I am trying to restrict SSH access to server.
I started by configuring access.conf
cat /etc/security/access.conf | grep -v "#"
+:root (admins):ALL
+:root:LOCAL
+:root:192.168.8.5
+:linuxuser:192.168.8.11
+:linuxuser:192.168.9.12
-:ALL:ALL
Also, I added the following line to login.
account required pam_access.so
cat /etc/pam.d/login
#%PAM-1.0
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# To SSH access restricted I added the bellow line.
account required pam_access.so
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
Unfortunately, it's still possible to ssh from other IP addresses.
who
linuxuserpts/1 2022-10-11 12:50 (192.168.8.20)
What did I do wrong? Perhaps I missed something? Any advice is welcome!
I run Centos9.
Later edit: I added
UsePAM yes
to sshd_config
Still doesnt work.
Thank You!
Related
We are currently doing a POC where, ssh-key pairs is not allowed, meaning, we have to use password with strict 90 days password expiration imposed. So, as part of POC, assume the username is "acme", which is, we have to log into "bastion.example.com" host (ssh acme#bastion.example.com), after logging into bastion, again we have to log into target host, yes - from bastion, we run "ssh acme#machine.example.com".
Question mark - using ~/.ssh/config, how do we achieve this especially using "password replay" so that we dont have to provide password twice. With this, we can easily pass the script or command to be executed on the target host (using proxyCommand and remoteCommand).
Please share an example where we can perform "password replay".
I have implemented 2 factor authentication on a remote server using google-authenticator. Login from the web console succeeds after password and single verification code queries. But login from ssh asks for verification code 2 times. Login is successful only if 2 successive totp codes are provided.
I have used ssh -v <user#remotehost> to verify that ssh publickey authentication is successful before the first query for verification code is made.
Config file /etc/ssh/sshd_config has the following settings:
# to restrict root login via ssh
PasswordAuthentication no
PermitRootLogin no
# to enable login via 2FA
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Config file /etc/pam.d/sshd has the following settings
# Standard Un*x authentication.
# #include common-auth
# for 2FA auth
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
Commenting out auth required pam_google_authenticator.so nullok in /etc/pam.d/sshd removes the duplicate challenge.
Running google_authenticator adds the pam module to /etc/pam.d/common-session making it unnecessary to add it to ssh also.
I'm using ansible to provision my Centos 7 produciton cluster. Unfortunately, execution of below command results with ansible Tiemout and Linux Pluggable Authentication Modules (pam) error conversation failed.
The same ansible command works well, executed against virtual lab mad out of vagrant boxes.
Ansible Command
$ ansible master_server -m yum -a 'name=vim state=installed' -b -K -u lukas -vvvv
123.123.123.123 | FAILED! => {
"msg": "Timeout (7s) waiting for privilege escalation prompt: \u001b[?1h\u001b=\r\r"
}
SSHd Log
# /var/log/secure
Aug 26 13:36:19 master_server sudo: pam_unix(sudo:auth): conversation failed
Aug 26 13:36:19 master_server sudo: pam_unix(sudo:auth): auth could not identify password for [lukas]
I've found the problem. It turned out to be PAM's auth module problem! Let me describe how I got to the solution.
Context:
I set up my machine for debugging - that is I had four terminal windows opened.
1st terminal (local machine): Here, I was executing ansible prduction_server -m yum -a 'name=vim state=installed' -b -K -u username
2nd terminal (production server): Here, I executed journalctl -f (system wide log).
3rd terminal (production server): Here, I executed tail -f /var/log/secure (log for sshd).
4th terminal (production server): Here, I was editing vi /etc/pam.d/sudo file.
Every time, I executed command from 1st terminal I got this errors:
# ansible error - on local machine
Timeout (7s) waiting for privilege escalation prompt error.
# sshd error - on remote machine
pam_unix(sudo:auth): conversation failed
pam_unix(sudo:auth): [username]
I showed my entire setup to my colleague, and he told me that the error had to do something with "PAM". Frankly, It was the first time that I've heard about PAM. So, I had to read this PAM Tutorial.
I figured out, that error relates to auth interface located in /etc/pam.d/sudo module. Diging over the internet, I stambled upon this pam_permit.so module with sufficient controll flag, that fixed my problem!
Solution
Basically, what I added was auth sufficient pam_permit.so line to /etc/pam.d/sudo file. Look at the example below.
