google-authenticator two factor not working on xrdp login . Same google authenticator is working fine while I am trying to login using ssh .
For installing google-authenticator I am just following https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
step 1 , step 2 and step 3.
Is there any special configuration required for google-authenticator to made it working over xrdp session ?
We know that. That's why I do a survey #1047. See also #736.
I am able to use google-authenticator with xrdp with some changes. It is working fine for password+token(from mobile app ) on xrdp session. Only thing is missing two different screens for providing password and OTP. For command mode it always asking for password on one screen and then OTP on second screen but same is not working on xrdp login screen. On xrdp login screen user has to provide password and OTP together without any scape or extra character and login will work fine. If we can have two separate screen working with xrdp it will really work as 2FA .
Here is the issue and configuration for xrdp to work with google-authenticator : https://github.com/google/google-authenticator-libpam/issues/110
Good work!
Please provide me step by step configuration for XRDP with Google authenticator
@Sas002 could you create an MD with instruction on how to set this up end-to-end? That would be great to include in the readmes on xRDP github 馃憤. Else I might give this is a go when I have some spare to time.
Now I am working how to have HA for XRDP.
@Sas002 could you create an MD with instruction on how to set this up end-to-end? That would be great to include in the readmes on xRDP github 馃憤. Else I might give this is a go when I have some spare to time.
I will add it this week.
Please provide me step by step configuration for XRDP with Google authenticator
sorry for the delay. I will add the steps this week and update you.
@Sas002 Can you add the steps? I would really like to attempt this.
Please find the details
Please check :
https://github.com/google/google-authenticator-libpam/issues/44
Sending e-mail for google authenticator
https://github.com/google/google-authenticator-libpam/issues/110 : enable OTP for xrdp session
For both password and OTP on ssh as well xrdp
``
root@xrdp:/etc/pam.d# cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so
xrdp configuration:
root@xrdp:/etc/pam.d# cat xrdp-sesman
#%PAM-1.0
#@include common-auth
#@include common-account
#@include common-session
#@include common-password
#auth required pam_google_authenticator.so
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
restart sshd service or restart docker container and try to login ( I tried ubuntu on a docker container )
For login to xrdp : Please provide username and then on password box provide password+otp together. Password should be first then otp from gogole-authenticator app together without any space or extra character.
@Mdleal @willaaam : Please follow above steps and let me know if it is working for you. I have tried two options. One just username and OTP and above steps for username and password+otp
Apologies for the vastly late response - I was stuck in between flying and deadlines. I have some time in the coming week to give this a shot for our linux VMs
Can someone confirm this is working? I've made a few attempts but seem to be getting no-where with the steps provided. I am working on a Centos 8 VM. SSHD is setup just fine to work with the google authenticator, but XRDP is not accepting the password+authenticator code with the /etc/pam.d/xrdp-sesman config described by @Sas002
Hi @Bruuldor
I'll have a look at this for you - this could really do with getting on the Wiki I think. Gimme a while to get a CentOS 8 VM set up and I'll see what I can do.
Couple of questions for you:-
/etc/pam.d/xrdp-sesman look like?/etc/pam.d/xrdp-sesman, can you post either /etc/pam.d/password-auth or /etc/pam.d/gdm-password?Thanks
Hi @matt335672
I've gotten it to work after messing around with the xrdp-sesman file and also some SELinux restrictions that didn't allow google authenticator to update the file in the home directory of the user. See my config below:
Desktop: GNOME
`
account include password-auth
session include password-auth
auth required pam_google_authenticator.so secret=${HOME}/.ga/.google_authenticator forward_pass
auth required pam_unix.so use_first_pass
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
auth required pam_google_authenticator.so secret=${HOME}/.ga/.google_authenticator
`
The GA code needs to be appended to the end of the password but it works!
EDIT: some of the files didn't fully copy paste
Hi @Bruuldor
I've set the thing up just using a local user and I'm not seeing any problems with SELinux using the standard ~/.google-authenticator location for the file.
How did you install xrdp? Did you install it from EPEL, or from source? If you used EPEL, did you also install the xrdp-selinux RPM?
Thanks for any info.
I'm closing this issue now - I've added a Wiki page describing how to set this up with an example
Most helpful comment
I am able to use google-authenticator with xrdp with some changes. It is working fine for password+token(from mobile app ) on xrdp session. Only thing is missing two different screens for providing password and OTP. For command mode it always asking for password on one screen and then OTP on second screen but same is not working on xrdp login screen. On xrdp login screen user has to provide password and OTP together without any scape or extra character and login will work fine. If we can have two separate screen working with xrdp it will really work as 2FA .
Here is the issue and configuration for xrdp to work with google-authenticator : https://github.com/google/google-authenticator-libpam/issues/110