You are not logged in.
- Topics: Active | Unanswered
#1 2019-11-24 07:11:10
- hoWlExat
- Member
- Registered: 2019-11-15
- Posts: 35
[SOLVED] 2FA ssh w/Google Authenticator not generating correct codes
I'm following the Google Authenticator guide referenced from the ssh guide for hardening my ssh security.
I get to the point where I run the `google-authenticator` command in the terminal, which generates a QR code (if you want to scan it with your phone's 2FA app) and a key (if you want to enter it manually into your phone's 2FA app).
I've tried both scanning the QR code and manually entering the key into both Authy and Google Authenticator (2FA phone apps). Both methods in both apps end up with the same generated codes (to use to authenticate), as expected.
However, the codes don't authenticate when I type them into the next prompt from the `google-authenticator` command run in the computer terminal. It tells me what the correct code was, but it's not what was in my 2FA app.
My computer has its time set to UTC, and I am not currently in the UTC time zone. I wouldn't think this would have an effect, but it's all I can currently hypothesize.
Does anyone know why this is happening and/or how to fix it? Thank you! 
Last edited by hoWlExat (2019-11-24 23:48:45)
Offline
#2 2019-11-24 13:01:59
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 13,326
Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes
What is the output of timedatectl ?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
#3 2019-11-24 22:56:58
- hoWlExat
- Member
- Registered: 2019-11-15
- Posts: 35
Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes
$ timedatectl
Local time: Mon 2019-11-25 00:51:46 UTC
Universal time: Mon 2019-11-25 00:51:46 UTC
RTC time: Mon 2019-11-25 00:51:46
Time zone: UTC (UTC, +0000)
System clock synchronized: no
NTP service: inactive
RTC in local TZ: noLast edited by hoWlExat (2019-11-24 22:58:03)
Offline
#4 2019-11-24 23:12:08
- Slithery
- Administrator
- From: Norfolk, UK
- Registered: 2013-12-01
- Posts: 5,776
Offline
#5 2019-11-24 23:46:02
- hoWlExat
- Member
- Registered: 2019-11-15
- Posts: 35
Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes
Seeing the previous output of my `timedatectl` command, I looked into the NTP wiki page to configure and start the `ntpd.service`. After doing this, my `timedatectl` output still unexpectedly says the NTP service is inactive, etc.:
$ timedatectl
Local time: Sun 2019-11-24 23:39:08 UTC
Universal time: Sun 2019-11-24 23:39:08 UTC
RTC time: Mon 2019-11-25 01:39:49
Time zone: UTC (UTC, +0000)
System clock synchronized: no
NTP service: inactive
RTC in local TZ: no
$ systemctl status ntpd
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset>
Active: active (running) since Mon 2019-11-25 01:30:57 UTC; 1h 50min left
...However, `timedatectl` must be referencing some other NTP service, as my times appear to be synchronized. Running the `google-authenticator` command, scanning the QR code on my phone's 2FA app, and then verifying the generated code in the `google-authenticator` prompt, now works!
Thank you everyone! It was a time sync issue, after all.
Last edited by hoWlExat (2019-11-24 23:46:33)
Offline
#6 2019-11-25 15:17:36
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 13,326
Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes
NTP service: inactiveTimedatectl uses that field to show the status of the systemd-timesyncd service.
timedatectl also has commands to manage/query systemd-timesyncd .
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline