Hi everyone,
I am new to OpenSuse. I inherited an OpenSuse 12.3 server with OpenVPN and Google Authenticator PAM module installed. It seems that after a reboot (a power failure/reset), no user, including root, can log in locally without google authenticator. I am told this was not the intended behavior and the previous admin fixed this manually by editing PAM config files, and since he didn’t use “pam-config”, the changes are overwritten after a reboot.
I have since cloned this VM and logged in using “init=/bin/bash” on the GRUB command line and see the following in /var/log/messages:
hostname login(pam_google_authenticator)[1497]: Failed to read "/root/.google_authenticator"
hostname login[1396]: FAILED LOGIN SESSION FROM tty1 FOR root, Cannot make/remove an entry for the specified session
I was not very well informed on PAM so I read guides and man pages of PAM authentication, and from the little understanding I have, I looked for anything related to pam_google_authenticator.so mentioned anywhere in the common-* PAM files in /etc/pam.d, i.e. common-auth, common-account, common-password and common-session, as well as in the login and sshd files, and found no entry of it. So I am wondering why is it that google_authenticator is involved in logging in locally when it is not invoked in any of the PAM config files? And how do I change this behavior? And would it be best to just disable “pam-config” by unlinking common-* files and manually edit files so the changes remain next time this server reboots?
Ultimately, we’d like to be able to use google authenticator for OpenVPN clients/users only, and not for the users that try to log in over SSH/console. How do we accomplish that?
Thank you for reading. I am hoping to fix this issue as well as learn something new in the process, so please consider this in your reply.
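The search described in the post can be widened to every file under the PAM directory, following `include` and `substack` lines and resolving symlinks, so a module reached indirectly still shows up against the service that pulls it in. This is an added example, not part of the original post; the function names, the `otp-stack` file and the sample directory contents are constructed for illustration.

```python
import os
import re
import tempfile

# "type control module-path": control is a word or a [bracketed] list
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def module_hits(pam_dir, service, module, only=None, seen=None):
    """List (file, line, type) where `module` is reached from `service`."""
    seen = set() if seen is None else seen
    # realpath: common-* files may be symlinks (e.g. to pam-config's common-*-pc)
    path = os.path.realpath(os.path.join(pam_dir, service))
    if (path, only) in seen or not os.path.isfile(path):
        return []
    seen.add((path, only))
    hits = []
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            m = RULE.match(raw.split("#", 1)[0].strip())
            # an include of type X only pulls in the type-X lines of its target
            if not m or (only and m.group(1) != only):
                continue
            kind, control, target = m.groups()
            if control in ("include", "substack"):
                hits += module_hits(pam_dir, target, module, kind, seen)
            elif os.path.basename(target) == module:
                hits.append((os.path.basename(path), lineno, kind))
    return hits

def scan(pam_dir, module="pam_google_authenticator.so"):
    """Map each service file in pam_dir to the places it reaches `module`."""
    found = {s: module_hits(pam_dir, s, module) for s in sorted(os.listdir(pam_dir))}
    return {s: h for s, h in found.items() if h}

def demo():
    """Run scan() over a constructed PAM directory (not the poster's files)."""
    sample = {
        "common-auth-pc": "auth required pam_unix.so try_first_pass\n",
        "login": "auth include common-auth\naccount include common-auth\n",
        "otp-stack": "# hypothetical file\nauth required pam_google_authenticator.so\n",
        "openvpn": "auth include otp-stack\naccount required pam_unix.so\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in sample.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        os.symlink("common-auth-pc", os.path.join(d, "common-auth"))
        return scan(d)
```

On a real system, `scan("/etc/pam.d")` lists each service file together with the file, line number and rule type where the module is actually configured; backslash-continued lines are not handled.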