You are not logged in.

#1 2019-11-24 07:11:10

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

[SOLVED] 2FA ssh w/Google Authenticator not generating correct codes

I'm following the Google Authenticator guide referenced from the ssh guide for hardening my ssh security.

I get to the point where I run the `google-authenticator` command in the terminal, which generates a QR code (if you want to scan it with your phone's 2FA app) and a key (if you want to enter it manually into your phone's 2FA app).

I've tried both scanning the QR code and manually entering the key into both Authy and Google Authenticator (2FA phone apps). Both methods in both apps end up with the same generated codes (to use to authenticate), as expected.

However, the codes don't authenticate when I type them into the next prompt from the `google-authenticator` command run in the computer terminal. It tells me what the correct code was, but it's not what was in my 2FA app.

My computer has its time set to UTC, and I am not currently in the UTC time zone. I wouldn't think this would have an effect, but it's all I can currently hypothesize.

Does anyone know why this is happening and/or how to fix it? Thank you! smile

Last edited by hoWlExat (2019-11-24 23:48:45)

Offline

#2 2019-11-24 13:01:59

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes

What is the output of timedatectl ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#3 2019-11-24 22:56:58

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes

$ timedatectl
               Local time: Mon 2019-11-25 00:51:46 UTC
           Universal time: Mon 2019-11-25 00:51:46 UTC
                 RTC time: Mon 2019-11-25 00:51:46
                Time zone: UTC (UTC, +0000)
System clock synchronized: no
              NTP service: inactive
          RTC in local TZ: no

Last edited by hoWlExat (2019-11-24 22:58:03)

Offline

#4 2019-11-24 23:12:08

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes

Your UTC is one hour fast, it's currently 23:12...


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#5 2019-11-24 23:46:02

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes

Seeing the previous output of my `timedatectl` command, I looked into the NTP wiki page to configure and start the `ntpd.service`. After doing this, my `timedatectl` output still unexpectedly says the NTP service is inactive, etc.:

$ timedatectl
               Local time: Sun 2019-11-24 23:39:08 UTC
           Universal time: Sun 2019-11-24 23:39:08 UTC
                 RTC time: Mon 2019-11-25 01:39:49
                Time zone: UTC (UTC, +0000)
System clock synchronized: no
              NTP service: inactive
          RTC in local TZ: no

$ systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset>
   Active: active (running) since Mon 2019-11-25 01:30:57 UTC; 1h 50min left
   ...

However, `timedatectl` must be referencing some other NTP service, as my times appear to be synchronized. Running the `google-authenticator` command, scanning the QR code on my phone's 2FA app, and then verifying the generated code in the `google-authenticator` prompt, now works!

Thank you everyone! It was a time sync issue, after all.

Last edited by hoWlExat (2019-11-24 23:46:33)

Offline

#6 2019-11-25 15:17:36

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: [SOLVED] 2FA ssh w/Google Authenticator not generating correct codes

NTP service: inactive

Timedatectl uses that field to show the status of the systemd-timesyncd service.
timedatectl also has commands to manage/query systemd-timesyncd .


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

Board footer

Powered by FluxBB