Google Authenticator reset
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Mar 19, 2014 6:42 pm
Google Authenticator reset
I have a user who was configured to use Google Authenticator who got a new phone and needs to move their token to it. Can anyone tell me how I can reset their account so that they can rescan the QR code? I have been through every page of the admin interface and don't see an option to reset a user's secret. I even tried disabling GA on the server and re-enabling it hoping it would possibly reset all of the users. Any thoughts?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Apr 15, 2014 12:13 pm
Re: Google Authenticator reset
I too have been looking into this without any result.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Apr 17, 2014 6:18 pm
Re: Google Authenticator reset
If you are using OpenVPN Access Server you can disable the google auth on a per user basis by modifying the user database directly. There are a number of scripts located in /usr/local/openvpn_as/scripts (debian default), one of the commands that allows database modification/viewing is 'confdba'. This is how I disabled the auth temporarily on a user. You could also use the dba command tool to retrieve the authenticator secret, due to it not being stored in encrypted fashion. While passwords are encrypted/hashed in db, the google auth secret is not.
After executing the above, the user should be able to login to the web connect to retrieve their google auth app, or rescan their qr code. BE VERY CAREFUL when modifying the database, you could seriously screw up your database if you don't know what you're doing, requiring a complete reinstall.
Code: Select all
# cd /usr/local/openvpn_as/scripts
# ./confdba -us -p <username> # Retrieve current user properties
# ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p <username> # Disable Google Auth for User
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Apr 30, 2015 8:08 am
Re: Google Authenticator reset
Thanks a lot for this explanation, casey.richins.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jun 06, 2017 6:43 pm
Re: Google Authenticator reset
I know this is an old post but this comes up as one of the only results to a search for how to deal with a user who needs to rescan his Google Authenticator key.
Here's a relevant link to a number of cli commands which can address common issues when using Google Authenticator with OpenVPN:
Google Authenticator FAQ
In order to reset a user's GA credentials to allow them to login and scan a new QR code the command would be:
Code: Select all
./sacli -u <USER> GoogleAuthRegen
On my host the sacli command is located in: /usr/local/openvpn_as/scripts/
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sat Oct 28, 2017 5:55 am
Re: Google Authenticator reset
I hope that this will help anyone using OpenVPN AS on Ubuntu 16.04 in AWS to reset Google Authenticator for an OpenVPN user:
Code: Select all
cd /usr/local/openvpn_as/scripts/ # Go to OpenVPN AS Scripts directory
sudo ./sacli --user USERNAME GoogleAuthRegen # Replace USERNAME with username to get a new Google Authenticator Secret
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Mar 13, 2018 4:49 pm
Re: Google Authenticator reset
I used the above `./sacli` command to successfully reset Google Authenticator for a user, but neither connecting normally nor logging into the admin requires the use of the Google Authenticator code. They just log straight in.
Am I missing something?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jul 05, 2018 3:23 pm
Re: Google Authenticator reset
leonembark, I'll put the steps I used below to help a user with a new phone obtain a new GA code.
- ssh into the openvpn server
Code: Select all
cd /usr/local/openvpn_as/scripts/
sudo ./sacli --user <USER> GoogleAuthRegen
- Tell the user to logout (if logged in) and use to login and scan the QR code to finalize setup of MFA
- After they scanned the QR code with the new device, they should click the button on the bottom of the screen "I scanned the QR code"
- This should return the user to the login page listed above with the prompt saying "Ready to connect with Google Authenticator code"
- Have the user login with new MFA code
-
- OpenVpn Newbie
- Posts: 15
- Joined: Thu May 25, 2017 12:21 pm
Re: Google Authenticator reset
For those of you on AWS, here's a nifty AWS Systems Manager Document that can be used to unlock Google Authenticator for a user. Simply add this Document to Systems Manager and Run it with an instance and the username of the user to unlock. This requires installation of the SSM agent on each OpenVPN instance. You'll probably need to read up on the AWS Systems Manager docs but it is well worth it for this and a whole host of other use cases.
Systems Manager Doc to Unlock Google Authenticator
Code: Select all
{
  "schemaVersion": "2.2",
  "description": "Unlock the Google Authenticator for a given Username. After doing this, the user must login to the OpenVPN server with their browser and scan the barcode.",
  "parameters": {
    "Username": {
      "description": "Username of the user to unlock",
      "minChars": 3,
      "type": "String"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "OpenVPNASUnlockGoogleAuthenticator",
      "inputs": {
        "runCommand": [
          "#!/bin/bash",
          "cd /usr/local/openvpn_as/scripts",
          "./sacli -u {{ Username }} --lock 0 GoogleAuthLock"
        ]
      },
      "precondition": {
        "StringEquals": [
          "platformType",
          "Linux"
        ]
      }
    }
  ]
}
AWS SSM agent install
Code: Select all
cd /tmp
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
dpkg -i amazon-ssm-agent.deb
rm amazon-ssm-agent.deb
systemctl enable amazon-ssm-agent
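Every sacli procedure in this thread, including the Systems Manager document above, passes a username to the command line. The following wrapper is an added example, not part of any post or of OpenVPN Access Server: it checks the name against an allow-list before calling sacli with the two actions used on this page. The function names, the allow-list and the overridable SACLI variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: validate a username before it is handed to sacli.
# SACLI can be overridden so the functions can be exercised without a server.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"
export LC_ALL=C   # make the character ranges below byte-wise and ASCII-only

# valid_username NAME -> returns 0 if NAME passes the allow-list, 1 otherwise.
# Assumed policy: 3 to 64 characters from A-Z a-z 0-9 . _ @ - and no leading hyphen.
valid_username() {
    name=$1
    if [ "${#name}" -lt 3 ] || [ "${#name}" -gt 64 ]; then
        return 1
    fi
    case $name in
        -*) return 1 ;;                  # would be read by sacli as an option
        *[!A-Za-z0-9._@-]*) return 1 ;;  # any character outside the allow-list
    esac
    return 0
}

# ga_reset ACTION USER
#   regen  -> sacli --user USER GoogleAuthRegen
#   unlock -> sacli --user USER --lock 0 GoogleAuthLock
ga_reset() {
    action=$1
    user=$2
    if ! valid_username "$user"; then
        echo "ga_reset: username rejected by allow-list" >&2
        return 2
    fi
    case $action in
        regen)  "$SACLI" --user "$user" GoogleAuthRegen ;;
        unlock) "$SACLI" --user "$user" --lock 0 GoogleAuthLock ;;
        *)      echo "usage: ga_reset regen|unlock USER" >&2; return 64 ;;
    esac
}
```

In the Systems Manager document the `{{ Username }}` substitution happens before the shell runs, so the same allow-list belongs in the parameter's `allowedPattern` field there rather than in this function alone.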
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jun 26, 2017 11:39 am
Re: Google Authenticator reset
Put this in the Web GUI, please!
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Oct 12, 2021 12:49 pm
Re: Google Authenticator reset
Every time I searched for this, I only found old replies, so I figured, I'd give this as an update reply.
If you log into your OpenVPN web GUI and go to the Admin page and login there, you can access User Management > User Permissions. If you find the username of the person needing a new QR code, you can simply click the check box under the "Delete" column next to their name. Scroll to the bottom and click "Save Settings". Then scroll back to the top and click "Update Running Server".
This should remove the user from your currently running OpenVPN server. The user can then log back into the web portal to receive a new QR code.
Hope this helps!
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Mar 02, 2022 10:24 am
Re: Google Authenticator reset
This is what I just had to do for a user who had a new phone and the Microsoft Authenticator needed re-registering - delete the user account, save, update running server in the Admin panel and ask them to log back in. The QR code was then presented and the new iPhone was registered and all was good. Thank you VinceBD
VinceBD wrote: Tue Oct 12, 2021 1:30 pm
Every time I searched for this, I only found old replies, so I figured, I'd give this as an update reply.
If you log into your OpenVPN web GUI and go to the Admin page and login there, you can access User Management > User Permissions. If you find the username of the person needing a new QR code, you can simply click the check box under the "Delete" column next to their name. Scroll to the bottom and click "Save Settings". Then scroll back to the top and click "Update Running Server".
This should remove the user from your currently running OpenVPN server. The user can then log back into the web portal to receive a new QR code.
Hope this helps!