Google Authenticator reset

mangaskahn
OpenVpn Newbie
Posts: 1
Joined: Wed Mar 19, 2014 6:42 pm

Google Authenticator reset

Post by mangaskahn » Wed Mar 19, 2014 6:53 pm

I have a user who was configured to use Google Authenticator who got a new phone and needs to move their token to it. Can anyone tell me how I can reset their account so that they can rescan the QR code? I have been through every page of the admin interface and don't see an option to reset a user's secret. I even tried disabling GA on the server and re-enabling it hoping it would possibly reset all of the users. Any thoughts?

Linqan
OpenVpn Newbie
Posts: 1
Joined: Tue Apr 15, 2014 12:13 pm

Re: Google Authenticator reset

Post by Linqan » Tue Apr 15, 2014 12:19 pm

I too have been looking into this without any result.

casey.richins
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 17, 2014 6:18 pm

Re: Google Authenticator reset

Post by casey.richins » Thu Apr 17, 2014 6:31 pm

If you are using OpenVPN Access Server you can disable the Google auth on a per user basis by modifying the user database directly. There are a number of scripts located in /usr/local/openvpn_as/scripts (debian default), one of the commands that allows database modification/viewing is 'confdba'. This is how I disabled the auth temporarily on a user. You could also use the dba command tool to retrieve the authenticator secret, due to it not being stored in encrypted fashion. While passwords are encrypted/hashed in db, the Google auth secret is not.

# cd  /usr/local/openvpn_as/scripts
# ./confdba -us -p <username> # Retrieve current user properties
# ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p <username>  # Disable Google Auth for User
After executing the above, the user should be able to log in to the web connect to retrieve their Google auth app, or rescan their QR code. BE VERY CAREFUL when modifying the database, you could seriously screw up your database if you don't know what you're doing, requiring a complete reinstall.

OKBdrift
OpenVpn Newbie
Posts: 1
Joined: Thu Apr 30, 2015 8:08 am

Re: Google Authenticator reset

Post by OKBdrift » Thu Apr 30, 2015 8:11 am

Thanks a lot for this explanation, casey.richins.

shadowlesshand
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 06, 2017 6:43 pm

Re: Google Authenticator reset

Post by shadowlesshand » Tue Jun 06, 2017 6:50 pm

I know this is an old post but this comes up as one of the only results to a search for how to deal with a user who needs to rescan his Google Authenticator key.

Here's a relevant link to a number of cli commands which can address common issues when using Google Authenticator with OpenVPN:
Google Authenticator FAQ

In order to reset a user's GA credentials to allow them to login and scan a new QR code the command would be:

./sacli -u <USER> GoogleAuthRegen
On my host the sacli command is located in: /usr/local/openvpn_as/scripts/

openvpnuser8
OpenVpn Newbie
Posts: 1
Joined: Sat Oct 28, 2017 5:55 am

Re: Google Authenticator reset

Post by openvpnuser8 » Sat Oct 28, 2017 5:58 am

I hope that this will help anyone using OpenVPN AS on Ubuntu 16.04 in AWS to reset Google Authenticator for an OpenVPN user:

cd /usr/local/openvpn_as/scripts/ # Go to OpenVPN AS Scripts directory
sudo ./sacli --user USERNAME GoogleAuthRegen # Replace USERNAME with username to get a new Google Authenticator Secret 

leonembark
OpenVpn Newbie
Posts: 1
Joined: Tue Mar 13, 2018 4:49 pm

Re: Google Authenticator reset

Post by leonembark » Tue Mar 13, 2018 4:52 pm

I used the above `./sacli` command to successfully reset Google Authenticator for a user, but neither connecting normally nor logging into the admin requires the use of the Google Authenticator code. They just log straight in.

Am I missing something?

mbeck
OpenVpn Newbie
Posts: 1
Joined: Thu Jul 05, 2018 3:23 pm

Re: Google Authenticator reset

Post by mbeck » Thu Jul 05, 2018 3:36 pm

leonembark, I'll put the steps I used below to help a user with a new phone obtain a new GA code.
  • ssh into the openvpn server

cd /usr/local/openvpn_as/scripts/
sudo ./sacli --user <USER> GoogleAuthRegen
  • Tell the user to log out (if logged in) and use to log in and scan the QR code to finalize setup of MFA
  • After they scanned the QR code with the new device, they should click the button on the bottom of the screen "I scanned the QR code"
  • This should return the user to the login page listed above with the prompt saying "Ready to connect with Google Authenticator code"
  • Have the user log in with the new MFA code
One last thing, have the user remove the old GA code associated with the old device, as this will serve to eliminate confusion going forward.
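
The GoogleAuthRegen step from the posts above, wrapped in a small POSIX shell script, as an added example that is not from any poster in this thread: it rejects usernames containing shell metacharacters or a leading dash before they reach the sacli command line, writes a syslog line recording who reset whose secret, and has a DRY_RUN=1 mode that only prints the command. The install path (overridable via OPENVPN_AS_DIR), the script name and the syslog tag are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: wrapper around the
# "sacli --user <USER> GoogleAuthRegen" step posted above.
# Assumptions: Access Server lives under /usr/local/openvpn_as
# (override with OPENVPN_AS_DIR) and the caller may run sacli.
# DRY_RUN=1 prints the command instead of executing it.

OPENVPN_AS_DIR="${OPENVPN_AS_DIR:-/usr/local/openvpn_as}"

# Accept only characters usually found in Access Server usernames, so a
# value copied from a ticket or passed as a parameter cannot carry shell
# metacharacters or extra options into the sacli command line.
valid_username() {
    case "$1" in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;   # empty or unexpected chars
        -*)                     return 1 ;;   # would be parsed as an option
        *)                      return 0 ;;
    esac
}

# The exact command line that will run, one string, for dry runs and logs.
regen_command() {
    printf '%s/scripts/sacli --user %s GoogleAuthRegen\n' "$OPENVPN_AS_DIR" "$1"
}

# Regenerate the user's Google Authenticator secret.
# Returns 2 for a rejected username, 0 in dry-run mode, else sacli's status.
regen_google_auth() {
    user="$1"
    if ! valid_username "$user"; then
        printf 'refusing to regen: invalid username "%s"\n' "$user" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        regen_command "$user"
        return 0
    fi
    # Keep an audit trail of who reset whose secret (syslog tag is assumed).
    if command -v logger >/dev/null 2>&1; then
        logger -t ga-regen "GoogleAuthRegen user=$user by=${SUDO_USER:-$(id -un)}"
    fi
    "$OPENVPN_AS_DIR/scripts/sacli" --user "$user" GoogleAuthRegen
}

# Usage as a script: sudo ./regen_ga.sh <username>
if [ -n "${1:-}" ]; then
    regen_google_auth "$1"
fi
```

After the script reports success the user still has to log in to the client web portal and scan the new QR code, exactly as in the steps above.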

bthurber
OpenVpn Newbie
Posts: 15
Joined: Thu May 25, 2017 12:21 pm

Re: Google Authenticator reset

Post by bthurber » Wed Jul 25, 2018 10:55 am

For those of you on AWS, here's a nifty AWS Systems Manager Document that can be used to unlock Google Authenticator for a user. Simply add this Document to Systems Manager and Run it with an instance and the username of the user to unlock. This requires installation of the SSM agent on each OpenVPN instance. You'll probably need to read up on the AWS Systems Manager docs but it is well worth it for this and a whole host of other use cases.

Systems Manager Doc to Unlock Google Authenticator

{
    "schemaVersion": "2.2",
    "description": "Unlock the Google Authenticator for a given Username. After doing this, the user must login to the OpenVPN server with their browser and scan the barcode.",
    "parameters": {
        "Username": {
            "description": "Username of the user to unlock",
            "minChars": 3,
            "type": "String"
        }
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "OpenVPNASUnlockGoogleAuthenticator",
            "inputs": {
                "runCommand": [
                    "#!/bin/bash",
                    "cd /usr/local/openvpn_as/scripts",
                    "./sacli -u {{ Username }} --lock 0 GoogleAuthLock"
                ]
            },
            "precondition": {
                "StringEquals": [
                    "platformType",
                    "Linux"
                ]
            }
        }
    ]
}

AWS SSM agent install

cd /tmp
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
dpkg -i amazon-ssm-agent.deb
rm amazon-ssm-agent.deb
systemctl enable amazon-ssm-agent

sparrow_hawk
OpenVpn Newbie
Posts: 2
Joined: Mon Jun 26, 2017 11:39 am

Re: Google Authenticator reset

Post by sparrow_hawk » Wed Oct 23, 2019 1:17 pm

Put this in the Web GUI, please!

VinceBD
OpenVpn Newbie
Posts: 1
Joined: Tue Oct 12, 2021 12:49 pm

Re: Google Authenticator reset

Post by VinceBD » Tue Oct 12, 2021 1:30 pm

Every time I searched for this, I only found old replies, so I figured I'd give this as an update reply.

If you log into your OpenVPN web GUI and go to the Admin page and login there, you can access User Management > User Permissions. If you find the username of the person needing a new QR code, you can simply click the check box under the "Delete" column next to their name. Scroll to the bottom and click "Save Settings". Then scroll back to the top and click "Update Running Server".

This should remove the user from your currently running OpenVPN server. The user can then log back into the web portal to receive a new QR code.

Hope this helps!

jonathan.boucard
OpenVpn Newbie
Posts: 1
Joined: Wed Mar 02, 2022 10:24 am

Re: Google Authenticator reset

Post by jonathan.boucard » Wed Mar 02, 2022 10:33 am

VinceBD wrote:
Tue Oct 12, 2021 1:30 pm
Every time I searched for this, I only found old replies, so I figured I'd give this as an update reply.

If you log into your OpenVPN web GUI and go to the Admin page and login there, you can access User Management > User Permissions. If you find the username of the person needing a new QR code, you can simply click the check box under the "Delete" column next to their name. Scroll to the bottom and click "Save Settings". Then scroll back to the top and click "Update Running Server".

This should remove the user from your currently running OpenVPN server. The user can then log back into the web portal to receive a new QR code.

Hope this helps!
This is what I just had to do for a user who had a new phone and the Microsoft Authenticator needed re-registering - delete the user account, save, update running server in the Admin panel and ask them to log back in. The QR code was then presented and the new iPhone was registered and all was good. Thank you VinceBD :)
