Apache module generating the wrong TOTP codes

Tony Arcieri

Jul 9, 2013, 3:58:17 PM
to google-authentica...@googlegroups.com
Hi there,

I've been trying to get this module to work for a while and I've been running into some problems.

I'm using Google Authenticator on iOS to generate the codes. I've verified it's generating the correct codes for a given secret key using the TOTP debugger here:


^^^ matches the codes on my phone. I've also looked in my Apache logs and verified that the Time/Timestamp on the TOTP debugger page (which is running on the same computer I'm running Apache on) match the Now= and T= values in the Apache logs.

As far as I am able to ascertain, this isn't a clock skew issue. iOS and the JS debugger match, and the timestamps in the JS debugger match the ones Apache is using. iOS matches the JS debugger, but the iOS codes do not match up with the ones generated by the Apache module.

I have also triple checked the secret key matches up. It was directly copied and pasted from the secret key file that Apache is successfully finding into both the JS debugger and iOS. No hand entry was used. The original source of truth for the token is the file Apache is using.

I'm seeing messages like this in my logs:

[Tue Jul 09 12:39:16 2013] [error] [client ::1] **** PW AUTH at  T=1373398756  user  "joeblow"
[Tue Jul 09 12:39:16 2013] [error] [client ::1] Secret Key is "(null)" @ T=45779958
[Tue Jul 09 12:39:16 2013] [error] [client ::1] Checking codes  @ T=45779958 "281296" vs.  "389611"
[Tue Jul 09 12:39:16 2013] [error] [client ::1] Checking codes  @ T=45779958 "973869" vs.  "389611"
[Tue Jul 09 12:39:16 2013] [error] [client ::1] Checking codes  @ T=45779958 "483281" vs.  "389611"
[Tue Jul 09 12:39:16 2013] [error] [client ::1] Checking codes  @ T=45779958 "481038" vs.  "389611"
[Tue Jul 09 12:39:16 2013] [error] [client ::1] Checking codes  @ T=45779958 "55357" vs.  "389611"
[Tue Jul 09 12:39:16 2013] [error] [client ::1] Validating for  "389611" Shared Key  "(null)"
[Tue Jul 09 12:39:16 2013] [error] [client ::1] user joeblow: authentication failure for "/": Password Mismatch

Secret Key is "(null)" seemed a bit suspect at first, but I've double checked that it is successfully finding and reading the secret key.

I have tried both upper case and lower case Base32 in the password file. I have tried adding and removing trailing newlines. Nothing seems to work.

Any ideas? My Apache config is as follows:

       AuthType Basic
       AuthName "Google Authenticator"
       AuthBasicProvider "google_authenticator"
       Require valid-user
       GoogleAuthUserPath /usr/local/etc/apache2/ga_auth
       GoogleAuthCookieLife 3600
       GoogleAuthEntryWindow 2
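
An independent RFC 6238 reference for cross-checking the candidates in "Checking codes" log lines like those above, as an added example that is not part of the original post or the module's code. It assumes HMAC-SHA1, a 30-second step, six digits, and that an entry window of 2 means steps T-2 through T+2; the secret and log lines in it are constructed from the RFC 6238 test key.

```python
import base64, hashlib, hmac, re, struct

STEP, DIGITS = 30, 6  # assumed: 30 s step, 6 digits, HMAC-SHA1 (RFC 6238 defaults)
LOG_RE = re.compile(r'Checking codes\s+@ T=(\d+) "(\d+)" vs\.\s+"(\d+)"')

def decode_secret(b32):
    """Base32-decode a secret, ignoring case, whitespace and missing padding."""
    s = "".join(b32.split()).upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded to DIGITS."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)

def reference_codes(b32, unix_time, window=2):
    """Map time step -> code for T-window .. T+window (assumed window meaning)."""
    key, t = decode_secret(b32), unix_time // STEP
    return {t + d: hotp(key, t + d) for d in range(-window, window + 1)}

def compare(b32, unix_time, log_lines, window=2):
    """Compare candidates logged by the module with the reference codes."""
    ref = set(reference_codes(b32, unix_time, window).values())
    hits = [m for m in map(LOG_RE.search, log_lines) if m]
    # Left-pad logged candidates: the log above contains a five-digit value.
    logged = {m.group(2).zfill(DIGITS) for m in hits}
    return {
        "t_matches": all(int(m.group(1)) == unix_time // STEP for m in hits),
        "shared": sorted(logged & ref),
        "module_only": sorted(logged - ref),
        "reference_only": sorted(ref - logged),
    }

# Constructed sample input: the RFC 6238 test key and two made-up log lines.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # Base32 of "12345678901234567890"
NOW = 1234567890                             # T = 41152263
SAMPLE_LOG = [
    '[client ::1] Checking codes  @ T=41152263 "5924" vs.  "005924"',
    '[client ::1] Checking codes  @ T=41152263 "123456" vs.  "005924"',
]

if __name__ == "__main__":
    for step, code in sorted(reference_codes(SECRET, NOW).items()):
        print(step, code)
    print(compare(SECRET, NOW, SAMPLE_LOG))
```

If `t_matches` is true and `shared` is empty, the two sides agree on the time step but are not using the same key bytes or the same algorithm parameters.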