Google Authenticator reset

mangaskahn
OpenVpn Newbie
Posts: 1
Joined: Wed Mar 19, 2014 6:42 pm

Google Authenticator reset

Post by mangaskahn » Wed Mar 19, 2014 6:53 pm

I have a user who was configured to use Google Authenticator who got a new phone and needs to move their token to it. Can anyone tell me how I can reset their account so that they can rescan the QR code? I have been through every page of the admin interface and don't see an option to reset a user's secret. I even tried disabling GA on the server and re-enabling it hoping it would possibly reset all of the users. Any thoughts?

Linqan
OpenVpn Newbie
Posts: 1
Joined: Tue Apr 15, 2014 12:13 pm

Re: Google Authenticator reset

Post by Linqan » Tue Apr 15, 2014 12:19 pm

I too have been looking into this without any result.

casey.richins
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 17, 2014 6:18 pm

Re: Google Authenticator reset

Post by casey.richins » Thu Apr 17, 2014 6:31 pm

If you are using OpenVPN Access Server you can disable the Google auth on a per-user basis by modifying the user database directly. There are a number of scripts located in /usr/local/openvpn_as/scripts (Debian default); one of the commands that allows database modification/viewing is 'confdba'. This is how I disabled the auth temporarily on a user. You could also use the dba command tool to retrieve the authenticator secret, due to it not being stored in encrypted fashion. While passwords are encrypted/hashed in the db, the Google auth secret is not.

# cd /usr/local/openvpn_as/scripts
# ./confdba -us -p <username> # Retrieve current user properties
# ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p <username>  # Disable Google Auth for User

After executing the above, the user should be able to log in to the web connect to retrieve their Google auth app, or rescan their QR code. BE VERY CAREFUL when modifying the database, you could seriously screw up your database if you don't know what you're doing, requiring a complete reinstall.

OKBdrift
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 30, 2015 8:08 am

Re: Google Authenticator reset

Post by OKBdrift » Thu Apr 30, 2015 8:11 am

Thanks a lot for this explanation, casey.richins.

shadowlesshand
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 06, 2017 6:43 pm

Re: Google Authenticator reset

Post by shadowlesshand » Tue Jun 06, 2017 6:50 pm

I know this is an old post but this comes up as one of the only results to a search for how to deal with a user who needs to rescan his Google Authenticator key.

Here's a relevant link to a number of cli commands which can address common issues when using Google Authenticator with OpenVPN:
Google Authenticator FAQ

In order to reset a user's GA credentials to allow them to log in and scan a new QR code, the command would be:

./sacli -u <USER> GoogleAuthRegen

On my host the sacli command is located in: /usr/local/openvpn_as/scripts/

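Added example, not part of the thread and not OpenVPN Access Server code: a minimal RFC 6238 TOTP check illustrating two points raised above. A stored secret that is readable in plain form is enough to compute valid codes, and regenerating the secret is what stops the old phone's codes from verifying. Both secrets are constructed (the first is the RFC 6238 test key), and the one-step acceptance window is an assumption, since the page does not say how Access Server verifies codes.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the Google Authenticator default

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 over the 30-second time counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * STEP), submitted)
        for i in range(-window, window + 1)
    )

# Constructed secrets: the RFC 6238 test key, and a stand-in for a regenerated one.
OLD_SECRET = base64.b32encode(b"12345678901234567890").decode()
NEW_SECRET = base64.b32encode(b"constructed-new-key!").decode()

def demo(now: int = 1111111109):
    """Return (old code accepted before regen, old code accepted after regen)."""
    code_from_old_phone = totp(OLD_SECRET, now)
    before = verify(OLD_SECRET, code_from_old_phone, now)
    after = verify(NEW_SECRET, code_from_old_phone, now)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Because the code depends only on the secret and the clock, a database that stores the secret in readable form needs the same access controls and backup handling as a password store.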