I have a requirement to use a TOTP-based authentication on some RedHat 8.7 servers running vsFTPd. I've managed to get TOTP working with vsFTPd on Debian / Ubuntu, but haven't had any luck so far on RedHat. I have been able to get TOTP working on SSH logins, and that is rather well documented online; I've even managed to get it working with SELinux enabled. But I've had zero luck in configuring vsFTPd's PAM on RedHat systems even with SELinux disabled. The default /etc/pam.d/vsftpd file on RedHat looks like this:

Code:
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

I've tried adding

Code:
auth       required     pam_google_authenticator.so debug secret=/home/${USER}/.google_authenticator nullok

If at the beginning of the PAM file, I can no longer log in to FTP at all; it asks for a password, but neither the code nor the unix password work. If I put it at the end, it's not used and the normal unix password is enough. My target configuration is to have it where, should there be a secret .google_authenticator config file for the user logging in, this is used instead of the unix password. If there is no config file, then the normal unix password is used. I think this is required as FTP doesn't normally allow for MFA, so only a single entry for a password can work. Any ideas on where to look?
OK, I think I've found the solution. Using the sufficient flag with the GA module and having this just before the normal Unix password auth seems to work. In this case, for accounts which have the TOTP set up, they can use either their TOTP or normal Unix password. For accounts that don't have TOTP, they just use their Unix password. Using the wrong password doesn't give a successful logon. Here's what I've ended up with for now:

Code:
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
auth       sufficient   pam_google_authenticator.so secret=/home/${USER}/.google_authenticator
auth       include      password-auth
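A small model of the two auth stacks discussed in this thread, added here as an example (not code from the original posts): it applies Linux-PAM control-flag semantics to the single password an FTP client sends, reproduces why the `required` placement rejects both credentials, and shows that the `sufficient` stack accepts either the TOTP code or the Unix password, so it is an alternative factor rather than a second one. Assumptions: the constructed users and passwords are sample data, the TOTP secret is the RFC 6238 test-vector key in base32, and `password-auth` is reduced to one required pam_unix check.

```python
import base64
import hmac
import struct

# Constructed sample data (not real credentials). bob has no .google_authenticator file.
UNIX_PW = {"alice": "Wonderland!", "bob": "builder#1"}
TOTP_SECRET = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}  # base32 of "12345678901234567890"


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme pam_google_authenticator uses."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(key, counter, "sha1").digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def pam_google_authenticator(user: str, cred: str, now: int) -> bool:
    # Without nullok, a user with no secret file simply fails this module.
    return user in TOTP_SECRET and cred == totp(TOTP_SECRET[user], now)


def pam_unix(user: str, cred: str, now: int) -> bool:
    return UNIX_PW.get(user) == cred


def run_stack(stack, user: str, cred: str, now: int) -> bool:
    """Evaluate an auth stack with Linux-PAM control-flag rules.

    FTP delivers exactly one password, so every module is handed the same credential.
    """
    required_failed = False
    for flag, module in stack:
        ok = module(user, cred, now)
        if flag == "required" and not ok:
            required_failed = True        # remembered; later modules still run
        elif flag == "requisite" and not ok:
            return False                  # fail immediately
        elif flag == "sufficient" and ok and not required_failed:
            return True                   # short-circuit success
    return not required_failed


# The poster's first attempt: GA required at the top, then the Unix password check.
BROKEN_STACK = [("required", pam_google_authenticator), ("required", pam_unix)]
# The working stack from the answer: GA sufficient, just before the Unix password check.
WORKING_STACK = [("sufficient", pam_google_authenticator), ("required", pam_unix)]
```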