Google 2-factor authentication not working for NoMachine


Viewing 8 posts - 1 through 8 (of 8 total)
    #15596
    Solidcore87
    Participant

    Any help would be much appreciated. I have been using NoMachine with Google 2-factor authenticator for about a year to connect to my home Linux workstation. I recently upgraded my workstation from Debian 8 to 9, and a few weeks later I’m unable to connect with 2fa. I can enter my name and password, am then prompted for my 2fa code, use my 6-digit code, and it tells me the code is wrong. I reinstalled both NoMachine and libpam-google-authenticator on my workstation, then reinstalled the Google 2fa app on my phone. Still not able to authenticate on multiple devices with 2fa. This is both local in the LAN and over WAN via my ddns forward.

    What worked so solidly for a full year now will only work with a username/password combo. No 2fa, which was a big selling point for me to use this solution over WAN. But I’m not sure if this is an issue with NoMachine or google-authenticator?

    I followed these instructions here to set it up and reinstall.

    https://www.nomachine.com/AR12L00828

    #15682
    Cato
    Participant

    Hello Solidcore87,

    It’s highly unlikely that your problem with Google Authenticator comes from NoMachine. Did you check if it’s possible to authenticate with an authenticator code using a different service, e.g. SSH? Can you check for the presence of a .google_authenticator~ file in the user’s home directory? It’s known that if this file exists, it can prevent the authentication.

    #15820
    Solidcore87
    Participant

    I will test 2fa with ssh tomorrow, no .google_authenticator~

    So I notice now, testing, that if I remove the 2fa line from the nx PAM config then I can log in fine with username/password. If I add the 2fa line back in the nx PAM config I can’t log in with username/password; it errors with

    “Authentication failed, please try again. When joining a domain, don’t forget to specify the username as domain\user.”

    I don’t have a domain set and only one user account on the computer.

    #15825
    Solidcore87
    Participant

    Tested with ssh and 2fa. That works fine with my google authenticator.

    I then turned off the google 2fa in nx pam file. Logged in with my username (manny) and password fine; sends me right to my desktop.

    I then turned 2fa back on in the nx pam file, tried to log in and it failed, telling me this here: “authentication failed, please try again”. (Now, this is a different error than it has been telling me, which has been “Authentication failed, please try again. When joining a domain, don’t forget to specify the username as domain\user.” This device is not part of a domain at all.)

    After the last failed login I checked the logs at “/usr/NX/var/log/nxserver.log”, which tells me:

    768 2017-09-19 20:29:55 340.626  3025 NXSERVER WARNING! Process '/usr/NX/bin/nxexec --auth' with pid '3047/3047' finished with exit code 1 after 1,911 seconds.
    769 2017-09-19 20:29:55 341.362  3025 NXSERVER ERROR! Error while trying to authenticate user: manny using authentication method password. NXNssUserManager::auth returned 1
    770 2017-09-19 20:29:55 341.933  3025 NXSERVER ERROR! wrong 'nxexec authentication' for user 'manny' from '10.0.0.77'.
    771 2017-09-19 20:29:55 342.199  3025 NXSERVER ERROR! Sending error message 'NX> 404 ERROR: Wrong password or Login.'
    772 2017-09-19 20:30:17 025.940  3051 NXSERVER WARNING! Cannot write to FD#8.
    773 2017-09-19 20:30:17 026.353  3051 NXSERVER WARNING! Error is: 32, 'Broken pipe'.
    774 2017-09-19 20:30:17 026.937  3051 NXSERVER ERROR! username is not in the expected format.
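
    As an added example (not part of the original post and not NoMachine code), this Python script correlates the nxserver.log lines quoted above by server process ID into one record per rejected login, which is useful for reviewing failed remote logins by user and source address. The regular expressions are assumptions derived only from the seven lines shown in the post.

```python
import re

# Constructed sample: the nxserver.log lines quoted in the post above, with the
# editor line numbers dropped and wrapped words rejoined.
SAMPLE_LOG = """\
2017-09-19 20:29:55 340.626  3025 NXSERVER WARNING! Process '/usr/NX/bin/nxexec --auth' with pid '3047/3047' finished with exit code 1 after 1,911 seconds.
2017-09-19 20:29:55 341.362  3025 NXSERVER ERROR! Error while trying to authenticate user: manny using authentication method password. NXNssUserManager::auth returned 1
2017-09-19 20:29:55 341.933  3025 NXSERVER ERROR! wrong 'nxexec authentication' for user 'manny' from '10.0.0.77'.
2017-09-19 20:29:55 342.199  3025 NXSERVER ERROR! Sending error message 'NX> 404 ERROR: Wrong password or Login.'
2017-09-19 20:30:17 025.940  3051 NXSERVER WARNING! Cannot write to FD#8.
2017-09-19 20:30:17 026.353  3051 NXSERVER WARNING! Error is: 32, 'Broken pipe'.
2017-09-19 20:30:17 026.937  3051 NXSERVER ERROR! username is not in the expected format.
"""

# Web forums often render ' as curly quotes and -- as an en dash; undo that.
DETYPOGRAPH = str.maketrans({"\u2018": "'", "\u2019": "'", "\u2013": "--"})

# Optional leading editor line number, timestamp, fraction, server PID, message.
LINE = re.compile(r"^(?:\d+\s+)?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+\.\d+\s+"
                  r"(?P<pid>\d+) NXSERVER (?:WARNING|ERROR)! (?P<msg>.*)$")
EXIT = re.compile(r"nxexec --auth' with pid '[^']*' finished with exit code (\d+)")
METHOD = re.compile(r"authenticate user: (\S+) using authentication method (\w+)\.")
REJECT = re.compile(r"wrong 'nxexec authentication' for user '([^']*)' from '([^']*)'")

def failed_logins(text):
    """Return one record per rejected login, correlated by nxserver PID."""
    context, events = {}, []
    for raw in text.translate(DETYPOGRAPH).splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ctx = context.setdefault(m["pid"], {})
        msg = m["msg"]
        if (hit := EXIT.search(msg)):
            ctx["helper_exit"] = int(hit[1])      # exit status of the auth helper
        elif (hit := METHOD.search(msg)):
            ctx["method"] = hit[2]                # e.g. "password"
        elif (hit := REJECT.search(msg)):
            events.append({"time": m["ts"], "user": hit[1], "source": hit[2],
                           "method": ctx.get("method"),
                           "helper_exit": ctx.get("helper_exit")})
            context.pop(m["pid"], None)           # start fresh for the next attempt
    return events

if __name__ == "__main__":
    for event in failed_logins(SAMPLE_LOG):
        print(event)
```
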

    #15829
    Cato
    Participant

    Hello Solidcore87,

    Start a terminal as a non-root user, enter the ‘/usr/NX/bin’ directory and run the ‘./nxexec --auth’ command. This will start the authentication process. Can you successfully authenticate here? Gather the output of the command, and remember to obscure sensitive information. Additionally, gather NoMachine server logs according to https://www.nomachine.com/DT07M00098#1. Send the logs and command output to forum[at]nomachine[dot]com.

    #16011
    Solidcore87
    Participant

    Sorry about the late response. I will be collecting the log files in the next few days.

    Thank you for working with me. I really would like this working.

    #16015
    Britgirl
    Keymaster

    We’ll monitor for logs from you 🙂

    #16058
    Solidcore87
    Participant

    Was able to get it working. Loaded a backup of my pam.d folder and it’s now working. I think it was the “required” parameter in the nx PAM file.

This topic was marked as solved.