How PAM determines system password and 2FA OTP2019 Community Moderator ElectionWhat does “Cannot make/remove an entry for the specified session” mean?ACL for a binddn user for PAM?Unable to login with password as well as otp in pam moduleUsing pam_listfile.so with radius authenticationCalling a password checking command from PHP using exec() - how to escape user input?389 ldap client authentication issue [CENTOS 7]Disable password complexity check (PAM)PAM: Authentication failure, with valid passwordUbuntu 16 Sudo SU Incorrect Password AttemptsAbout PAM authentication using sssd
Calculating the number of days between 2 dates in Excel
How do ultrasonic sensors differentiate between transmitted and received signals?
What is the opposite of 'gravitas'?
Pronouncing Homer as in modern Greek
Is there a problem with hiding "forgot password" until it's needed?
Meta programming: Declare a new struct on the fly
Is exact Kanji stroke length important?
Are taller landing gear bad for aircraft, particulary large airliners?
Can somebody explain Brexit in a few child-proof sentences?
Is it okay / does it make sense for another player to join a running game of Munchkin?
In Star Trek IV, why did the Bounty go back to a time when whales were already rare?
What does the "3am" section means in manpages?
Is there enough fresh water in the world to eradicate the drinking water crisis?
Is there a good way to store credentials outside of a password manager?
Why isn't KTEX's runway designation 10/28 instead of 9/27?
How to check participants in at events?
Greatest common substring
Reply ‘no position’ while the job posting is still there (‘HiWi’ position in Germany)
Blender - show edges angles “direction”
What is the term when two people sing in harmony, but they aren't singing the same notes?
How do I repair my stair bannister?
Is infinity mathematically observable?
Is the next prime number always the next number divisible by the current prime number, except for any numbers previously divisible by primes?
The most efficient algorithm to find all possible integer pairs which sum to a given integer
How PAM determines system password and 2FA OTP
2019 Community Moderator ElectionWhat does “Cannot make/remove an entry for the specified session” mean?ACL for a binddn user for PAM?Unable to login with password as well as otp in pam moduleUsing pam_listfile.so with radius authenticationCalling a password checking command from PHP using exec() - how to escape user input?389 ldap client authentication issue [CENTOS 7]Disable password complexity check (PAM)PAM: Authentication failure, with valid passwordUbuntu 16 Sudo SU Incorrect Password AttemptsAbout PAM authentication using sssd
I configured freeradius+google auth otp
Below are content of /etc/pam.d/radiusd
auth requisite pam_google_authenticator.so
forward_pass auth required pam_unix.so use_first_pass
I was wondering how pam differentiates systempassword and otp code "s3cretpAss77123456" and use to authenticate against correct password combination since there are not delimiters in between those two passwords.
linux pam google
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
add a comment |
I configured freeradius+google auth otp
Below are content of /etc/pam.d/radiusd
auth requisite pam_google_authenticator.so
forward_pass auth required pam_unix.so use_first_pass
I was wondering how pam differentiates systempassword and otp code "s3cretpAss77123456" and use to authenticate against correct password combination since there are not delimiters in between those two passwords.
linux pam google
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
add a comment |
I configured freeradius+google auth otp
Below are content of /etc/pam.d/radiusd
auth requisite pam_google_authenticator.so
forward_pass auth required pam_unix.so use_first_pass
I was wondering how pam differentiates systempassword and otp code "s3cretpAss77123456" and use to authenticate against correct password combination since there are not delimiters in between those two passwords.
linux pam google
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
I configured freeradius+google auth otp
Below are content of /etc/pam.d/radiusd
auth requisite pam_google_authenticator.so
forward_pass auth required pam_unix.so use_first_pass
I was wondering how pam differentiates systempassword and otp code "s3cretpAss77123456" and use to authenticate against correct password combination since there are not delimiters in between those two passwords.
linux pam google
linux pam google
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
edited 2 days ago
satch_boogie
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
asked Mar 22 at 17:05
satch_boogiesatch_boogie
165213
165213
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
The Google authentication modifies the password. The codes are a fixed length so it can strip the correct number of characters from the password when it authenticates the code. This way other modules are never confused by seeing the extra characters.
