Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 749156

Summary: sys-auth/google-authenticator-1.09 no longer works if included at the end of the sshd pam config
Product: Gentoo Linux Reporter: Adrian <adrian>
Component: Current packagesAssignee: tea <tea+gentoo>
Status: RESOLVED WORKSFORME    
Severity: normal CC: adrian, candrews, proxy-maint, sam, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Adrian 2020-10-14 22:37:42 UTC 
With the old default Gentoo PAM `auth` config (in `/etc/pam.d/system-auth`):

```
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
```

and this module being loaded at the end of `/etc/pam.d/sshd`:

```
auth       include      system-remote-login
...
auth       required     pam_google_authenticator.so ...
```

I am first asked for the password, and then for a TOTP.

However, recentl Gentoo updated `system-auth` to this:

```
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
auth            required        pam_faillock.so preauth
auth            sufficient      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail
...
```

Now, unless I remove the last three lines (effectively disabling faillock, so not a great idea...), I am no longer asked for a TOTP at all, ie I can login with just the password.

A quick workaround for me was to move the `pam_google_authenticator` line for sshd to the beginning (which asks for a TOTP before asking for a password), but the fact that I had to do this at all was a nasty surprise as I would not expect an update to suddenly and silently remove the 2FA requirement from my system!

Reproducible: Always
Comment 1 Craig Andrews gentoo-dev 2020-10-15 13:22:10 UTC 
CC'ing the sys-auth/pambase maintainers (that package owns /etc/pam.d/system-auth)
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 13:37:56 UTC 
without proper failure logs it is nothing to say here, please provide the journalctl -f output (pr any other equiv information) of what happening, I can only guess, but I am not a forecast show host :)
Comment 3 Adrian 2020-10-15 13:39:50 UTC 
There are no useful logs (even with USE=debug for pam). However, we had an interesting discussion in #gentoo yesterday, and it looks like the "auth sufficient" line accepts the login so the "auth required pam_google_authenticator.so" line coming later is never considered.
Comment 4 Manuel Mommertz 2020-10-16 06:17:54 UTC 
(In reply to Adrian from comment #0)
> auth            sufficient      pam_unix.so nullok try_first_pass
> auth            [default=die]   pam_faillock.so authfail

Just replace by:
> auth            [default=ignore]   pam_faillock.so authfail

as Mikle suggested in bug 748405, comment 13.

Checking pam_unix at this place is not needed, as checking of credentials was already done in the (old) lines before. And with 'sufficient' it stops any further processing if pam_unix succeeds. If processing continues to the next line, [default=die] always stops processing and fails login (even if other pam-modules verified credentials before, like in the mentioned bug).

With [default=ignore] it keeps processing in any case. This will lead to faillock registering a failed login, even if it is successful. But this is fine, as on success it is cleared again some lines below:

> account         required        pam_faillock.so
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-01 13:54:13 UTC 
Yeah, pam_google_authenticator must go before pam_unix (sufficient).