[SOLVED] Failed to verify TOTP challenge

cglmicro

Member
Oct 12, 2020
Hi.
On one of my PBS, the 2FA (TOTP) stopped working.
I had to SSH and "mv /etc/proxmox-backup/tfa.json /etc/proxmox-backup/tfa.json_backup" to be able to log back in.
Now I'm trying to add 2FA again in PBS > CONFIGURATION > ACCESS CONTROL > TWO FACTOR AUTHENTICATION, but I always get "FAILED TO VERIFY TOTP CHALLENGE" when I scan the code and try to verify it.

Any idea where I can start my tests?
 
Hi,
I had to SSH and "mv /etc/proxmox-backup/tfa.json /etc/proxmox-backup/tfa.json_backup" to be able to log back in.
FYI, there's pveum user tfa delete <userid> too to avoid deleting all of the users second factors, but just one of them (for multi user PVE setups).

Any idea where I can start my tests?
Is the time synchronised on the server? E.g., check systemctl status chrony (chrony has been our default NTP daemon for a while, but there could be others too for older installations or if it got manually switched). For a quick check it may be enough to execute the date command.

If that's not the case then a full pveversion -v output plus details about the TOTP client used and possibly journal/syslog entries around the time of login could be interesting. Also, any recent upgrade done or other change made in the setup or its environment?
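Why a drifting server clock produces exactly this error is easiest to see by running the TOTP algorithm (RFC 4226 HOTP under RFC 6238 time steps) with a deliberately skewed server time. The following is an added example written for this thread, not Proxmox code: the base32 secret is constructed, the acceptance window of one 30-second step on either side is an assumption about the verifying server (not a documented PBS value), and the Unix timestamp is taken from the audit log lines quoted later in the thread.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret, base32-encoded as it would appear in an otpauth:// URI.
# Not a real key; any 16-char base32 string works for the demonstration.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # RFC 6238 time step in seconds
DIGITS = 6     # code length used by the common authenticator apps
WINDOW = 1     # assumed server tolerance: +/- one step of clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, code: str, server_time: int, window: int = WINDOW) -> bool:
    """Accept the code if it matches any step within +/- window of the server's own clock.
    Uses a constant-time comparison so a wrong guess does not leak how many digits matched."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def skew_outcome(skew_seconds: int, client_time: int = 1656621917) -> bool:
    """The phone's clock is correct; the server's clock is off by skew_seconds.
    Returns whether the server would accept the code the phone currently shows.
    1656621917 is the epoch time from the audit log entries in this thread."""
    code = totp(DEMO_SECRET_B32, client_time)
    return verify_totp(DEMO_SECRET_B32, code, client_time + skew_seconds)


if __name__ == "__main__":
    for skew in (0, 20, 90, -300, 3600):
        print(f"server clock off by {skew:>5}s -> accepted: {skew_outcome(skew)}")
```

A few tens of seconds of drift still fall inside the window and go unnoticed, which is why a dead NTP daemon only shows up as a login failure once the clock has wandered far enough; by then every freshly enrolled secret fails too, because enrolment verifies a code against the same skewed clock.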
 
You are probably right.
Chrony is not installed on my server, but NTP is and it's not working:
Code:
root@pbs102:~# systemctl status ntp
● ntp.service
     Loaded: masked (Reason: Unit ntp.service is masked.)
     Active: failed (Result: exit-code) since Thu 2022-06-30 16:45:17 EDT; 1min 53s ago
        CPU: 15ms

Jun 30 16:45:17 pbs102 systemd[1]: Starting Network Time Service...
Jun 30 16:45:17 pbs102 systemd[1]: ntp.service: Control process exited, code=exited, status=1/FAILURE
Jun 30 16:45:17 pbs102 systemd[1]: ntp.service: Failed with result 'exit-code'.
Jun 30 16:45:17 pbs102 systemd[1]: Failed to start Network Time Service.
Code:
root@pbs102:~# systemctl start ntp
Failed to start ntp.service: Unit ntp.service is masked.

root@pbs102:~# journalctl -xe | grep ntp
Jun 30 16:45:17 pbs102 systemd[1]: ntp.service: Control process exited, code=exited, status=1/FAILURE
░░ An ExecStart= process belonging to unit ntp.service has exited.
Jun 30 16:45:17 pbs102 systemd[1]: ntp.service: Failed with result 'exit-code'.
░░ The unit ntp.service has entered the 'failed' state with result 'exit-code'.
░░ Subject: A start job for unit ntp.service has failed
░░ A start job for unit ntp.service has finished with a failure.
Jun 30 16:45:17 pbs102 kernel: audit: type=1400 audit(1656621917.631:32): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=4061380 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jun 30 16:45:17 pbs102 kernel: audit: type=1400 audit(1656621917.631:33): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=4061380 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jun 30 16:45:17 pbs102 kernel: audit: type=1400 audit(1656621917.631:34): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=4061380 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jun 30 16:45:17 pbs102 kernel: audit: type=1400 audit(1656621917.631:35): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=4061380 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jun 30 16:45:17 pbs102 kernel: audit: type=1400 audit(1656621917.631:36): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" p

Thank you.
 
SOLVED !
It was a conflict with APPARMOR solved with this:
Code:
ln -s /etc/apparmor.d/usr.sbin.ntpd /etc/apparmor.d/disable/ 
apparmor_parser -R /etc/apparmor.d/usr.sbin.ntpd
 
I had problems because the Hetzner firewall didn't let NTP through, so it looks like only Hetzner's NTP servers work:
ntp1.hetzner.de
ntp2.hetzner.com
ntp3.hetzner.net
Then it stopped working after the time change. For SSH (PAM) it was enough to set the time back locally to get the correct TOTP, but on the web the TOTP was blocked.
Thanks to this post I found the correct solution:
pveum user tfa unlock <user-id>
To see the lock, use:
pveum user list
Thanks :)
 
