted by valient on 2011-02-24T00:41:28.000Z:

Attached is a patch that adds two arguments to the pam module:

1. "pass_unconfigured" : if this is specified, then the pam module will ignore users that do not have authenticator setup (it will return success).
2. "suffix=[xxx]" : for adding a suffix to the user's homedir path. There is a separate ticket open for this, but this is how I deal with encrypted home directories.

For example, if the following is specified in a pam config file:

auth required pam_google_authenticator.so pass_unconfigured suffix=.auth

then when a user "foo" attempts to gain access, the module will look for "/home/foo.auth/.google_authenticator", and will return success if that file does not exist.

This patch is a diff of the head against my branch, so it also contains a one-line bug fix for blocked code handling.

from google-authenticator.

Comment #6 originally posted by [email protected] on 2011-02-27T23:26:09.000Z:

At quick glance, I think the patch in comment # 5 will suffer from the same problem I have in comment # 4. I just reproduced this problem on an up-to-date Ubuntu system. Still investigating.

from google-authenticator.

Comment #7 originally posted by Abubakar.Masood on 2011-02-28T15:07:19.000Z:

This problem can be solved by adding a CONFIG FILE (which could be user defined) and adding the code on the first post in an if statement which reads from the config file. I have added a config file with settings for allowing/not allowing unconfigured users and it works fine.

from google-authenticator.

Comment #8 originally posted by paul.devrieze on 2011-02-28T16:34:15.000Z:

As an alternative, I've created a patch # 32 that lets the module return various codes to the pam stack. You can then handle those in whatever way desired (including forcing the user to create the token) by leveraging pam.

from google-authenticator.

Comment #9 originally posted by [email protected] on 2011-03-09T20:26:23.000Z:

<empty>

from google-authenticator.

Comment #10 originally posted by [email protected] on 2011-03-12T02:48:47.000Z:

See issue # 24 for dealing with encrypted home directories.

from google-authenticator.

Comment #11 originally posted by fredemmott on 2011-08-20T09:00:28.000Z:

Here's a workaround:

1. Save the following as /usr/local/sbin/no-google-authenticator or similar:

#!/bin/sh
HOME=$(getent passwd "${PAM_USER}" | cut -f6 -d:)
/usr/bin/test ! -e "${HOME}/.google_authenticator"

1. Use the following in your PAM config:

auth [success=1 default=ignore] pam_exec.so quiet /usr/local/sbin/no-google-authenticator
auth required pam_google_authenticator.so

"[success=1 default=ignore]" means "on success, skip the next 1 auth provider (google), on failure, just pretend it didn't happen"

from google-authenticator.