Comment #1 originally posted by Abubakar.Masood on 2011-01-28T16:24:07.000Z:

I tried adding the code above in pam_google_authenticator.c. After adding, i made a new copy of google-authenticator for 1 user on ma computer, configured google-authenticator with ssh access. But it still looks like it does not allow me to access the not configured user through ssh. Anything I am missing?

Comment #2 originally posted by valient on 2011-01-29T21:55:27.000Z:

The code is contained in an #ifdef which is not enabled by default. You'll need to add "#define ALLOW_UNCONFIGURED_USERS" to the top of the file to make it work. Or else remove the #ifdef and #endif lines from the patch..

Comment #3 originally posted by jeremy.kitchen on 2011-02-16T20:50:58.000Z:

this patch is fine, but I think it should be a module parameter and not a compile time thing.

auth required pam_google_authenticator.so pass_if_unconfigured

something like that.

Comment #4 originally posted by brian@microcomaustralia.com.au on 2011-02-21T00:19:44.000Z:

Seems to be broken for su, on Debian Squeeze with Lenny kernel. According to strace (strace is setuid root so I can strace setuid root programs):

[...]
setfsuid32(0) = 0
setfsuid32(0) = 0
open("/root/.google_authenticator", O_RDONLY) = -1 ENOENT (No such file or directory)
[...]
access("/root/.google_authenticator", F_OK) = -1 EACCES (Permission denied)
[...]

Still trying to understand why access(...) returns EACCES instead of ENOENT. Maybe a kernel issue with my older kernel?

Everything works fine if /root/.google_authenticator exists.

Comment #5 originally posted by valient on 2011-02-24T00:41:28.000Z:

Attached is a patch that adds two arguments to the pam module:

1. "pass_unconfigured" : if this is specified, then the pam module will ignore users that do not have authenticator setup (it will return success).
2. "suffix=[xxx]" : for adding a suffix to the user's homedir path. There is a separate ticket open for this, but this is how I deal with encrypted home directories.

For example, if the following is specified in a pam config file:

auth required pam_google_authenticator.so pass_unconfigured suffix=.auth

then when a user "foo" attempts to gain access, the module will look for "/home/foo.auth/.google_authenticator", and will return success if that file does not exist.

This patch is a diff of the head against my branch, so it also contains a one-line bug fix for blocked code handling.

Comment #6 originally posted by brian@microcomaustralia.com.au on 2011-02-27T23:26:09.000Z:

At quick glance, I think the patch in comment # 5 will suffer from the same problem I have in comment # 4. I just reproduced this problem on an up-to-date Ubuntu system. Still investigating.

Comment #7 originally posted by Abubakar.Masood on 2011-02-28T15:07:19.000Z:

This problem can be solved by adding a CONFIG FILE (which could be user defined) and adding the code on the first post in an if statement which reads from the config file. I have added a config file with settings for allowing/not allowing unconfigured users and it works fine.

Comment #8 originally posted by paul.devrieze on 2011-02-28T16:34:15.000Z:

As an alternative, I've created a patch # 32 that lets the module return various codes to the pam stack. You can then handle those in whatever way desired (including forcing the user to create the token) by leveraging pam.

Comment #9 originally posted by markus@google.com on 2011-03-09T20:26:23.000Z:

<empty>

Comment #10 originally posted by markus@google.com on 2011-03-12T02:48:47.000Z:

See issue # 24 for dealing with encrypted home directories.

Comment #11 originally posted by fredemmott on 2011-08-20T09:00:28.000Z:

Here's a workaround:

1. Save the following as /usr/local/sbin/no-google-authenticator or similar:

#!/bin/sh
HOME=$(getent passwd "${PAM_USER}" | cut -f6 -d:)
/usr/bin/test ! -e "${HOME}/.google_authenticator"

1. Use the following in your PAM config:

auth [success=1 default=ignore] pam_exec.so quiet /usr/local/sbin/no-google-authenticator
auth required pam_google_authenticator.so

"[success=1 default=ignore]" means "on success, skip the next 1 auth provider (google), on failure, just pretend it didn't happen"