chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/

Dmt Ops opsdmt at gmail.com
Wed Dec 24 08:51:17 EST 2014


> I've used google authenticator via PAM before


Digging further, doing a clean install of GA-libpam, even though the `make`
shows no errors, and the "./demo" app appears to work without error too,
running `make test` returns an Error,

    cd google-authenticator/libpam
    make test
        ./pam_google_authenticator_unittest
        Testing base32 encoding
        Testing base32 decoding
        Testing HMAC_SHA1
        Loading PAM module

        Running tests, querying for verification code
        Testing failed login attempt
        Testing required number of digits
        Testing a blank response
        Test handling of missing state files
        Testing successful login
        Testing WINDOW_SIZE option
        Testing DISALLOW_REUSE option
        Testing RATE_LIMIT option
        Testing TIME_SKEW
        pam_google_authenticator_unittest:
pam_google_authenticator_unittest.c:137: verify_prompts_shown: Assertion
`num_prompts_shown == expected_prompts_shown' failed.
>>>        Invalid verification code
        Makefile:36: recipe for target 'test' failed
        make: *** [test] Error 1

with the same "Invalid verification code" seen in the SSHD logs.

I tracked that message down to one prior post, as yet unanswered,
unfortunately.

    [CentOS] CentOS 5.9 and google-authenticator
    http://lists.centos.org/pipermail/centos/2013-June/135586.html

In that post it suggests that the FAIL is OS-dependent, or at least
os-VERSION-dependent.

Question -- on the system that you have GA-pam+sshd working on, are you
able to get at the GA-libpam source to run the `make test` and see if your
test passes?


More information about the openssh-unix-dev mailing list