
I have set up FreeRADIUS, PAM and the Google Authenticator. FreeRADIUS calls PAM, which in turn calls the Google pam_google_authenticator.so library. That all works successfully.

However, that's not really 2-factor auth, as all one needs is the OTP from the Google App. To get 2FA, I want to use the local Linux password. Since this is through RADIUS, I can't prompt for both passwords, and need to combine them in one. According to the Google Auth README, and various blogs I found, I should do this in PAM:

   auth requisite pam_google_authenticator.so forward_pass
   auth required  pam_unix.so use_first_pass

And then I can put the password and OTP at the same prompt, e.g. MyPass123456

But it never works. With debugging on, I can see that pam_unix.so checks and accepts the password from the user, but then fails anyway. If I remove that second line, or change 'auth' to 'account' (one suggestion I found), auth works, but the local password is simply ignored.

Am I missing something in my PAM config?

Jeff Leyser
A good tutorial I have seen is at the link below. https://www.cyberciti.biz/open-source/howto-protect-linux-ssh-login-with-google-authenticator/ However, it does not mention that required packages need to be installed before installing and configuring. You may need to install the following package. A compatible EPEL repository will help you install google-authenticator using the yum install command. yum install pam-devel – Sanjaya May 26 '18 at 09:15

4 Answers

Lots of Googling led me to https://bugs.launchpad.net/percona-server/+bug/1274821 which describes a similar problem. As documented there, this worked:

   auth    requisite pam_google_authenticator.so forward_pass
   auth    required  pam_unix.so use_first_pass
   account required  pam_unix.so audit
   account required  pam_permit.so

Although why that works remains a mystery to me, as the MySQL issue is about using PAM as non-root, and I have FreeRADIUS set up to run as root.

Jeff Leyser

If you are changing "auth" to "account" then pam_unix is not used for authentication anymore.

What do you mean by

pam_unix.so checks and accepts the password from the user, but then fails anyway

What does your pam configuration for this service look like? As "required" means the stack is processed till the end, maybe it breaks after pam_unix.

You might also think about using another two factor auth backend, which handles these two factors by itself... https://www.howtoforge.com/two-factor-authentication-with-otp-using-privacyidea-and-freeradius-on-centos

cornelinux

Try this configuration:

   auth requisite  pam_google_authenticator.so forward_pass
   auth sufficient pam_unix.so use_first_pass

It's really hard to tell, though, without seeing all auth entries in your pam config file.

mricon

Can you give your entire pam config file? If you use pam_deny.so after pam_unix.so, you have to change your config to:

   auth [success=1 default=ignore] pam_unix.so use_first_pass

It specifies that the next line must be skipped if the module returns success.

The entire config for auth:

   auth requisite                  pam_google_authenticator.so forward_pass
   auth [success=1 default=ignore] pam_unix.so use_first_pass
   auth requisite                  pam_deny.so
   auth required                   pam_permit.so

First, the pam_google_authenticator module extracts the TOTP and verifies it.

Second, the pam_unix module verifies the password and, if it succeeds, skips the third line.
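To see why the control flags in the three auth stacks above behave differently, here is an added example (not from the thread and not Linux-PAM's own code): a simplified simulator of Linux-PAM's requisite / required / sufficient and [success=N default=ignore] semantics, run over the stacks from the question, mricon's answer and the last answer with constructed module outcomes. It assumes pam_google_authenticator.so accepts the OTP and only varies the pam_unix.so result.

```python
# Simplified simulator of Linux-PAM auth-stack control flags (added example;
# module outcomes are constructed, no real PAM module is called).

SUCCESS, FAIL = "success", "fail"

def parse_control(token):
    """Map a control token to (action_on_success, action_on_fail).
    Actions: 'ok' continue, 'done' return success now, 'bad' remember a
    failure and continue, 'die' return failure now, 'ignore', or an int N
    meaning "skip the next N modules" (the [success=N ...] jump syntax)."""
    keywords = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
                "sufficient": ("done", "ignore"), "optional": ("ok", "ignore")}
    if token in keywords:
        return keywords[token]
    fields = dict(f.split("=") for f in token.strip("[]").split())
    def action(key):
        value = fields.get(key, fields.get("default", "bad"))
        return int(value) if value.isdigit() else value
    return action("success"), action("default")

def run_auth_stack(stack, results):
    """stack: list of (control, module); results: module -> SUCCESS/FAIL."""
    failed = False   # a 'required' module failed; the stack still continues
    passed = False   # some module contributed a success
    i = 0
    while i < len(stack):
        control, module = stack[i]
        on_success, on_fail = parse_control(control)
        action = on_success if results[module] == SUCCESS else on_fail
        i += 1
        if action == "die":
            return FAIL
        if action == "bad":
            failed = True
        elif action == "done" and not failed:
            return SUCCESS
        elif action == "ok" or isinstance(action, int):
            passed = True
            if isinstance(action, int):
                i += action   # jump over the next N modules
    return FAIL if failed or not passed else SUCCESS

# The three auth stacks discussed in this thread (auth phase only).
QUESTION_STACK = [("requisite", "pam_google_authenticator.so"), ("required", "pam_unix.so")]
SUFFICIENT_STACK = [("requisite", "pam_google_authenticator.so"), ("sufficient", "pam_unix.so")]
JUMP_STACK = [("requisite", "pam_google_authenticator.so"),
              ("[success=1 default=ignore]", "pam_unix.so"),
              ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]

def verdicts(stack):
    """Verdict with a valid OTP and (good Unix password, wrong Unix password)."""
    base = {"pam_google_authenticator.so": SUCCESS, "pam_deny.so": FAIL, "pam_permit.so": SUCCESS}
    return (run_auth_stack(stack, dict(base, **{"pam_unix.so": SUCCESS})),
            run_auth_stack(stack, dict(base, **{"pam_unix.so": FAIL})))
```

Under these rules the sufficient stack still returns success when pam_unix fails, because the requisite module's earlier success is the last recorded result, which is why the final answer closes the stack with pam_deny.so.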