Tuesday, January 22, 2013

Fedora 18 Google 2 factor authentication problems.

If you have upgraded to Fedora 18 and are having some trouble logging in with the open source Google 2 factor PAM and Authenticator app, look at your display manager's login window and make sure that the time is set properly.

I recently upgraded from Fedora 17 to 18 and noticed that it set my workstation to network time by default. In Fedora 18 the network card by default will not make a connection until the user logs in. (Assuming this is a measure to prevent hacking attempts/exploits.) So naturally the workstation was not on the same time as my phone, thereby far surpassing the 1 minute and 30 second time sync differential (which can go up to 4 minutes depending on how you set up your .google_authenticator conf file).

So I appended to the kernel arguments by pressing 'e' on the current kernel at the GRUB screen to edit the arguments. I used '-a single' followed by pressing F10 to boot the machine into single user mode. I then removed the pam_google_authenticator.so line from the gdm-password file located in /etc/pam.d. This allowed me to log in with just my user password. After successfully logging into the machine I turned off network time, set my time zone to EST, and then re-entered pam_google_authenticator.so back into the gdm-password file. I logged out to test it, and then it started working fine.

There are ways of getting the machine to connect to the network before or during the display manager's login window, but these are outside the scope of this article. Luckily, if you log out and have any services running as a daemon, most specifically under root for good measure, these services will continue to run. This article was intended for those using Fedora as a desktop workstation rather than a server. There are also ways of stopping one from booting into single user mode from GRUB, though booting this way usually requires physical access. If you don't have sensitive information on your workstation, I would not recommend disabling single user arguments, just in case of scenarios like this.
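The clock mismatch described above can be reproduced offline. The following is an added example, not code from the original post or from the PAM module: it implements RFC 6238 TOTP and checks a code from a correctly set "phone" against a verifier whose clock is off by a given number of seconds. The key is the RFC 6238 test key, the timestamp is constructed, and the window sizes 3 and 17 are assumed values chosen to correspond to the post's 1 minute 30 second and 4 minute figures.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, not a real secret
PHONE_TIME = 1358870400  # constructed timestamp for the phone's (correct) clock


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, verifier_time, window=3):
    """Return the step offset at which the code matched, or None.

    Assumed model: `window` consecutive codes centred on the verifier's
    own clock, so window=3 accepts the previous, current and next code.
    """
    for skew in range(-((window - 1) // 2), window // 2 + 1):
        candidate = totp(secret_b32, verifier_time + skew * STEP)
        if hmac.compare_digest(candidate, code):
            return skew
    return None


def login_outcomes(clock_errors, window=3):
    """Map each workstation clock error (seconds) to the verify() result."""
    code = totp(SECRET, PHONE_TIME)  # what the phone app displays
    return {err: verify(SECRET, code, PHONE_TIME + err, window)
            for err in clock_errors}


if __name__ == "__main__":
    for window in (3, 17):
        for err, skew in login_outcomes([0, 30, 60, 240, 600], window).items():
            result = "rejected" if skew is None else f"accepted at step {skew:+d}"
            print(f"window={window:2d} clock error {err:+4d}s: {result}")
```

A workstation clock that is ten minutes off is rejected under both window sizes, which is why correcting the clock, rather than widening the window, is the fix.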