I found a bug in sshd. I configured my SSH to use both key and password (and PAM). Recently I understood that it asks for the password but accepts anything! Any idea? Why?
This is /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin no
UsePAM yes
Banner /etc/ssh/motd
Subsystem sftp /usr/lib/ssh/sftp-server
AuthenticationMethods publickey,password
StreamLocalBindUnlink yes
Include /etc/ssh/sshd_groups
I expect that when it asks for a password it verifies it and doesn't accept a wrong password. But it accepts all kinds of passwords!
Related
So I've been reading up on configuring a CentOS 7 machine for 2 factor authentication for SSH, using pam_oath and the FreeOTP phone app, plus local usernames/password for the two factors. I've read various online articles, and all seem to follow the basic instructions listed in the following articles:
https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/
Before I do this on my main CentOS machine, I spun up a VirtualBox VM for testing, and did a minimum CentOS 7 install. I followed the instructions, and I get prompted for "One-time password (OATH)" credentials, but I noticed that I can input any alphanumeric string that's 6 characters or less for the OATH password, and it will then prompt me for my local username/password. And as long as I enter the local password correctly, I'm granted shell access.
Here are the steps I followed after the initial minimal CentOS 7 install (CentOS Linux release 7.7.1908 (Core)):
Install packages
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
Edit /etc/pam.d/sshd, adding the following line as the first non-commented line:
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
So first few lines of the /etc/pam.d/sshd look like this before:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
And after:
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
generate keys for my local account:
gen-oath-safe jdoe hotp
Add key to FreeOTP app on phone via QR code
Add the hex code to /etc/liboath/users.oath:
HOTP jdoe - REDACTED
edit the /etc/ssh/sshd_config file and make sure the following settings are in place:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
set SELinux permissions on /etc/liboath:
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
Restart SSH:
systemctl restart sshd
So when I SSH into this host, and enter any string 6 characters or less, I'm let through to login with the local password:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from REDACTED
[jdoe@pkcentos7 ~]
If I enter a string 7 characters or more for the OATH password, the following occurs:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
I've looked through various other articles returned from Google searches, and I don't clearly see a step or setting I'm missing.
Any help on this would be greatly appreciated. Thanks in advance, and if any additional information is needed, please let me know.
Paul
Change pam module control from sufficient to [success=done new_authtok_reqd=done default=die]
My pam line looks like:
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath
sshd_config:
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
ChallengeResponseAuthentication yes
Thanks for the reply! From looking at your sshd_config file, I assume that you're using a public key as part of the 2FA on your system. So I tweaked what you have above to work on my test system:
1) /etc/pam.d/sshd
auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
2) /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive:pam
Here's the output from the SSH login process after this change, where I:
1) purposely entered one-time password wrong
2) entered correct one-time, but wrong account password
3) correct one-time password, then correct account password
login as: jdoe
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Last failed login: Thu Apr 16 10:55:39 EDT 2020 from REDACTED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Apr 16 10:54:59 2020 from REDACTED
[jdoe@pkcentos7 ~]$
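Why the `sufficient` line let a wrong one-time password through, and why `default=die` stops it, shown as an added example that is not part of the original posts: a simplified walk of the PAM auth stack using the bracket equivalents of the control keywords from pam.conf(5). It assumes each module returns only success or PAM_AUTH_ERR and treats the `password-auth` substack as a single `required` step.

```python
import re

# Bracket equivalents of the simple control keywords, per pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "substack":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",  # simplification
}

# Auth stacks from the thread (the postlogin include is left out).
SUFFICIENT = """\
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
"""
DIE = """\
auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
"""

def parse(stack):
    """Yield (actions, module) for each auth line of a pam.d file."""
    for line in stack.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.strip())
        if m:
            ctrl = m.group(1).strip("[]")
            yield dict(p.split("=") for p in KEYWORDS.get(ctrl, ctrl).split()), m.group(2)

def authenticate(stack, results):
    """Walk the stack; results maps module name -> True (PAM_SUCCESS) or False (PAM_AUTH_ERR)."""
    failed, passed = False, False
    for actions, module in parse(stack):
        key = "success" if results.get(module, True) else "auth_err"
        action = actions.get(key, actions["default"])
        if action in ("bad", "die"):
            failed = True
            if action == "die":
                return False          # stop at once, nothing later is consulted
        elif action in ("ok", "done") and not failed:
            passed = True
            if action == "done":
                return True           # stop at once with success
    return passed and not failed
```

With `sufficient`, a failed pam_oath is ignored and the password alone decides, while a correct one-time password ends the stack before the password is ever checked.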
I would like to login ssh without password and key.
I have some specific settings on the sshd_config,
PasswordAuthentication yes
PermitEmptyPasswords yes
AllowUsers admin
AuthenticationMethods password
KbdInteractiveAuthentication no
But I was still asked for password. Is there a method to do that?
You need to allow anonymous or guest login and make the password empty.
Here is a topic that can answer your question.
This is what I need to realize:
key-based passwordless authentication for user root
password-based authentication for any other user than root
Server I need to have access to is running Debian 9 (stretch).
On my client I have created a keypair like this: ssh-keygen
This created the following files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
Now I copied the content of ~/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on the server and modified the keyfile with permission 600.
Then I modified the /etc/ssh/sshd_config on server by setting the following values:
PermitRootLogin without-password
PubkeyAuthentication yes
Now I restarted ssh service on server and tried the connection by ssh root@sub.domain.tld.
It still ends in password prompt for user root.
The outcome of ssh -vvv root@sub.domain.tld you can find here (Ubuntu Pastebin).
What did I miss to modify?
Kind regards
//neph
You should follow this tutorial, there's a lot of outdated ones. It worked for me on Ubuntu 19.04.
All you have to do is:
apt-get install libpam-google-authenticator.
Users who want to continue using ssh must each run the command google-authenticator. This tool interactively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).
Edit /etc/ssh/sshd_config. Set:
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):
UsePAM yes
PubkeyAuthentication yes
Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.
Edit /etc/pam.d/sshd and replace the line:
#include common-auth
with:
auth required pam_google_authenticator.so
That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.
I'm working on an embedded board (i.MX6) with a Yocto-based embedded Linux. So far I used Dropbear as SSH server. However, Dropbear doesn't provide an SFTP server, which I need. Therefore I switched from Dropbear to OpenSSH (built it from the standard Poky sources, and installed it via opkg).
However, since then I cannot login to the board via SSH anymore, because the server asks for a password, which I don't know. The only user is root, and it has no password configured (this is still true, because I can log in locally via RS232 without problems). Why does OpenSSH ask for a password? How can I remove that?
I thought that maybe there's a passphrase set in one of the private keys in /etc/ssh:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
So I did ssh-keygen -p -f /etc/ssh/ssh_host_rsa_key respectively for each of them, but it didn't help.
These are the essential pieces of the sshd_config file:
# grep '^[^#]' /etc/ssh/sshd_config
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation sandbox # Default for new installations.
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
Subsystem sftp /usr/lib/openssh/sftp-server
Any ideas?
Are you sure that you have debug-tweaks in your IMAGE_FEATURES or EXTRA_IMAGE_FEATURES?
If so, the ROOTFS_POSTPROCESS_COMMAND should include ssh_allow_empty_password(); which in turns should set PermitEmptyPasswords yes in /etc/ssh/sshd_config and /etc/ssh/sshd_config_readonly. That should allow you to use empty passwords with OpenSSH.
If you have "debug-tweaks" in your EXTRA_IMAGE_FEATURES then the password will be blank: this may be ok for development images.
If you want to have some security instead, you can either add a recipe that installs a public key to /root/.ssh/authorized_keys or use the extrausers class in an image recipe or local configuration to set the password.
I'm trying to configure my SSH server to require users to have an RSA key. To do this I have the settings in sshd_config set to
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
and
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
and
UsePAM no
Then I do sudo /etc/init.d/ssh restart to restart the server.
This seems to work to some degree, because I included my Mac's rsa_key and it lets me log in without asking for a password. However, when I try to ssh in through a computer that I haven't included the key of, it just prompts me for my password, and then when entered, lets me in.
What am I doing wrong?
I'd say you're not reloading your ssh config correctly. Which Linux distribution/version are you using (assuming you're even using Linux)?
In Ubuntu I usually do:
sudo restart ssh
OR
sudo service ssh restart
Additionally, though not germane to this question - ideally root should not have a password - you should be using sudo.
I think you also need
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin without-password
otherwise even if sshd does not ask itself for a password, it will trust PAM and login which will authenticate the user with its password.
While testing, make sure to have another way in in case a problem occurs with SSH...
And make sure you restart your server with /etc/init.d/sshd restart.
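A check for the settings these threads keep returning to, as an added example that is not from any of the posts: it reads sshd_config text and lists the methods that can still end in a password prompt. It assumes upstream OpenSSH defaults for missing keywords, ignores `Match` blocks and `Include` files, and assumes keyboard-interactive is served by PAM only; the sample inputs are constructed from the settings quoted above.

```python
# Upstream OpenSSH defaults for the keywords examined (distributions may ship others).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
    "permitemptypasswords": "no",
    "authenticationmethods": "any",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective(config_text):
    """Global settings: keywords are case-insensitive and the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":          # per-user overrides are out of scope here
            break
        seen.setdefault(key, " ".join(parts[1:]))
    return {**DEFAULTS, **seen}

def password_paths(config_text):
    """Methods that can end in a password prompt under this configuration."""
    cfg = effective(config_text)
    paths = []
    if cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # Assumption: on Linux builds keyboard-interactive is served by PAM only.
    if cfg["kbdinteractiveauthentication"] == "yes" and cfg["usepam"] == "yes":
        paths.append("keyboard-interactive")
    if cfg["authenticationmethods"] != "any":
        allowed = {m.split(":")[0] for m in cfg["authenticationmethods"].replace(",", " ").split()}
        paths = [p for p in paths if p in allowed]
    return paths

# Constructed inputs, taken from the settings quoted in the threads above.
KEY_ONLY = "ChallengeResponseAuthentication no\nPasswordAuthentication no\nUsePAM no\n"
YOCTO = "Protocol 2\nPermitRootLogin yes\nAuthorizedKeysFile .ssh/authorized_keys\n"
TWO_FACTOR = ("ChallengeResponseAuthentication yes\nPasswordAuthentication no\n"
              "AuthenticationMethods publickey,keyboard-interactive\nUsePAM yes\n")
```

An empty result for the file on disk while the server still offers a password points at the daemon not having reloaded it, or at another source (an `Include` file, a `Match` block) supplying the value.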