
How to show the user a PAM module’s errors when attempting SSH authentication?

I have set up TOTP 2FA authentication on my VPS, mostly thanks to this answer.

I’ve been testing the authentication to see if my setup works as intended and it does, and when looking through /var/log/auth.log, I’ve noticed that the Google Authenticator PAM module logged its errors there, such as this one:

sshd(pam_google_authenticator)[4793]: Trying to reuse a previously used time-based code. ("/home/siph/.google_authenticator")Retry again in 30 seconds. Warning! This might mean, you are currently subject to a man-in-the-middle attack.

This looks like it is meant to be addressed to the user attempting to authenticate; however, when they make a failed attempt to log in, no message detailing the error is printed, and they are just prompted for their token again:

(siph@<host>) Verification code: 999999
(siph@<host>) Verification code:

Is there any way in the SSH or PAM configurations to change this behavior so those error messages are shown to the user? Or is there any reason why this wouldn’t be desirable?

Thank you.
