With the old default Gentoo PAM `auth` config (in `/etc/pam.d/system-auth`):

```
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
```

and this module being loaded at the end of `/etc/pam.d/sshd`:

```
auth include system-remote-login
...
auth required pam_google_authenticator.so
...
```

I am first asked for the password, and then for a TOTP. However, recently Gentoo updated `system-auth` to this:

```
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
auth required pam_faillock.so preauth
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
...
```

Now, unless I remove the last three lines (effectively disabling faillock, so not a great idea...), I am no longer asked for a TOTP at all, i.e. I can log in with just the password. A quick workaround for me was to move the `pam_google_authenticator` line for sshd to the beginning (which asks for a TOTP before asking for a password), but the fact that I had to do this at all was a nasty surprise, as I would not expect an update to suddenly and silently remove the 2FA requirement from my system!

Reproducible: Always
CC'ing the sys-auth/pambase maintainers (that package owns /etc/pam.d/system-auth)
Without proper failure logs there is nothing to say here; please provide the `journalctl -f` output (or any other equivalent information) of what is happening. I can only guess, but I am not a forecast show host :)
There are no useful logs (even with USE=debug for pam). However, we had an interesting discussion in #gentoo yesterday, and it looks like the "auth sufficient" line accepts the login so the "auth required pam_google_authenticator.so" line coming later is never considered.
(In reply to Adrian from comment #0)
> auth sufficient pam_unix.so nullok try_first_pass
> auth [default=die] pam_faillock.so authfail

Just replace by:

> auth [default=ignore] pam_faillock.so authfail

as Mikle suggested in bug 748405, comment 13.

Checking pam_unix at this place is not needed, as checking of credentials was already done in the (old) lines before. And with 'sufficient' it stops any further processing if pam_unix succeeds. If processing continues to the next line, [default=die] always stops processing and fails login (even if other pam-modules verified credentials before, like in the mentioned bug). With [default=ignore] it keeps processing in any case. This will lead to faillock registering a failed login, even if it is successful. But this is fine, as on success it is cleared again some lines below:

> account required pam_faillock.so
Yeah, pam_google_authenticator must go before pam_unix (sufficient).
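The control-flag behaviour described in comments 4, 5 and 6 can be checked without touching a live system. The script below is an added example, not part of this bug or of sys-auth/pambase: a small evaluator that applies libpam's rules for `required`, `requisite`, `sufficient`, `optional`, `[default=die]` and `[default=ignore]` to the stacks quoted above, with stub modules standing in for pam_unix, pam_faillock and pam_google_authenticator (the stubs, the "factors presented correctly" input and the assumption that the account is not locked are constructed for the demonstration). It reproduces the report (new system-auth + TOTP last: password alone succeeds and pam_google_authenticator is never consulted) and shows that both the reporter's workaround (TOTP first) and comment 5's fix (drop the sufficient line, die -> ignore) restore the second factor.

```python
"""Toy Linux-PAM 'auth' stack evaluator (added example; constructed, not pambase code).

It models the control flags used in this bug closely enough to show why the
updated system-auth lets a login through without pam_google_authenticator.
"""
from dataclasses import dataclass

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"


@dataclass(frozen=True)
class Entry:
    control: str          # required | requisite | sufficient | optional | [default=die] | [default=ignore]
    module: str
    args: tuple = ()


# Stub modules (constructed). Each returns a PAM status given its arguments and
# the set of factors the user presented correctly, e.g. {"password", "totp"}.
def pam_env(args, good):
    return SUCCESS


def pam_permit(args, good):
    return SUCCESS


def pam_unix(args, good):
    return SUCCESS if "password" in good else AUTH_ERR


def pam_google_authenticator(args, good):
    return SUCCESS if "totp" in good else AUTH_ERR


def pam_faillock(args, good):
    # preauth: assume the account is not locked (assumption for this example).
    # authfail: the return value does not matter here, because a bare
    # '[default=...]' control maps every return code to the same action.
    return SUCCESS if "preauth" in args else AUTH_ERR


MODULES = {
    "pam_env.so": pam_env,
    "pam_permit.so": pam_permit,
    "pam_unix.so": pam_unix,
    "pam_faillock.so": pam_faillock,
    "pam_google_authenticator.so": pam_google_authenticator,
}


def run_auth_stack(stack, good):
    """Return (final status, modules actually consulted) for one auth stack.

    Simplifications: 'include' is pre-flattened (with 'include', unlike
    'substack', a sufficient success inside the included file ends the whole
    stack, so flattening is faithful), and an all-ignored stack is not special-cased.
    """
    failure = None          # status of the first required/requisite module to fail
    consulted = []
    for entry in stack:
        rc = MODULES[entry.module](entry.args, good)
        consulted.append(entry.module)
        ctl = entry.control
        if ctl in ("required", "requisite"):
            if rc != SUCCESS:
                failure = failure or rc
                if ctl == "requisite":   # 'die': stop immediately with the failure
                    break
        elif ctl == "sufficient":
            if rc == SUCCESS:            # 'done': stop now; an earlier required failure still wins
                break
        elif ctl == "[default=die]":     # any return code: count as failure and stop
            failure = failure or (rc if rc != SUCCESS else AUTH_ERR)
            break
        elif ctl in ("optional", "[default=ignore]"):
            pass                         # result discarded, keep walking the stack
        else:
            raise ValueError(f"unsupported control {ctl!r}")
    return (failure or SUCCESS), consulted


# /etc/pam.d/sshd with the system-auth include expanded inline.
OLD_SYSTEM_AUTH = [
    Entry("required", "pam_env.so"),
    Entry("required", "pam_unix.so", ("try_first_pass", "likeauth", "nullok")),
    Entry("optional", "pam_permit.so"),
]
NEW_SYSTEM_AUTH = OLD_SYSTEM_AUTH + [
    Entry("required", "pam_faillock.so", ("preauth",)),
    Entry("sufficient", "pam_unix.so", ("nullok", "try_first_pass")),
    Entry("[default=die]", "pam_faillock.so", ("authfail",)),
]
FIXED_SYSTEM_AUTH = OLD_SYSTEM_AUTH + [    # comment 5: drop the sufficient line, die -> ignore
    Entry("required", "pam_faillock.so", ("preauth",)),
    Entry("[default=ignore]", "pam_faillock.so", ("authfail",)),
]
TOTP = Entry("required", "pam_google_authenticator.so")

STACKS = {
    "old system-auth, TOTP last": OLD_SYSTEM_AUTH + [TOTP],
    "new system-auth, TOTP last": NEW_SYSTEM_AUTH + [TOTP],
    "new system-auth, TOTP first (reporter's workaround)": [TOTP] + NEW_SYSTEM_AUTH,
    "fixed system-auth, TOTP last (comment 5)": FIXED_SYSTEM_AUTH + [TOTP],
}


def requires_totp(stack):
    """True only if a correct password alone is refused and password+TOTP is accepted."""
    pw_only, _ = run_auth_stack(stack, {"password"})
    both, _ = run_auth_stack(stack, {"password", "totp"})
    return pw_only != SUCCESS and both == SUCCESS


if __name__ == "__main__":
    for name, stack in STACKS.items():
        status, consulted = run_auth_stack(stack, {"password"})
        print(f"{name}: password only -> {status}; "
              f"TOTP module consulted: {'pam_google_authenticator.so' in consulted}; "
              f"2FA enforced: {requires_totp(stack)}")
```

Running it prints one line per stack; the "new system-auth, TOTP last" case is the only one where `2FA enforced` is False. The workaround case also illustrates why moving the TOTP line first is safe: `sufficient` terminates the stack, but it cannot override the failure already recorded by the earlier `required` pam_google_authenticator.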