Comments (13)
Comment #1 originally posted by [email protected] on 2011-03-11T21:43:56.000Z:
I don't even think that FreeBSD has support for filesystem user ids. So, we'd probably have to change the effective user id instead. This isn't great, but probably the best we can do.
But we also need a way to detect that this problem exists. I am not sure I really want to go all the way and switch to "autoconf", if I can avoid this extra complication.
Let me see what I can do.
from google-authenticator.
Comment #2 originally posted by [email protected] on 2011-03-11T22:56:05.000Z:
I removed the dependency on setfsuid(). Let me know if you can now make more progress. I don't have a FreeBSD system to test with, and it is quite possible that there are other dependencies that don't exist on non-Linux systems.
Comment #3 originally posted by denis.shaposhnikov on 2011-03-11T23:08:03.000Z:
Thank you!
Now I have another error:
cc --std=gnu99 -Wall -O2 -g -fPIC -c -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function 'pam_get_item':
pam_google_authenticator_unittest.c:65: error: 'PAM_BAD_ITEM' undeclared (first use in this function)
pam_google_authenticator_unittest.c:65: error: (Each undeclared identifier is reported only once
pam_google_authenticator_unittest.c:65: error: for each function it appears in.)
gmake: *** [pam_google_authenticator_unittest.o] Error 1
Comment #4 originally posted by [email protected] on 2011-03-11T23:43:46.000Z:
What happens if you put the following bit of code somewhere before line 33 (the one that defines "response"):
#if !defined(PAM_BAD_ITEM) && defined(PAM_SYMBOL_ERR)
// FreeBSD does not know about PAM_BAD_ITEM
#define PAM_BAD_ITEM PAM_SYMBOL_ERR
#endif
I can't promise we can get this code to work on FreeBSD at all, as I still don't know which features are different/missing on FreeBSD. But I can at least try to fix the obvious and easy issues, if you help me test them.
Comment #5 originally posted by denis.shaposhnikov on 2011-03-12T00:02:01.000Z:
I did it, but no changes:
cc --std=gnu99 -Wall -O2 -g -fPIC -c -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function 'pam_get_item':
pam_google_authenticator_unittest.c:70: error: 'PAM_BAD_ITEM' undeclared (first use in this function)
pam_google_authenticator_unittest.c:70: error: (Each undeclared identifier is reported only once
pam_google_authenticator_unittest.c:70: error: for each function it appears in.)
gmake: *** [pam_google_authenticator_unittest.o] Error 1
--- pam_google_authenticator_unittest.c.orig 2011-03-11 15:51:05.000000000 -0800
+++ pam_google_authenticator_unittest.c 2011-03-11 15:51:31.000000000 -0800
@@ -30,6 +30,11 @@
#include "base32.h"
#include "hmac.h"
+#if !defined(PAM_BAD_ITEM) && defined(PAM_SYMBOL_ERR)
+// FreeBSD does not know about PAM_BAD_ITEM
+#define PAM_BAD_ITEM PAM_SYMBOL_ERR
+#endif
+
static char *response = "";
static int conversation(int num_msg, const struct pam_message **msg,
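Review bot: the `defined(PAM_SYMBOL_ERR)` half of the condition on the first added line is only true when PAM_SYMBOL_ERR is a preprocessor macro. If the platform's PAM headers declare it as an enum constant, the whole block is skipped without any diagnostic, which would match the build output above: the error moved from line 65 to line 70, so the five added lines were compiled in, yet PAM_BAD_ITEM is still undeclared. Consider guarding on `#ifndef PAM_BAD_ITEM` alone, or on a platform macro, so the fallback cannot be silently dropped.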
Comment #6 originally posted by [email protected] on 2011-03-12T01:14:20.000Z:
Thank you for helping with this bug. I just checked in a version that should address all the issues that you reported. Please let me know if there are remaining problems.
Comment #7 originally posted by denis.shaposhnikov on 2011-03-14T18:19:51.000Z:
I've tested the pam module and found it doesn't work. I see the following in the log:
sshd(pam_google_authenticator)[61935]: Failed to change user id to "user"
sshd[61935]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 19
Comment #8 originally posted by [email protected] on 2011-03-14T18:32:12.000Z:
When you write "user", do you mean it literally says "user"? Or is this just a placeholder for the actual user name?
In any case, can you please also test with some other PAM enabled applications (e.g. "su"). "sshd" is a particularly tricky test case as its PAM implementation is difficult to configure. So, we want to make sure you don't run into problems with a misconfigured "sshd" and misdiagnose it as a bug in the Google authenticator.
Once we know the authenticator works fine, we can then try to figure out why "sshd" doesn't work.
If "su" also fails, try to collect as much debug information as possible. Running it inside of "strace" (or the FreeBSD equivalent) would be helpful. You probably have to be "root" to do so.
Comment #9 originally posted by denis.shaposhnikov on 2011-03-14T22:45:35.000Z:
I've configured the module for "login" and tried
sudo ktrace login test_user
In the dump I see lots of info and I think the most interesting part is the following:
96358 login CALL seteuid(0x3e9)
96358 login RET seteuid 0
96358 login CALL geteuid
96358 login RET geteuid 1001/0x3e9
96358 login CALL seteuid(0x3e9)
96358 login RET seteuid -1 errno 1 Operation not permitted
The UID of test_user is 1001.
Comment #10 originally posted by [email protected] on 2011-03-14T22:57:28.000Z:
If you replace the user id management functions with the following code, does that improve things?
static int setuser(int uid) {
#ifdef HAS_SETFSUID
  // The semantics for setfsuid() are a little unusual. On success, the
  // previous user id is returned. On failure, the current user id is returned.
  int old_uid = setfsuid(uid);
  if (uid != setfsuid(uid)) {
    setfsuid(old_uid);
    return -1;
  }
#else
  // Only call seteuid() if we are not already running as the requested user.
  int old_uid = geteuid();
  if (old_uid != uid && seteuid(uid)) {
    return -1;
  }
#endif
  return old_uid;
}

static int drop_privileges(pam_handle_t *pamh, const char *username, int uid) {
  // Try to become the new user. This might be necessary for NFS mounted home
  // directories.
  int old_uid = setuser(uid);
  if (old_uid < 0) {
    log_message(LOG_ERR, pamh, "Failed to change user id to \"%s\"", username);
    return -1;
  }
  return old_uid;
}
Comment #11 originally posted by denis.shaposhnikov on 2011-03-14T23:16:55.000Z:
Now it's better. But I can't authenticate myself. It works if I try to log in with a one-time code which google-authenticator generated and saved into ~/.google_authenticator, but for a verification code it logs "Invalid verification code". Maybe I configured "Google Authenticator" wrongly on my Android phone? I've added the account "test_user@hostname" and I'm trying to use the code which I see on my Android phone, but it doesn't work.
Comment #12 originally posted by [email protected] on 2011-03-14T23:21:45.000Z:
The easiest way to configure the Android application correctly is by scanning the QR code that the "google-authenticator" library generates.
Also, it is crucial that both your computer and your Android have reasonably precise time. The vast majority of cases where I have seen users unable to log in were a result of them having mismatched clocks.
I keep thinking of a good way to output more useful diagnostics information whenever this happens.
Comment #13 originally posted by denis.shaposhnikov on 2011-03-14T23:39:38.000Z:
You are right. I've synced time and now the pam module works excellently. Thank you!