Fedora Linux 38 (Workstation). I’m trying to set up 2FA with google-authenticator for user login. I’ve tried the gdm-password and Login files, but all I can get it to do is ask for a verification code, and the code won’t work. Adding it for SSH works fine, so I don’t know which files or which lines I need to change in order for login to work. Any tips/advice would be greatly appreciated.
I’ve only used it for SSH myself. But I wonder if the problem could be SELinux-related?
I remember noticing a special SELinux rule for google authenticator.
$ grep google-authenticator /etc/selinux/targeted/contexts/files/file_contexts
/var/lib/google-authenticator(/.*)? system_u:object_r:var_auth_t:s0
Maybe try adding a line like the following in your PAM login service configuration?
auth requisite pam_google_authenticator.so secret=/var/lib/google-authenticator/${USER} echo_verification_code
You’ll need to make the directory first.
$ sudo mkdir /var/lib/google-authenticator
$ sudo chmod 1777 /var/lib/google-authenticator
Oh. And you’ll need to specify the location for the auth file by using google authenticator’s -s option.
For example:
$ google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l "${USER}@$(hostname)" -Q utf8 -s "/var/lib/google-authenticator/${USER}"
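Added example, not part of either post: a shell check for the secret file that the PAM line above points at. It verifies that the file mode is 0400 or 0600 (pam_google_authenticator refuses anything more permissive by default) and that the file carries the var_auth_t type from the file_contexts line above; the function names and the optional CONTEXT argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Function names are hypothetical.
# Type taken from the file_contexts line quoted in the reply.
EXPECTED_TYPE="var_auth_t"

# Print the SELinux type (third colon-separated field) of a context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only for modes the PAM module accepts by default (0400 or 0600).
mode_ok() {
    case "$1" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# check_secret FILE [CONTEXT]
# CONTEXT overrides the label read from disk (assumption: lets the check be
# exercised on hosts without SELinux). Returns 0 when every check passes.
check_secret() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "FAIL: $f is not a regular file"; return 1; }
    mode=$(stat -c %a "$f")
    mode_ok "$mode" || { echo "FAIL: mode $mode is not 0400 or 0600"; rc=1; }
    ctx=${2:-$(stat -c %C "$f" 2>/dev/null || true)}
    case "$ctx" in
        *:*:*:*)
            t=$(selinux_type "$ctx")
            [ "$t" = "$EXPECTED_TYPE" ] ||
                { echo "FAIL: SELinux type is $t, expected $EXPECTED_TYPE"; rc=1; } ;;
        *)
            echo "NOTE: no SELinux context available for $f" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Example: sh check.sh "/var/lib/google-authenticator/$USER"
if [ $# -gt 0 ]; then
    check_secret "$1"
fi
```

If the type check fails, `sudo restorecon -Rv /var/lib/google-authenticator` reapplies the label defined by the file_contexts rule.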