zuthan / google-authenticator-pam
Unix PAM for Google Authenticator
It appears that the google-authenticator utility reports errors if it detects module-specific options in the config file.
aabdian@trusty:~$ cat /etc/google-authenticator.conf | egrep -v '^#|^$'
secret=/etc/google-authenticator/${USER}.secret
use_helper=/usr/sbin/gauth_chktoken
helper_owner=googleauth
time-based
disallow-reuse
label=trusty
qr-mode=ANSI
user=googleauth
aabdian@trusty:~$ google-authenticator
Unrecognized option "user=googleauth"
aabdian@trusty:~$
Getting this error when running google-authenticator utility as non-root user:
Failed to create "/etc/google-authenticator/aabdian.secret" (Permission denied)
Filesystem permissions & other settings are as follows:
root@trusty:~# ls -las /etc/google-authenticator
total 16
4 drwxr-x--- 2 googleauth googleauth 4096 Apr 23 14:26 .
12 drwxr-xr-x 135 root root 12288 Apr 23 14:35 ..
root@trusty:~# ls -las /usr/sbin/gauth_chktoken /usr/local/bin/google-authenticator
60 -rwxr-xr-x 1 root root 60423 Apr 23 13:10 /usr/local/bin/google-authenticator
52 -rwsr-sr-x 1 googleauth googleauth 50192 Apr 23 14:17 /usr/sbin/gauth_chktoken
root@trusty:~# egrep -v '^$|^#' /etc/google-authenticator.conf
secret=/etc/google-authenticator/${USER}.secret
use_helper=/usr/sbin/gauth_chktoken
helper_owner=googleauth
time-based
disallow-reuse
label=trusty
qr-mode=ANSI
root@trusty:~#
It makes sense that the user should get a permission denied error, because the use case here is that users cannot be trusted to maintain their own secret file. But to allow the user to run the utility and get right to the end isn't desirable either. I can see two options:
Option 1. If utility cannot write to the correct location, prompt the user with something along the lines of:
Failed to create "/etc/google-authenticator/aabdian.secret" (Permission denied)
You can save this file to your home directory instead. Note: Even if you say yes here, you still may need to ask your system administrator to copy this file to "/etc/google-authenticator/aabdian.secret" before your token becomes active.
Would you like this file to be written to "~/.google_authenticator" instead? (y/n)
Option 2. Abort straight away if the utility cannot write to the secret file (i.e., don't wait until the end).
When using the google authenticator PAM module for sudo, I get the following error:
aabdian@trusty:~$ sudo su -
[sudo] password for aabdian:
Verification code:
stdin: is not a tty
aabdian@trusty:~$
I can see that I have authenticated successfully because when I re-run the command it works without prompting me to authenticate:
aabdian@trusty:~$ sudo su -
root@trusty:~#
Here is a copy of my pam config file for sudo:
root@trusty:/etc/pam.d# cat /etc/pam.d/sudo
#%PAM-1.0
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth [success=ok default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_google_authenticator.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
@include common-account
@include common-session-noninteractive
root@trusty:/etc/pam.d#
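To see what the posted /etc/pam.d/sudo auth stack actually decides, here is a small model of the Linux-PAM control actions (ok, done, ignore, bad, die and "N" jumps, with required/requisite/optional as their documented expansions). This is an added example and not code from the project or from Linux-PAM; module outcomes are simulated and libpam is never called. It traces the stack exactly as posted and the same stack with pam_unix changed to required, because `[success=ok default=ignore]` is what the keyword `optional` expands to: a failed Unix password is discarded and the stack's verdict rests on the verification code alone.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not project code: a model of Linux-PAM control actions used
 * to trace the auth stack from /etc/pam.d/sudo above. Simulated outcomes only. */

enum { RC_SUCCESS = 0, RC_FAIL = 1 };   /* simulated module return codes   */
enum { NO_RESULT = -1 };                /* the stack has no verdict yet    */

typedef enum { ACT_OK, ACT_DONE, ACT_IGNORE, ACT_BAD, ACT_DIE, ACT_JUMP } action_t;

typedef struct {
    const char *name;
    action_t on_success;   /* action when the module returns success        */
    action_t on_failure;   /* the "default=" action for any other return    */
    int      jump;         /* N for "success=N": skip the next N entries    */
} entry_t;

/* What the classic keywords expand to, per pam.conf(5). */
#define CTL_REQUIRED   ACT_OK, ACT_BAD,    0   /* [success=ok default=bad]    */
#define CTL_REQUISITE  ACT_OK, ACT_DIE,    0   /* [success=ok default=die]    */
#define CTL_OPTIONAL   ACT_OK, ACT_IGNORE, 0   /* [success=ok default=ignore] */

static int verdict(int result) { return result == NO_RESULT ? RC_FAIL : result; }

/* Walk the stack; rcs[i] is the simulated return code of entry i. */
int run_stack(const entry_t *stack, size_t n, const int *rcs) {
    int result = NO_RESULT;
    for (size_t i = 0; i < n; i++) {
        int rc = rcs[i];
        action_t act = (rc == RC_SUCCESS) ? stack[i].on_success : stack[i].on_failure;
        switch (act) {
        case ACT_IGNORE:                              /* does not contribute */
            break;
        case ACT_OK: case ACT_DONE: case ACT_JUMP:
            if (result != RC_FAIL) result = rc;       /* an earlier failure sticks */
            if (act == ACT_DONE) return verdict(result);
            if (act == ACT_JUMP) i += stack[i].jump;  /* skip the next N entries */
            break;
        case ACT_BAD: case ACT_DIE:
            if (result != RC_FAIL) result = rc;       /* first failure is recorded */
            if (act == ACT_DIE) return verdict(result);
            break;
        }
    }
    return verdict(result);                           /* no verdict at all: deny */
}

/* The auth stack as posted. pam_env and pam_permit always succeed and pam_deny
 * always fails, so only pam_unix and pam_google_authenticator take an outcome. */
static int sudo_stack(int unix_rc, int otp_rc, int unix_required) {
    entry_t stack[] = {
        { "pam_env",                  CTL_REQUIRED },
        { "pam_env (locale)",         CTL_REQUIRED },
        { "pam_unix",                 ACT_OK, unix_required ? ACT_BAD : ACT_IGNORE, 0 },
        { "pam_google_authenticator", ACT_JUMP, ACT_IGNORE, 1 },  /* [success=1 default=ignore] */
        { "pam_deny",                 CTL_REQUISITE },
        { "pam_permit",               CTL_REQUIRED },
        { "pam_cap",                  CTL_OPTIONAL },
    };
    int rcs[] = { RC_SUCCESS, RC_SUCCESS, unix_rc, otp_rc, RC_FAIL, RC_SUCCESS, RC_SUCCESS };
    return run_stack(stack, sizeof stack / sizeof stack[0], rcs);
}

/* Exactly as posted: pam_unix is [success=ok default=ignore] (= optional). */
int posted_stack_result(int unix_rc, int otp_rc)   { return sudo_stack(unix_rc, otp_rc, 0); }

/* Same stack with pam_unix as required ([success=ok default=bad]). */
int hardened_stack_result(int unix_rc, int otp_rc) { return sudo_stack(unix_rc, otp_rc, 1); }

int main(void) {
    printf("posted  : wrong password, right code -> %s\n",
           posted_stack_result(RC_FAIL, RC_SUCCESS) == RC_SUCCESS ? "allowed" : "denied");
    printf("hardened: wrong password, right code -> %s\n",
           hardened_stack_result(RC_FAIL, RC_SUCCESS) == RC_SUCCESS ? "allowed" : "denied");
    return 0;
}
```

The model is deliberately minimal (no new_authtok_reqd handling, no "done after die" rule), but it is enough to show why the pam_deny line is skipped on a good code and why a required pam_unix is the usual way to make both factors necessary.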
The Makefile installs pam_google_authenticator.so with 755 permissions, even though the rest of the PAM modules on the system are installed with 644.
Tested on Ubuntu Trusty (14.04)
When running the utility (as a non-root user) with the -s option and helper_owner is defined in /etc/google-authenticator.conf, I get the following error:
aabdian@trusty:~$ google-authenticator -s ~/.google_authenticator -l aabdian@trusty
<truncated>
Do you want me to update your "/home/aabdian/.google_authenticator" file (y/n) y
<truncated>
Failed to chown /home/aabdian/.google_authenticator as googleauth: Operation not permitted
Settings in /etc/google-authenticator.conf are:
aabdian@trusty:~$ egrep -v '^$|^#' /etc/google-authenticator.conf
secret=/etc/google-authenticator/${USER}.secret
use_helper=/usr/sbin/gauth_chktoken
helper_owner=googleauth
time-based
disallow-reuse
label=trusty
qr-mode=ANSI
aabdian@trusty:~$
I think the solution here is to simply not attempt to change the ownership of the secret file if the utility is being run as a non-root user.
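The two reports above (the late "Permission denied" and the failed chown as a non-root user) ask for the same two behaviours from the utility. The helper below is an added example, not the utility's own code: it checks up front that the secret path can be opened for writing before any secret is generated (the report's "Option 2"), and it attempts the helper_owner chown only when running as root, since a non-root process cannot give a file away. The path under /tmp in main() is a constructed demo value; nothing here touches /etc.

```c
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not the utility's code: fail-fast path check and
 * root-only chown for a secret file. */

/* (a) Pre-flight: open for writing (creating if absent, never truncating)
 * with mode 0600. Returns 0 if the path is writable, otherwise the errno,
 * e.g. EACCES for the "Permission denied" case in the report. */
int preflight_secret_path(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* (b) chown to the helper owner only when running as root; otherwise leave
 * ownership unchanged and report success, as the report suggests. */
int chown_if_root(const char *path, const char *owner) {
    if (geteuid() != 0) return 0;            /* non-root: skip, do not fail */
    struct passwd *pw = getpwnam(owner);
    if (!pw) return ENOENT;                  /* owner account does not exist */
    return chown(path, pw->pw_uid, pw->pw_gid) == 0 ? 0 : errno;
}

/* Full sequence: pre-flight, write the (already generated) secret with
 * truncation, then fix ownership if permitted. Returns 0 or an errno value. */
int write_secret_file(const char *path, const char *secret, const char *owner) {
    int err = preflight_secret_path(path);
    if (err) return err;                     /* refuse before doing any work */
    int fd = open(path, O_WRONLY | O_TRUNC, 0600);
    if (fd < 0) return errno;
    size_t len = strlen(secret);
    if (write(fd, secret, len) != (ssize_t)len) { err = errno; close(fd); return err; }
    close(fd);
    return chown_if_root(path, owner);
}

int main(void) {
    const char *path = "/tmp/gauth_example.secret";   /* constructed demo path */
    int err = write_secret_file(path, "EXAMPLE-SECRET-NOT-A-REAL-KEY\n", "googleauth");
    printf("%s: %s\n", path, err ? strerror(err) : "written");
    unlink(path);
    return err != 0;
}
```

The pre-flight open is a usability check, not a security boundary: the file is opened a second time for the real write, so the permission that matters is still enforced by the kernel on that second open.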
Compiled on Ubuntu Trusty (14.04)
aabdian@trusty:~/src/google-authenticator-PAM/libpam$ uname -a
Linux trusty 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
aabdian@trusty:~/src/google-authenticator-PAM/libpam$ make
# cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator.o pam_google_authenticator.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c -fvisibility=hidden -o pam_google_authenticator.o pam_google_authenticator.c
pam_google_authenticator.c: In function ‘log_message’:
pam_google_authenticator.c:90:3: warning: format not a string literal and no format arguments [-Wformat-security]
syslog(priority, current_msg);
^
pam_google_authenticator.c: In function ‘auth_helper’:
pam_google_authenticator.c:720:22: warning: suggest parentheses around comparison in operand of ‘&’ [-Wparentheses]
for(int i = 0; i < 2 & !pw; i++){
^
# cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o support.o support.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c -fvisibility=hidden -o support.o support.c
cc -shared -g -o pam_google_authenticator.so pam_google_authenticator.o support.o base32.o hmac.o sha1.o -lpam
# cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o demo.o demo.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c -fvisibility=hidden -o demo.o demo.c
demo.c: In function ‘pam_get_item’:
demo.c:88:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &service, sizeof(&service));
^
demo.c:93:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &user, sizeof(&user));
^
# cc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_demo.o pam_google_authenticator.c
cc -DDEMO --std=gnu99 -Wall -O0 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_demo.o pam_google_authenticator.c
pam_google_authenticator.c: In function ‘log_message’:
pam_google_authenticator.c:90:3: warning: format not a string literal and no format arguments [-Wformat-security]
syslog(priority, current_msg);
^
pam_google_authenticator.c: In function ‘auth_helper’:
pam_google_authenticator.c:720:22: warning: suggest parentheses around comparison in operand of ‘&’ [-Wparentheses]
for(int i = 0; i < 2 & !pw; i++){
^
cc -g -rdynamic -o demo demo.o pam_google_authenticator_demo.o support.o base32.o hmac.o sha1.o -ldl
# cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o gauth_chktoken.o gauth_chktoken.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c -fvisibility=hidden -o gauth_chktoken.o gauth_chktoken.c
cc -g -o gauth_chktoken gauth_chktoken.o support.o base32.o hmac.o sha1.o -ldl
cc -DTESTING --std=gnu99 -Wall -O0 -g -fPIC -c -fvisibility=hidden -o gauth_chktoken_testing.o gauth_chktoken.c
cc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o support_testing.o support.c
cc -g -o gauth_chktoken_testing gauth_chktoken_testing.o support_testing.o base32.o hmac.o sha1.o -ldl
cc -DTESTING --std=gnu99 -Wall -O0 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_testing.o pam_google_authenticator.c
pam_google_authenticator.c: In function ‘log_message’:
pam_google_authenticator.c:90:3: warning: format not a string literal and no format arguments [-Wformat-security]
syslog(priority, current_msg);
^
pam_google_authenticator.c: In function ‘auth_helper’:
pam_google_authenticator.c:720:22: warning: suggest parentheses around comparison in operand of ‘&’ [-Wparentheses]
for(int i = 0; i < 2 & !pw; i++){
^
pam_google_authenticator.c: At top level:
pam_google_authenticator.c:522:12: warning: ‘parse_config_file’ defined but not used [-Wunused-function]
static int parse_config_file(pam_handle_t *pamh, Params *params) {
^
cc -shared -g -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o support_testing.o base32.o hmac.o sha1.o -lpam
# cc --std=gnu99 -Wall -O2 -g -fPIC -c -fvisibility=hidden -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c -fvisibility=hidden -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function ‘pam_get_item’:
pam_google_authenticator_unittest.c:84:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &service, sizeof(&service));
^
pam_google_authenticator_unittest.c:89:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
memcpy(item, &user, sizeof(&user));
^
In file included from pam_google_authenticator_unittest.c:19:0:
pam_google_authenticator_unittest.c: In function ‘main’:
pam_google_authenticator_unittest.c:498:63: warning: argument to ‘sizeof’ in ‘memcmp’ call is the same expression as the second source; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess]
assert(!memcmp(rate_limit + 13, rate_limit_exp, sizeof(rate_limit_exp)));
^
cc -g -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc -ldl
aabdian@trusty:~/src/google-authenticator-PAM/libpam$
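The build log above flags four distinct patterns, and two of them matter for more than tidiness: a message used as a format string is the classic format-string bug, and a `sizeof` taken on a pointer silently shortens a copy or comparison. The block below is an added example, not code from the project; it shows each flagged pattern next to a form that is both warning-free and correct, with constructed strings and a simulated lookup standing in for the project's own data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not project code: the warning classes from the build log,
 * each with the pattern gcc objects to and a correct replacement. */

/* 1. -Wformat-security on syslog(priority, current_msg).
 * When the message is the format argument, every '%' in it is a conversion;
 * with no matching arguments that is undefined behaviour, and a message may
 * carry user-supplied text. Count the conversions a message would trigger. */
int count_conversions(const char *msg) {
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Safe form: the literal "%s" is the format and the message is data
 * (syslog(priority, "%s", msg) has the same shape). */
const char *render_log_safe(const char *msg) {
    static char out[128];
    snprintf(out, sizeof out, "%s", msg);    /* never snprintf(out, n, msg) */
    return out;
}

/* 2. -Wparentheses on "i < 2 & !pw".
 * '<' binds tighter than '&', so it reads (i < 2) & (!pw). Both operands are
 * 0 or 1 there, so the result is right by accident; bitwise '&' neither
 * short-circuits nor works for other non-zero values: (2 & 1) is 0. */
int bitwise_and(int a, int b) { return (a & b) != 0; }
int logical_and(int a, int b) { return a && b; }

/* Simulated lookup that fails on the first attempt and succeeds on the second
 * (stands in for a transient getpwnam() failure). */
static const char *lookup_attempt(int attempt) { return attempt == 0 ? NULL : "aabdian"; }

/* The retry loop written with '&&': stops as soon as pw is set, two tries at
 * most. Returns the attempts made, or -1 if the lookup never succeeded. */
int retry_lookup_tries(void) {
    const char *pw = NULL;
    int tries = 0;
    for (int i = 0; i < 2 && !pw; i++) { pw = lookup_attempt(i); tries++; }
    return pw ? tries : -1;
}

/* 3. -Wsizeof-pointer-memaccess on memcpy(item, &service, sizeof(&service)).
 * sizeof(&service) is the size of a pointer-to-pointer. When service is itself
 * a pointer that equals sizeof(service), so the copy works, but the same slip
 * on an array copies one pointer's worth of bytes instead of the buffer. */
char sample_buf[64];
size_t bytes_via_addressof(void) { return sizeof(&sample_buf); }   /* pointer size */
size_t bytes_via_object(void)    { return sizeof(sample_buf); }    /* 64 */

/* Corrected pam_get_item()-style store: copy the pointer value into the slot. */
void store_item(const void **item, const char *value) {
    memcpy(item, &value, sizeof(value));
}
int store_item_roundtrip(void) {
    const char *service = "sudo";
    const void *slot = NULL;
    store_item(&slot, service);
    return slot == (const void *)service;
}

/* 4. The memcmp variant: sizeof(rate_limit_exp) on a char* is the pointer
 * size, so only the first few bytes are compared and a mismatch further on
 * goes unnoticed. Compare the whole expected string instead. */
int matches_expected(const char *actual, const char *expected) {
    return memcmp(actual, expected, strlen(expected)) == 0;
}
size_t bytes_compared_by_sizeof_pointer(const char *expected) { return sizeof(expected); }
```

For the project, the first warning is the one to fix first: `log_message` builds `current_msg` from data, and gcc's -Wformat-security is exactly the check that catches a format string that is not a literal.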