does google-authenticator-libpam provides method to verify TOTP to handle error scenarios

[raviteja-b]

I have configured google-authenticator-libpam pam module on system and it works.
to handle error or wrong secret key setup scenarios, we wanted to verify TOTP token during google authenticator secret key setup.

In our use-case, secret key displayed on WebGUI for users to setup TOTP authenticator app mobile device to generate TOTP, in any case if user missed configuring TOTP authenticator app on mobile then this use gets locked out. so we wanted make sure user has setup TOTP authenticator app on mobile and ask user to provide first TOTP generated as input to validate secret key setup.

does google-authenticator-libpam pam module provides any API like "check_timebased_code()" which can be consumed by applications(WebGUI) to validate OTP ??

[ThomasHabets]

You provision GA libpam secrets via a web gui?

No, aside from the API PAM uses, this code doesn't expose any API. Probably there are "pam test" projects somewhere that lets you execute the auth stack outside of the actual auth flow.

[raviteja-b]

You provision GA libpam secrets via a web gui?

No, aside from the API PAM uses, this code doesn't expose any API. Probably there are "pam test" projects somewhere that lets you execute the auth stack outside of the actual auth flow.

yeah, secret key generated for each user on system and display secret key & QR code on Web GUI for user to setup TOTP authenticator

[raviteja-b]

You provision GA libpam secrets via a web gui?
No, aside from the API PAM uses, this code doesn't expose any API. Probably there are "pam test" projects somewhere that lets you execute the auth stack outside of the actual auth flow.

yeah, generate secret for each user, display secret key and QR code on GUI page.

does google-authenticator pam module support an API which can support verify TOTP and return success or failure
similar to https://www.man7.org/linux/man-pages/man3/pam_authenticate.3.html

[ThomasHabets]

GA PAM module already exports the standard PAM module API. You should be able to use that, just like the login flow does.

[raviteja-b]

GA PAM module already exports the standard PAM module API. You should be able to use that, just like the login flow does.

yeah, standard PAM module API expects both password + TOTP again, that's reason i was looking for google-authenticator specific TOTP verify method.
can you please consider exposing any new API to verify TOTP, so that any app which use this library can consume this API

[ThomasHabets]

Not sure what you mean. GA PAM module doesn't check the regular password. It has no ability to. Why is it that you can't call pam_sm_authenticate? That way it'd work against replays, work with HOTP, and ensure that the secret file was written correctly.

[raviteja-b]

Not sure what you mean. GA PAM module doesn't check the regular password. It has no ability to. Why is it that you can't call pam_sm_authenticate? That way it'd work against replays, work with HOTP, and ensure that the secret file was written correctly.

User already logged in and have a web session on system by the time user configure google-authenticator and setup secret key. During user secret key setup, we wanted to verify TOTP token against secret key setup for the user, I am looking for a PAM method which can just take TOTP and secret key input and validate given TOTP.

During session creation, we call pam_sm_authenticate with totp and it works.
pam_sm_authenticate expects both password and TOTP token both to pass authentication.
if we need to call pam_sm_authenticate() method just to verify totp then user needs to enter password again from web GUI

[ThomasHabets]

pam_sm_authenticate expects both password and TOTP token both to pass authentication.

Only if you use the options try_first_pass / use_first_pass / forward_pass, right?

if we need to call pam_sm_authenticate() method just to verify totp then user needs to enter password again from web GUI

Why?

[raviteja-b]

pam_sm_authenticate expects both password and TOTP token both to pass authentication.

Only if you use the options try_first_pass / use_first_pass / forward_pass, right?

yes that's right

if we need to call pam_sm_authenticate() method just to verify totp then user needs to enter password again from web GUI

Why?

pam_sm_authenticate() generally expects password with TOTP appended, if any one of these two parameters are wrong then it returns error

[ThomasHabets]

So, don't use those parameters when you verify the OTP?

[raviteja-b]

So, don't use those parameters when you verify the OTP?

password usually is not stored unless user passed while login..
so don't want to use password parameter while verifying TOTP

[akerl]

@raviteja-b You're missing the point.

PAM is a pluggable system for composing authentication flows. Google-authenticator-libpam is a module for PAM that implements TOTP validation.

The flow you're describing, where a user logs in with a password and then TOTP, is how you have configured the auth flow for sshd or login or whatever specific thing you're having users do. But that's just one configuration, and it's a PAM system configuration.

You can do a couple different things:

1. Set up another PAM config that isn't sshd/login/etc, that uses TOTP but not password, and invoke that to validate TOTP
2. Just call the function from this module directly, the same way that the PAM system flow does. This module only validates TOTP, not passwords, so you could just do that part.
3. Write your own TOTP validation code. TOTP is a published standard, you can find or write a validator that takes a seed, a code, and the current timestamp. As @ThomasHabets as pointed out, if you wanted to be thorough, you'd need to somehow integrate that to make sure the validated code couldn't be replayed, which is something the module takes care of for you.

[raviteja-b]

@raviteja-b You're missing the point.

I understand your point, in our authentication flow also user passes both password and TOTP token while login, but before that during setup secret key we wanted to verify TOTP token to make sure user configured right secret key on their device..

PAM is a pluggable system for composing authentication flows. Google-authenticator-libpam is a module for PAM that implements TOTP validation.

The flow you're describing, where a user logs in with a password and then TOTP, is how you have configured the auth flow for sshd or login or whatever specific thing you're having users do. But that's just one configuration, and it's a PAM system configuration.

You can do a couple different things:

1. Set up another PAM config that isn't sshd/login/etc, that uses TOTP but not password, and invoke that to validate TOTP
2. Just call the function from this module directly, the same way that the PAM system flow does. This module only validates TOTP, not passwords, so you could just do that part.

which function you are referring here?
looks like we can't use any method from google-authenticator pam module directly.

3. Write your own TOTP validation code. TOTP is a published standard, you can find or write a validator that takes a seed, a code, and the current timestamp. As @ThomasHabets as pointed out, if you wanted to be thorough, you'd need to somehow integrate that to make sure the validated code couldn't be replayed, which is something the module takes care of for you.

[ThomasHabets]

I'm pretty sure calling pam_sm_authenticate() should work.