The password is then passed to other modules without the code appended.
PAM itself has no idea that there are two passwords in the same string.
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
am i correct if i understand like this - ' the google pam module strips the last 6 chars from password+otp combination ...and rest of things in authentication continue'
– satch_boogie
Mar 22 at 17:56
Almost right. It does some verification agains 8 digit by trying both. Take a look at github.com/google/google-authenticator-libpam/blob/master/src/…
– nwildner
Mar 22 at 18:02
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f508033%2fhow-pam-determines-system-password-and-2fa-otp%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The Google authentication modifies the password. The codes are a fixed length so it can strip the correct number of characters from the password when it authenticates the code. This way other modules are never confused by seeing the extra characters.
The password is then passed to other modules without the code appended.
PAM itself has no idea that there are two passwords in the same string.
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
am i correct if i understand like this - ' the google pam module strips the last 6 chars from password+otp combination ...and rest of things in authentication continue'
– satch_boogie
Mar 22 at 17:56
Almost right. It does some verification agains 8 digit by trying both. Take a look at github.com/google/google-authenticator-libpam/blob/master/src/…
– nwildner
Mar 22 at 18:02
add a comment |
The Google authentication modifies the password. The codes are a fixed length so it can strip the correct number of characters from the password when it authenticates the code. This way other modules are never confused by seeing the extra characters.
The password is then passed to other modules without the code appended.
PAM itself has no idea that there are two passwords in the same string.
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
am i correct if i understand like this - ' the google pam module strips the last 6 chars from password+otp combination ...and rest of things in authentication continue'
– satch_boogie
Mar 22 at 17:56
Almost right. It does some verification agains 8 digit by trying both. Take a look at github.com/google/google-authenticator-libpam/blob/master/src/…
– nwildner
Mar 22 at 18:02
add a comment |
The Google authentication modifies the password. The codes are a fixed length so it can strip the correct number of characters from the password when it authenticates the code. This way other modules are never confused by seeing the extra characters.
The password is then passed to other modules without the code appended.
PAM itself has no idea that there are two passwords in the same string.
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
The Google authentication modifies the password. The codes are a fixed length so it can strip the correct number of characters from the password when it authenticates the code. This way other modules are never confused by seeing the extra characters.
The password is then passed to other modules without the code appended.
PAM itself has no idea that there are two passwords in the same string.
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
answered Mar 22 at 17:21
Philip CoulingPhilip Couling
2,2821022
2,2821022
am i correct if i understand like this - ' the google pam module strips the last 6 chars from password+otp combination ...and rest of things in authentication continue'
– satch_boogie
Mar 22 at 17:56
Almost right. It does some verification agains 8 digit by trying both. Take a look at github.com/google/google-authenticator-libpam/blob/master/src/…
– nwildner
Mar 22 at 18:02
add a comment |
am i correct if i understand like this - ' the google pam module strips the last 6 chars from password+otp combination ...and rest of things in authentication continue'
– satch_boogie
Mar 22 at 17:56
Almost right. It does some verification agains 8 digit by trying both. Take a look at github.com/google/google-authenticator-libpam/blob/master/src/…
– nwildner
Mar 22 at 18:02
am i correct if i understand like this - ' the google pam module strips the last 6 chars from password+otp combination ...and rest of things in authentication continue'
– satch_boogie
Mar 22 at 17:56
am i correct if i understand like this - ' the google pam module strips the last 6 chars from password+otp combination ...and rest of things in authentication continue'
– satch_boogie
Mar 22 at 17:56
Almost right. It does some verification agains 8 digit by trying both. Take a look at github.com/google/google-authenticator-libpam/blob/master/src/…
– nwildner
Mar 22 at 18:02
Almost right. It does some verification agains 8 digit by trying both. Take a look at github.com/google/google-authenticator-libpam/blob/master/src/…
– nwildner
Mar 22 at 18:02
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f508033%2fhow-pam-determines-system-password-and-2fa-otp%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
-google, linux, pam
