Xrdp: google-authenticator two factor not working on xrdp login

Created on 20 Sep 2018  路  17Comments  路  Source: neutrinolabs/xrdp

google-authenticator two factor not working on xrdp login . Same google authenticator is working fine while I am trying to login using ssh .

For installing google-authenticator I am just following https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

step 1 , step 2 and step 3.

Is there any special configuration required for google-authenticator to made it working over xrdp session ?

Most helpful comment

I am able to use google-authenticator with xrdp with some changes. It is working fine for password+token(from mobile app ) on xrdp session. Only thing is missing two different screens for providing password and OTP. For command mode it always asking for password on one screen and then OTP on second screen but same is not working on xrdp login screen. On xrdp login screen user has to provide password and OTP together without any scape or extra character and login will work fine. If we can have two separate screen working with xrdp it will really work as 2FA .

Here is the issue and configuration for xrdp to work with google-authenticator : https://github.com/google/google-authenticator-libpam/issues/110

All 17 comments

We know that. That's why I do a survey #1047. See also #736.

I am able to use google-authenticator with xrdp with some changes. It is working fine for password+token(from mobile app ) on xrdp session. Only thing is missing two different screens for providing password and OTP. For command mode it always asking for password on one screen and then OTP on second screen but same is not working on xrdp login screen. On xrdp login screen user has to provide password and OTP together without any scape or extra character and login will work fine. If we can have two separate screen working with xrdp it will really work as 2FA .

Here is the issue and configuration for xrdp to work with google-authenticator : https://github.com/google/google-authenticator-libpam/issues/110

Good work!

Please provide me step by step configuration for XRDP with Google authenticator

@Sas002 could you create an MD with instruction on how to set this up end-to-end? That would be great to include in the readmes on xRDP github 馃憤. Else I might give this is a go when I have some spare to time.

Now I am working how to have HA for XRDP.

@Sas002 could you create an MD with instruction on how to set this up end-to-end? That would be great to include in the readmes on xRDP github 馃憤. Else I might give this is a go when I have some spare to time.

I will add it this week.

Please provide me step by step configuration for XRDP with Google authenticator

sorry for the delay. I will add the steps this week and update you.

@Sas002 Can you add the steps? I would really like to attempt this.

Please find the details

Please check :
https://github.com/google/google-authenticator-libpam/issues/44

Sending e-mail for google authenticator

https://github.com/google/google-authenticator-libpam/issues/110 : enable OTP for xrdp session

For both password and OTP on ssh as well xrdp

``

root@xrdp:/etc/pam.d# cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Set the loginuid process attribute.
session required pam_loginuid.so

# Create a new session keyring.
session optional pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so

xrdp configuration:

root@xrdp:/etc/pam.d# cat xrdp-sesman
#%PAM-1.0
#@include common-auth
#@include common-account
#@include common-session
#@include common-password
#auth required pam_google_authenticator.so
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

restart sshd service or restart docker container and try to login ( I tried ubuntu on a docker container )

For login to xrdp : Please provide username and then on password box provide password+otp together. Password should be first then otp from gogole-authenticator app together without any space or extra character.

@Mdleal @willaaam : Please follow above steps and let me know if it is working for you. I have tried two options. One just username and OTP and above steps for username and password+otp

Apologies for the vastly late response - I was stuck in between flying and deadlines. I have some time in the coming week to give this a shot for our linux VMs

Can someone confirm this is working? I've made a few attempts but seem to be getting no-where with the steps provided. I am working on a Centos 8 VM. SSHD is setup just fine to work with the google authenticator, but XRDP is not accepting the password+authenticator code with the /etc/pam.d/xrdp-sesman config described by @Sas002

Hi @Bruuldor

I'll have a look at this for you - this could really do with getting on the Wiki I think. Gimme a while to get a CentOS 8 VM set up and I'll see what I can do.

Couple of questions for you:-

  • Are you using GNOME or another desktop?
  • What does your /etc/pam.d/xrdp-sesman look like?
  • Depending on the section which is uncommented in /etc/pam.d/xrdp-sesman, can you post either /etc/pam.d/password-auth or /etc/pam.d/gdm-password?

Thanks

Hi @matt335672

I've gotten it to work after messing around with the xrdp-sesman file and also some SELinux restrictions that didn't allow google authenticator to update the file in the home directory of the user. See my config below:

Desktop: GNOME
`

/etc/pam.d/xrdp-sesman

%PAM-1.0

Generic Fedora config

auth include password-auth

account include password-auth

password include password-auth

session include password-auth
auth required pam_google_authenticator.so secret=${HOME}/.ga/.google_authenticator forward_pass
auth required pam_unix.so use_first_pass

Gnome specific Fedora config

auth include gdm-password

account include gdm-password

password include gdm-password

session include gdm-password

/etc/pam.d/sshd

pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin

add to end

auth required pam_google_authenticator.so secret=${HOME}/.ga/.google_authenticator
`

The GA code needs to be appended to the end of the password but it works!
EDIT: some of the files didn't fully copy paste

Hi @Bruuldor

I've set the thing up just using a local user and I'm not seeing any problems with SELinux using the standard ~/.google-authenticator location for the file.

How did you install xrdp? Did you install it from EPEL, or from source? If you used EPEL, did you also install the xrdp-selinux RPM?

Thanks for any info.

I'm closing this issue now - I've added a Wiki page describing how to set this up with an example

Was this page helpful?
0 / 5 - 0 ratings

Related issues

MoonMoon1919 picture MoonMoon1919  路  5Comments

Rubarius picture Rubarius  路  5Comments

Jay991 picture Jay991  路  6Comments

sblack1969 picture sblack1969  路  7Comments

Zer0CoolX picture Zer0CoolX  路  3Comments