NAME
pam_google_authenticator - PAM module for Google two-factor authentication

SYNOPSIS
pam_google_authenticator.so [secret=file] [authtok_prompt=prompt] [user=username] [no_strict_owner] [allowed_perm=0nnn] [debug] [try_first_pass|use_first_pass|forward_pass] [noskewadj] [no_increment_hotp] [nullok] [echo_verification_code]

DESCRIPTION
The pam_google_authenticator module protects user authentication with a second factor, either time-based (TOTP) or counter-based (HOTP). Before logging in, the user is asked for both their password and a one-time code. Such one-time codes can be generated with the Google Authenticator application installed on the user's Android device. To generate and verify those one-time codes, a randomly generated secret key must be shared between the device on which the codes are generated and the system on which this PAM module is enabled.

Depending on its configuration (see OPTIONS), this module requires that a secret file be set up manually for each account on the system. This secret file holds the secret key and user-specific options (see google-authenticator(1)). Unless the nullok option is used, authentication attempts are rejected if no such secret file exists. Alternatively, a system administrator may create those secret files on behalf of the users and then communicate the secret keys to them.

OPTIONS
secret=file
By default, the PAM module looks for the secret file in the .google_authenticator file within the home directory of the user logging in. This option overrides that location. The provided location may include the following short-hands:
${HOME}  home directory of the user logging in
${USER}  name of the user logging in

authtok_prompt=prompt
Overrides the prompt shown when asking for the one-time code. Note that if spaces are present in the provided prompt, the whole argument must be wrapped in square brackets.

user=username
By default, the secret file of the user being authenticated is used. This option makes the module use the secret file of username instead.

no_strict_owner
By default, the secret file must be owned by the user logging in. This option disables this check.

allowed_perm=0nnn
By default, the secret file must be readable only by its owner (i.e. mode 0600). This option allows a different mode to be specified for this file. Note that anyone able to read the secret file can generate valid one-time codes, so loosening this mode defeats the second factor for every local user who gains read access.

debug
Logs diagnostic messages while the module runs.

try_first_pass|use_first_pass|forward_pass
Because some PAM clients cannot prompt the user for more than just the password, the following stacking options may be used:
try_first_pass: use the password already collected by a previous module as the one-time code; if it does not verify, prompt for the code.
use_first_pass: use the password already collected by a previous module as the one-time code; if it does not verify, fail without prompting.
forward_pass: read the password and the one-time code from a single password prompt, strip the one-time code off the end, and forward the remaining password to the next module in the stack.

noskewadj
By default, the PAM module makes an attempt to compensate for time skew between the server and the device on which one-time passcodes are generated. This option disables this behavior. Note that this option is only relevant for time-based (TOTP) mode.

no_increment_hotp
In some circumstances, failed passwords still get an OTP prompt. This option disables counter incrementation in such situations. Note that this option is only relevant for counter-based (HOTP) mode.

nullok
During the initial roll-out process, not all users may have created a secret key yet. This option allows them to log in even if the secret file doesn't exist. Note that while nullok is set, any account without a secret file is protected by its password alone, so remove the option once the roll-out is complete.

echo_verification_code
By default, the one-time code is not echoed as it is typed. This option echoes it.
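The following Python model, added here as an illustration and not part of the pam_google_authenticator source, shows what the DESCRIPTION and the options above amount to at verification time: the HOTP/TOTP computation (RFC 4226/6238 with the RFC test key), the skew window that noskewadj disables, the HOTP counter advance that no_increment_hotp withholds, the ownership and mode checks behind no_strict_owner and allowed_perm, and the nullok path. The secret-file layout it parses (base32 key on the first line, option lines beginning with `" `) and the function names are assumptions of this example; the real module is written in C and its exact checks may differ.

```python
"""Model of pam_google_authenticator's verification logic (added example, not the module's code)."""
import base64
import hashlib
import hmac
import os
import stat
import struct
import tempfile

STEP_SECONDS = 30   # TOTP time step used by the Google Authenticator app
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def _well_formed(code: str) -> bool:
    return code.isascii() and code.isdigit() and len(code) == DIGITS


def verify_totp(secret: bytes, code: str, now: int, skew_window: int = 1):
    """RFC 6238 TOTP check. Returns the accepted skew in time steps, or None.
    skew_window=0 models the noskewadj option: only the current step is accepted."""
    if not _well_formed(code):
        return None
    step = now // STEP_SECONDS
    for skew in range(-skew_window, skew_window + 1):
        if hmac.compare_digest(hotp(secret, step + skew), code):
            return skew
    return None


def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 3):
    """HOTP check with a look-ahead window. Returns the counter the server should
    persist next (matched counter + 1), or None. Persisting it is the step the
    module skips under no_increment_hotp in the situations the man page describes."""
    if not _well_formed(code):
        return None
    for c in range(counter, counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def check_secret_file(path, allowed_perm=0o600, strict_owner=True, expected_uid=None):
    """Ownership and mode checks as the OPTIONS section describes them (assumed simplification):
    the owner must be the user logging in unless no_strict_owner, and no mode bit
    outside allowed_perm may be set."""
    st = os.stat(path)
    owner = os.getuid() if expected_uid is None else expected_uid
    if strict_owner and st.st_uid != owner:
        return False
    return stat.S_IMODE(st.st_mode) & ~allowed_perm == 0


def load_secret_file(path):
    """Parse the secret file: base32 key on the first line, '" KEY args' option lines (assumed layout)."""
    secret, options = None, {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith('" '):
                key, *args = line[2:].split()
                options[key] = args
            elif line and secret is None:
                secret = base64.b32decode(line)
    return secret, options


def make_sample_secret_file(mode=0o600):
    """Constructed sample file: the RFC 6238 test key '12345678901234567890' in base32, TOTP mode."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" TOTP_AUTH\n" RATE_LIMIT 3 30\n')
    os.chmod(path, mode)
    return path


def authenticate(path, code, now, nullok=False, skew_window=1, allowed_perm=0o600, strict_owner=True):
    """Whole-module decision: 'success', 'nullok' (no secret file and nullok set) or 'fail'."""
    if not os.path.exists(path):
        return "nullok" if nullok else "fail"
    if not check_secret_file(path, allowed_perm, strict_owner):
        return "fail"   # a readable-by-others or foreign-owned secret file is rejected
    secret, options = load_secret_file(path)
    if "HOTP_COUNTER" in options:
        counter = int(options["HOTP_COUNTER"][0])
        return "success" if verify_hotp(secret, code, counter) is not None else "fail"
    return "success" if verify_totp(secret, code, now, skew_window) is not None else "fail"


if __name__ == "__main__":
    p = make_sample_secret_file()
    print(authenticate(p, "287082", 59))                  # success: RFC 6238 vector at t=59
    print(authenticate(p, "359152", 91))                  # success: previous step, within skew window
    print(authenticate(p, "359152", 91, skew_window=0))   # fail: same code with noskewadj
```

The test vectors come from RFC 4226 (counter 1 gives 287082, counter 2 gives 359152) and RFC 6238 (t=59 is time step 1). Running the same 0600 check against a file created with mode 0644 returns False unless allowed_perm is widened to 0644, which is exactly the trade the allowed_perm option makes.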
MODULE TYPE PROVIDED
Only the auth module type is provided.

RETURN VALUES

EXAMPLES
The following lines may be used to enable this PAM module:
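An added example of such a stack (not this man page's own listing), for a service file under /etc/pam.d; the secret= path and the use of nullok are illustrative choices:

```text
# Both modules are 'required', not 'requisite', so that the one-time code is
# always prompted for even when the password is wrong (see SECURITY NOTES).
auth required pam_unix.so
auth required pam_google_authenticator.so

# Variant: secrets kept outside home directories, owned by root, and users
# without a secret file admitted during roll-out. Drop nullok afterwards.
# auth required pam_google_authenticator.so secret=/var/lib/google-authenticator/${USER} no_strict_owner nullok
```

With the first form, a wrong password still yields a one-time code prompt, and the stack only returns failure after both modules have run.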
SECURITY NOTES
For highest security, make sure that both the password and the one-time code are requested even if the password and/or the one-time code is incorrect. This means that at least the first of pam_unix.so (or whatever other module is used to verify passwords) and pam_google_authenticator.so should be set as required, not requisite. A requisite module that fails ends the stack immediately, so the user would never be prompted for the second factor and an attacker could learn which of the two factors was wrong. Keep the secret file readable only by its owner: anyone who can read it can generate valid one-time codes.

SEE ALSO
google-authenticator(1).

The Google Authenticator source code and all documentation may be downloaded from <https://github.com/google/google-authenticator-libpam>.