$ cat /etc/pam.d/sudo
#%PAM-1.0
# Fixing ssh "auth could not identify password for [username]"
auth sufficient pam_permit.so
# Below is original config
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
Conclusion:
I spent 4 days to arrive to this solution. I stumbled upon over a dozens solutions that did not worked for me, starting from "duplicated sudo password in ansible hosts/config file", "ldap specific configuration" to getting advice from always grumpy system admins!
Note:
Since, I'm not expert in PAM, I'm not aware if this fix affects other aspects of the system, so be cautious over blindly copy pasting this code! However, if you are expert on PAM please share with us alternative solutions or input. Thanks!
Assuming the lukas user is a local account, you should look at how the pam_unix.so module is declared in your system-auth pam file. But more information about the user account and pam configuration is necessary for a specific answer.
While adding auth sufficient pam_permit.so is enough to gain access. Using it in anything but the most insecure test environment would not be recommended. From the pam_permit man page:
pam_permit is a PAM module that always permit access. It does nothing
else.
So adding pam_permit.so as sufficient for authentication in this manner will completely bypass the security for all users.
Found myself in the same situation, tearing my hair out. In my case, hidden toward the end of the sudoers file, there was the line:
%sudo ALL=(ALL:ALL) ALL
This undoes authorizations that come before it. If you're not using the sudo group then this line can safely be deleted.
I had this error since upgrading sudo to version 1.9.4 with pacman. I hadn't noticed that pacman had provided a new sudoers file.
I just needed to merge /etc/sudoers.pacnew.
See here for more details: https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave
I know that this doesn't answer the original question (which pertains to a Centos system), but this is the top Google result for the error message, so I thought I'd leave my solution here in case anyone stumbles across this problem coming from an Arch Linux based operating system.
I got the same error when I tried to restart apache2 with sudo service apache2 restart
When logging into root I was able to see the real error lied with the configuration of apache2. Turned out I removed a site's SSL-Certificate files a few months ago but didn't disable the site in apache2. a2dissite did the trick.
I'm trying to enable LDAP authentication on Ubuntu using the guides below:
https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/
https://help.ubuntu.com/community/LDAPClientAuthentication
https://www.youtube.com/watch?v=l0e8rG0mku8
Nothing seems to work so far. ldapsearch works, but I can't login or test with "id" and "getent" commands.
The only difference from the manuals is that I don't have ldap admin account and do not specify it, but I don't think this should break the rest.
Appreciate any suggestions on how to troubleshoot PAM and ldap client
cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
. . .
cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
sudo nano /etc/pam.d/common-auth
auth required pam_group.so use_first_pass
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
sudo nano /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha$
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_$
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
$ ldapsearch -x -H ldap://ldap.server.com -b ou=employee,o=test,c=an -LLL "(alias=test_username)" cn
dn: cn=Test User 5142,ou=employee,o=slb,c=an
cn: Test User
cn: Test User 5142
$su - test_username
No passwd entry for user 'test_username'
$ getent passwd test_username
$
From the provided information, it is seen that your LDAP server works properly, but it is not the case for the NSS module, which is your LDAP client. You should check that /etc/ldap.conf contains the correct search base and LDAP server URI. Alternatively, you can run sudo dpkg-reconfigure ldap-auth-config for interactive editing.
PAM seems to be configured correctly. If not, it always can be fixed by interactive utility pam-auth-update.
Additionally, all the guides that you follow suggest you to install libnss-ldap implementation. If you are going to use the desktop version of Ubuntu, be aware that there are known issues between systemd-logind and libnss-ldap. The solution is to use the newer package libnss-ldapd. See this answer for details.
I would like to enable 2 factor auth using google-authenticator when I SSH as root. Is it possible to set it up only for root but not for other non- root users? Or is it once setup, all users must have 2 factor. I am using Ubuntu 16.04.
Thanks
Once you have 2 factor setup for SSH on Ubuntu it will be required for all users who are using "password authentication", but as Key-Based Authentication takes priority (happens before password authentication) you can set that up for users who you do not want 2 factor for.
Then you can go ahead and simply specified that key-based authetication only be disabled for all users with the following in the sshd_config file:
PubkeyAuthentication no
And only enabled for specific users via
Match User <username>
PubkeyAuthentication yes
As an added security tip you can allow only spesific users with
AllowUsers <username> <username2>