Google Authenticator reset

mangaskahn
OpenVpn Newbie
Posts: 1
Joined: Wed Mar 19, 2014 6:42 pm

Google Authenticator reset

Post by mangaskahn » Wed Mar 19, 2014 6:53 pm

I have a user who was configured to use Google Authenticator who got a new phone and needs to move their token to it. Can anyone tell me how I can reset their account so that they can rescan the QR code? I have been through every page of the admin interface and don't see an option to reset a user's secret. I even tried disabling GA on the server and re-enabling it hoping it would possibly reset all of the users. Any thoughts?

Linqan
OpenVpn Newbie
Posts: 1
Joined: Tue Apr 15, 2014 12:13 pm

Re: Google Authenticator reset

Post by Linqan » Tue Apr 15, 2014 12:19 pm

I too have been looking into this without any result.

casey.richins
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 17, 2014 6:18 pm

Re: Google Authenticator reset

Post by casey.richins » Thu Apr 17, 2014 6:31 pm

If you are using OpenVPN Access Server you can disable the Google auth on a per-user basis by modifying the user database directly. There are a number of scripts located in /usr/local/openvpn_as/scripts (Debian default); one of the commands that allows database modification/viewing is 'confdba'. This is how I disabled the auth temporarily on a user. You could also use the dba command tool to retrieve the authenticator secret, due to it not being stored in an encrypted fashion. While passwords are encrypted/hashed in the db, the Google auth secret is not.

# cd /usr/local/openvpn_as/scripts
# ./confdba -us -p <username>  # Retrieve current user properties
# ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p <username>  # Disable Google Auth for user

After executing the above, the user should be able to log in to the web connect to retrieve their Google auth app or rescan their QR code. BE VERY CAREFUL when modifying the database: you could seriously screw up your database if you don't know what you're doing, requiring a complete reinstall.

OKBdrift
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 30, 2015 8:08 am

Re: Google Authenticator reset

Post by OKBdrift » Thu Apr 30, 2015 8:11 am

Thanks a lot for this explanation, casey.richins.

shadowlesshand
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 06, 2017 6:43 pm

Re: Google Authenticator reset

Post by shadowlesshand » Tue Jun 06, 2017 6:50 pm

I know this is an old post but this comes up as one of the only results to a search for how to deal with a user who needs to rescan his Google Authenticator key.

Here's a relevant link to a number of cli commands which can address common issues when using Google Authenticator with OpenVPN:
Google Authenticator FAQ

In order to reset a user's GA credentials to allow them to log in and scan a new QR code, the command would be:

./sacli -u <USER> GoogleAuthRegen
On my host the sacli command is located in: /usr/local/openvpn_as/scripts/

openvpnuser8
OpenVpn Newbie
Posts: 1
Joined: Sat Oct 28, 2017 5:55 am

Re: Google Authenticator reset

Post by openvpnuser8 » Sat Oct 28, 2017 5:58 am

I hope that this will help anyone using OpenVPN AS on Ubuntu 16.04 in AWS to reset Google Authenticator for an OpenVPN user:

cd /usr/local/openvpn_as/scripts/ # Go to OpenVPN AS Scripts directory
sudo ./sacli --user USERNAME GoogleAuthRegen # Replace USERNAME with username to get a new Google Authenticator Secret 

leonembark
OpenVpn Newbie
Posts: 1
Joined: Tue Mar 13, 2018 4:49 pm

Re: Google Authenticator reset

Post by leonembark » Tue Mar 13, 2018 4:52 pm

I used the above `./sacli` command to successfully reset Google Authenticator for a user, but neither connecting normally nor logging into the admin requires the use of the Google Authenticator code. They just log straight in.

Am I missing something?

mbeck
OpenVpn Newbie
Posts: 1
Joined: Thu Jul 05, 2018 3:23 pm

Re: Google Authenticator reset

Post by mbeck » Thu Jul 05, 2018 3:36 pm

leonembark, I'll put the steps I used below to help a user with a new phone obtain a new GA code.
  • ssh into the OpenVPN server

cd /usr/local/openvpn_as/scripts/
sudo ./sacli --user <USER> GoogleAuthRegen

  • Tell the user to log out (if logged in), then log in and scan the QR code to finalize setup of MFA
  • After they have scanned the QR code with the new device, they should click the button at the bottom of the screen, "I scanned the QR code"
  • This should return the user to the login page listed above with the prompt saying "Ready to connect with Google Authenticator code"
  • Have the user log in with the new MFA code
One last thing: have the user remove the old GA code associated with the old device, as this will serve to eliminate confusion going forward.

bthurber
OpenVpn Newbie
Posts: 8
Joined: Thu May 25, 2017 12:21 pm

Re: Google Authenticator reset

Post by bthurber » Wed Jul 25, 2018 10:55 am

For those of you on AWS, here's a nifty AWS Systems Manager Document that can be used to unlock Google Authenticator for a user. Simply add this Document to Systems Manager and run it with an instance and the username of the user to unlock. This requires installation of the SSM agent on each OpenVPN instance. You'll probably need to read up on the AWS Systems Manager docs, but it is well worth it for this and a whole host of other use cases.

Systems Manager Doc to Unlock Google Authenticator

{
	"schemaVersion": "2.2",
	"description": "Unlock the Google Authenticator for a given Username. After doing this, the user must login to the OpenVPN server with their browser and scan the barcode.",
	"parameters": {
		"Username": {
			"description": "Username of the user to unlock",
			"minChars": 3,
			"type": "String"
		}
	},
	"mainSteps": [
		{
			"action": "aws:runShellScript",
			"name": "OpenVPNASUnlockGoogleAuthenticator",
			"inputs": {
				"runCommand": [
					"#!/bin/bash",
					"cd /usr/local/openvpn_as/scripts",
					"./sacli -u {{ Username }} --lock 0 GoogleAuthLock"
				]
			},
			"precondition": {
				"StringEquals": [
					"platformType",
					"Linux"
				]
			}
		}
	]
}

AWS SSM agent install

cd /tmp
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
dpkg -i amazon-ssm-agent.deb
rm amazon-ssm-agent.deb
systemctl enable amazon-ssm-agent
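
In the Systems Manager document above, the Username parameter is substituted unchanged into a shell command line, and minChars is its only constraint. The variant below is an added example, not bthurber's document: it adds an allowedPattern so that only plain account names are accepted before the command ever runs, and quotes the substituted value in the runCommand line. The pattern and maxChars value are my choices; the sacli invocation is the one from the thread.

```json
{
  "schemaVersion": "2.2",
  "description": "Unlock Google Authenticator for one Access Server user. The Username value is restricted to plain account names before it reaches the shell.",
  "parameters": {
    "Username": {
      "type": "String",
      "description": "Account name to unlock: letters, digits, dot, underscore, hyphen and @ only",
      "minChars": 3,
      "maxChars": 64,
      "allowedPattern": "^[A-Za-z0-9._@-]+$"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "OpenVPNASUnlockGoogleAuthenticator",
      "precondition": {
        "StringEquals": ["platformType", "Linux"]
      },
      "inputs": {
        "runCommand": [
          "#!/bin/bash",
          "set -euo pipefail",
          "cd /usr/local/openvpn_as/scripts",
          "./sacli --user '{{ Username }}' --lock 0 GoogleAuthLock"
        ]
      }
    }
  ]
}
```

Systems Manager rejects a run whose parameter fails allowedPattern, so an unexpected value is logged as a failed invocation instead of being executed on the instance.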
