Using Google Authenticator PAM with vsFTPd on RedHat

Discussion in 'Server Operation' started by tfboy, Mar 1, 2023.

  1. tfboy

    tfboy Member

    I have a requirement to use a TOTP-based authentication on some RedHat 8.7 servers running vsFTPd.
    I've managed to get TOTP working with vsFTPd on Debian / Ubuntu, but haven't had any luck so far on RedHat.
    I have been able to get TOTP working on SSH logins, and that is rather well documented online; I've even managed to get it working with SELinux enabled :) But I've had zero luck in configuring vsFTPd's PAM on RedHat systems, even with SELinux disabled.
    The default /etc/pam.d/vsftpd file on RedHat looks like this:
    Code:
    #%PAM-1.0
    session    optional     pam_keyinit.so    force revoke
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
    auth       required     pam_shells.so
    auth       include      password-auth
    account    include      password-auth
    session    required     pam_loginuid.so
    session    include      password-auth
    
    I've tried adding
    Code:
    auth       required     pam_google_authenticator.so debug secret=/home/${USER}/.google_authenticator nullok
    If it's at the beginning of the PAM file, I can no longer log in to FTP at all; it asks for a password, but neither the code nor the unix password works. If I put it at the end, it's not used and the normal unix password is enough.

    My target configuration is to have it where should there be a secret .google_authenticator config file for the user logging in, then this is used instead of the unix password. If there is no config file, then the normal unix password is used. I think this is required as FTP doesn't normally allow for MFA so only a single entry for a password can work.

    Any ideas on where to look?
     
  2. tfboy

    tfboy Member

    OK, I think I've found the solution. Using the sufficient flag with the GA module and having this just before the normal Unix password auth seems to work.

    In this case, for accounts which have the TOTP set up, they can use either their TOTP or normal Unix password. For accounts that don't have TOTP, they just use their Unix password. Using the wrong password doesn't give a successful logon.

    Here's what I've ended up with for now:
    Code:
    #%PAM-1.0
    session    optional     pam_keyinit.so    force revoke
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
    auth       required     pam_shells.so
    auth       sufficient   pam_google_authenticator.so secret=/home/${USER}/.google_authenticator
    auth       include      password-auth
    account    include      password-auth
    session    required     pam_loginuid.so
    session    include      password-auth
     
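Added illustration, not code from the thread: the Python model below walks an auth stack the way Linux-PAM's dispatcher does (the `ok`/`done`/`bad`/`die`/`ignore` actions that the `required`/`sufficient` keywords expand to per pam.conf(5)) and runs the stack from the first post, the `sufficient` stack from the second post, and a third variant using a bracketed control. It assumes simplified module behaviour: pam_google_authenticator returns PAM_IGNORE when `nullok` is set and the user has no secret file, pam_listfile and pam_shells pass for the test user, and RHEL's `password-auth` include is reduced to its `sufficient pam_unix.so` / `required pam_deny.so` core. The users, passwords and the "123456" code are constructed; with FTP's single prompt every module sees the same typed string.

```python
"""Model of Linux-PAM's auth-stack walk, used to compare vsftpd PAM stacks.
Simplified; confirm on a real host (e.g. pamtester vsftpd <user> authenticate)."""

SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"

# pam.conf(5) expansions of the simple control keywords into [value=action] tables.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """'required' or '[success=done ignore=ignore default=die]' -> {retval: action}."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return dict(SIMPLE_CONTROLS[control])


def run_auth_stack(stack, ctx):
    """stack: list of (control, module); module(ctx) returns a PAM code.
    ok/done never override an earlier failure; bad/die record a failure;
    die always stops, done stops only when nothing has failed so far
    (that is why a sufficient module cannot rescue a failed required one)."""
    status = None                          # None: no module has contributed yet
    for control, module in stack:
        table = parse_control(control)
        ret = module(ctx)
        action = table.get(ret, table.get("default"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if status is None:
                status = SUCCESS
            if action == "done" and status == SUCCESS:
                return status
        elif action in ("bad", "die"):
            status = AUTH_ERR
            if action == "die":
                return status
        else:
            raise ValueError(f"unsupported action {action!r}")
    return AUTH_ERR if status is None else status


# --- module models (assumptions, see lead-in) -------------------------------
def listfile_and_shells(ctx):              # user not in ftpusers, valid shell
    return SUCCESS


def google_authenticator(nullok):
    def module(ctx):
        if ctx["secret"] is None:          # no ~/.google_authenticator for this user
            return IGNORE if nullok else AUTH_ERR
        return SUCCESS if ctx["entered"] == ctx["secret"] else AUTH_ERR
    return module


def pam_unix(ctx):                         # single FTP prompt: same string as GA saw
    return SUCCESS if ctx["entered"] == ctx["password"] else AUTH_ERR


def pam_deny(ctx):
    return AUTH_ERR


COMMON = [("required", listfile_and_shells)]
PASSWORD_AUTH = [("sufficient", pam_unix), ("required", pam_deny)]  # reduced RHEL include

STACKS = {
    "first post: required GA at top":
        [("required", google_authenticator(nullok=True))] + COMMON + PASSWORD_AUTH,
    "second post: sufficient GA":
        COMMON + [("sufficient", google_authenticator(nullok=False))] + PASSWORD_AUTH,
    "variant: TOTP replaces password once enrolled":
        COMMON + [("[success=done ignore=ignore default=die]",
                   google_authenticator(nullok=True))] + PASSWORD_AUTH,
}

SCENARIOS = {  # constructed users; "123456" stands for the currently valid TOTP code
    "enrolled, types code":       {"secret": "123456", "password": "hunter2", "entered": "123456"},
    "enrolled, types password":   {"secret": "123456", "password": "hunter2", "entered": "hunter2"},
    "enrolled, types garbage":    {"secret": "123456", "password": "hunter2", "entered": "nope"},
    "unenrolled, types password": {"secret": None,     "password": "hunter2", "entered": "hunter2"},
}


def evaluate():
    """Outcome of every stack for every scenario: {stack: {scenario: result}}."""
    return {name: {scen: run_auth_stack(stack, dict(ctx)) for scen, ctx in SCENARIOS.items()}
            for name, stack in STACKS.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for scen, outcome in results.items():
            print(f"  {scen:28s} -> {outcome}")
```

Under this model the first post's stack locks out an enrolled user exactly as described: the code fails pam_unix and the password fails the `required` GA line, and once a `required` module has failed no later `sufficient` success can recover. The second post's stack accepts code or password, and the bracketed variant accepts only the code once a secret exists and only the password before enrolment. In both of those the six-digit code is a sole credential, so the `RATE_LIMIT` line that the google-authenticator setup writes into the secret file is doing real work; for genuine two-factor through a single FTP prompt, pam_google_authenticator's documented `forward_pass` option (user types password followed by code, the module strips the code and hands the password to the next module, which RHEL's pam_unix line picks up via `try_first_pass`) is the route to test, on a scratch account, before rolling out.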