.\" Automatically generated by Pandoc 1.16.0.2
.\"
.TH "PAM_GOOGLE_AUTHENTICATOR" "8" "" "Google Authenticator PAM module manual" ""
.hy
.SH NAME
.PP
pam_google_authenticator \- PAM module for Google two\-factor authentication
.SH SYNOPSIS
.PP
\f[B]pam_google_authenticator.so\f[] [secret=\f[I]file\f[]]
[authtok_prompt=\f[I]prompt\f[]] [user=\f[I]username\f[]] [no_strict_owner]
[allowed_perm=\f[I]0nnn\f[]] [debug]
[try_first_pass|use_first_pass|forward_pass] [noskewadj] [no_increment_hotp]
[nullok] [echo_verification_code]
.SH DESCRIPTION
.PP
The \f[B]pam_google_authenticator\f[] module is designed to protect user
authentication with a second factor, either time\-based (TOTP) or
counter\-based (HOTP).
Prior to logging in, the user is asked for both their password and a
one\-time code.
Such one\-time codes can be generated with the Google Authenticator
application installed on the user\[aq]s Android device.
To generate and verify those one\-time codes, a randomly generated secret
key must be shared between the device on which the codes are generated and
the system on which this PAM module is enabled.
.PP
Depending on its configuration (see the \f[I]OPTIONS\f[] section), this
module requires that a secret file be manually set up for each account on
the system.
This secret file holds the secret key and user\-specific options (see
\f[B]google\-authenticator\f[](1)).
Unless the \f[B]nullok\f[] option is used, authentication attempts are
rejected if no such secret file exists.
Alternatively, a system administrator may create those secret files on
behalf of the users and then communicate the secret keys to them.
.SH OPTIONS
.TP
.B secret=\f[I]file\f[]
Specify a non\-standard location for the secret file.
.RS
.PP
By default, the PAM module looks for the secret file in the
\f[C]\&.google_authenticator\f[] file within the home directory of the user
logging in.
This option overrides this location.
.PP
The provided location may include the following short\-hands:
.IP \[bu] 2
\f[B]${USER}\f[], which is interpreted as the username.
.IP \[bu] 2
\f[B]${HOME}\f[] and \f[B]~\f[], which are interpreted as the user\[aq]s home
directory.
.RE
.TP
.B authtok_prompt=\f[I]prompt\f[]
Override the default token prompt.
.RS
.PP
Note that if spaces are present in the provided prompt, the whole argument
must be wrapped in square brackets.
.RE
.TP
.B user=\f[I]username\f[]
Switch to a hard\-coded user prior to doing any file operation.
.RS
.RE
.TP
.B no_strict_owner
Disable the check against the secret file\[aq]s owner.
.RS
.PP
By default, the secret file must be owned by the user logging in.
This option disables this check.
.RE
.TP
.B allowed_perm=\f[I]0nnn\f[]
Override the permissions checked on the secret file.
.RS
.PP
By default, the secret file must be readable only by its owner (i.e. mode
\f[I]0600\f[]).
This option allows a different mode to be specified for this file.
.RE
.TP
.B debug
Enable more verbose log messages in syslog.
.RS
.RE
.TP
.B try_first_pass|use_first_pass|forward_pass
Stacking options for this PAM module.
.RS
.PP
Because some PAM clients cannot prompt the user for more than just the
password, the following stacking options may be used:
.IP \[bu] 2
\f[B]try_first_pass\f[]: before prompting the user for the one\-time code,
this module first tries the previously stacked module\[aq]s password, in case
it satisfies this module as well.
.IP \[bu] 2
\f[B]use_first_pass\f[]: force this module to use the previously stacked
module\[aq]s password.
With this option, this module never prompts the user for the one\-time code.
Thus, if no valid one\-time code is available, the user is denied access.
.IP \[bu] 2
\f[B]forward_pass\f[]: query the user for both the system password and the
verification code in a single prompt.
The system password is then forwarded to the next PAM module, which must be
configured with either the \f[B]use_first_pass\f[] or the
\f[B]try_first_pass\f[] option.
.RE
.TP
.B noskewadj
Don\[aq]t adjust time skew automatically.
.RS
.PP
By default, the PAM module attempts to compensate for time skew between the
server and the device on which one\-time passcodes are generated.
This option disables this behavior.
.PP
Note that this option is only relevant for time\-based (TOTP) mode.
.RE
.TP
.B no_increment_hotp
Don\[aq]t increment the counter for failed attempts.
.RS
.PP
In some circumstances, a failed password still leads to an OTP prompt.
This option disables counter incrementation in such situations.
.PP
Note that this option is only relevant for counter\-based (HOTP) mode.
.RE
.TP
.B nullok
Allow users to log in without OTP if they haven\[aq]t set up OTP yet.
.RS
.PP
During the initial roll\-out process, not all users may have created a
secret key yet.
This option allows them to log in even if the secret file doesn\[aq]t exist.
.RE
.TP
.B echo_verification_code
Echo the verification code when it is entered by the user.
.RS
.RE
.SH MODULE TYPE PROVIDED
.PP
Only the \f[B]auth\f[] module type is provided.
.SH RETURN VALUES
.TP
.B PAM_SUCCESS
The provided one\-time code is correct, or it is a valid emergency code.
.RS
.RE
.TP
.B PAM_IGNORE
This module is ignored.
.RS
.RE
.TP
.B PAM_AUTH_ERR
The provided one\-time code is neither correct nor a valid emergency code,
or an error was encountered.
.RS
.RE
.SH EXAMPLES
.PP
The following lines may be used to enable this PAM module:
.IP \[bu] 2
\f[C]auth\ required\ pam_google_authenticator.so\ no_increment_hotp\f[]
# Make sure the counter (for HOTP mode) isn\[aq]t incremented for failed
attempts.
.IP \[bu] 2
\f[C]auth\ required\ pam_google_authenticator.so\ nullok\f[]
# Allow users to log in if their secret files don\[aq]t exist.
.IP \[bu] 2
\f[C]auth\ required\ pam_google_authenticator.so\ secret=/var/unencrypted\-home/${USER}/.google_authenticator\f[]
# Store secret files in a specific location.
.IP \[bu] 2
\f[C]auth\ required\ pam_google_authenticator.so\ [authtok_prompt=Your\ secret\ token:\ ]\f[]
# Use a specific prompt.
.IP \[bu] 2
\f[C]auth\ required\ pam_google_authenticator.so\ noskewadj\f[]
# Don\[aq]t compensate for time skew automatically.
.SH SECURITY NOTES
.PP
For highest security, make sure that both the password and the one\-time
code are requested even if the password and/or the one\-time code are
incorrect.
This means that \f[I]at least\f[] the first of \f[C]pam_unix.so\f[] (or
whatever other module is used to verify passwords) and
\f[C]pam_google_authenticator.so\f[] should be set as \f[B]required\f[], not
\f[B]requisite\f[].
With \f[B]requisite\f[], a failing first module ends the stack immediately,
so the second factor is never requested and the failure reveals which
factor was wrong.
.SH SEE ALSO
.PP
\f[B]google\-authenticator\f[](1).
.PP
The Google Authenticator source code and all documentation may be downloaded
from .
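.PP
The following Python program is an added example (not part of this manual or
of the module\[aq]s source) showing what the module verifies: an RFC 6238 TOTP
code within a small clock\-skew window, or a single\-use emergency code read
from the secret file, mapped to the PAM_SUCCESS and PAM_AUTH_ERR results
listed under RETURN VALUES.
The secret\-file layout and the sample file (built on the RFC 4226 test key)
are assumptions made here; the numeric return codes are Linux\-PAM\[aq]s.

```python
import base64
import hashlib
import hmac
import struct

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7   # Linux-PAM numeric return codes
TIME_STEP = 30                     # seconds per TOTP step (RFC 6238 default)

# Constructed sample secret file. The key is the RFC 4226/6238 test key
# "12345678901234567890" in base32; the two trailing lines are emergency codes.
SAMPLE_SECRET_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" TOTP_AUTH
11111111
22222222
"""


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_secret_file(text: str):
    """Return (base32 secret, option lines, emergency codes).
    Assumed layout (modelled on google-authenticator(1) output, not specified here):
    first line is the secret, '"'-prefixed lines are options, the rest are codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    emergency = [ln for ln in lines[1:] if not ln.startswith('"')]
    return lines[0], options, emergency


def verify_totp(secret_text: str, code: str, now: int, skew_steps: int = 1):
    """Return (PAM result, remaining emergency codes).
    A fixed window of +/- skew_steps is the simplest form of clock-skew tolerance;
    skew_steps=0 accepts only the code for the current 30-second step."""
    secret, _options, emergency = parse_secret_file(secret_text)
    if code in emergency:
        # Emergency code: valid exactly once. The caller must persist the shortened list.
        return PAM_SUCCESS, [c for c in emergency if c != code]
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(secret, now // TIME_STEP + delta)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return PAM_SUCCESS, emergency
    return PAM_AUTH_ERR, emergency
```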