I am using the Google Authenticator PAM module with SSH login. My setup is working locally, over my home network. But when I install it on a public server, the time difference between the server and the client (the Google Authenticator Android app) causes OTP verification to fail. I am using time-based OTP codes. As the Google Authenticator PAM wiki says, if I enter the right OTP 3 times consecutively, then the server-side PAM module calculates the time skew and corrects it for all future logins, and it is working like that. But it will be a pain for every new user to enter the OTP 3 times. Is there any workaround?
I have OTP verification activated for my Gmail account, and that did not require me to enter the OTP three times. They must have made some changes to the Google Authenticator PAM module. Any pointers to solve this would be really helpful.
You can use event-based tokens (HOTP), which do not require precise timing on both server and client. This is unfortunately supported by the Google Authenticator PAM module, but there is also pam_oath from OATH Toolkit, which works quite fine with it. And all the applications (FreeOTP, Google Authenticator) support this option too.