-1

I have a requirement to use a TOTP-based authentication on some RedHat 8.7 servers running vsFTPd. I've managed to get TOTP working with vsFTPd on Debian / Ubuntu, but haven't had any luck so far on RedHat. I have been able to get TOTP working on SSH logins, and that is rather well documented online. I've even managed to get it working with SELinux enabled :) But I've had zero luck in configuring vsFTPd's PAM on RedHat systems even with SELinux disabled.

The default /etc/pam.d/vsftpd file on RedHat looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

I've tried adding auth required pam_google_authenticator.so secret=/home/${USER}/.google_authenticator nullok.

If at the beginning of the PAM file, I can no longer log in to FTP at all; it asks for a password, but neither the code nor the unix password work. If I put it at the end, it's not used and the normal unix password is enough.

My target configuration is to have it where should there be a secret .google_authenticator config file for the user logging in, then this is used instead of the unix password. If there is no config file, then the normal unix password is used. I think this is required as FTP doesn't normally allow for MFA so only a single entry for a password can work.

Any ideas on where to look?

tfboy
  • 1
  • 1

2 Answers2

0

After some trial and error, I have figured out that if I comment out auth include password-auth, then this allows the TOTP to work. However, if there is no TOTP set up for the user, then there is no password check at all - type in any password and it logs in, so this isn't the answer.

I guess I need an "either or" auth on password-auth and pam_google_authenticator.

tfboy
  • 1
  • 1
0

OK, I think I've found the solution. Using the sufficient flag with the GA module and having this just before the normal Unix password auth seems to work.

In this case, for accounts which have the TOTP set up, they can use either their TOTP or normal Unix password. For accounts that don't have TOTP, they just use their Unix password. Using the wrong password doesn't give a successful logon.

Here's what I've ended up with for now:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
auth       sufficient   pam_google_authenticator.so secret=/home/${USER}/.google_authenticator
auth       include      password-auth
tfboy
  • 1
  • 1