I'm trying to enable 2FA authentication on my Lightsail server, running Ubuntu 20.04.
I installed google-authenticator and launched it, configured /etc/pam.d/sshd to add the following lines:
auth required pam_google_authenticator.so
auth required pam_permit.so
and then /etc/ssh/sshd_config to set:
ChallengeResponseAuthentication yes
But then nothing happens. If I add the line:
AuthenticationMethods publickey,keyboard-interactive
Then the ssh client asks for a password that I don't have (I have a keypair, but no password).
What can I do to enable 2FA?
I have implemented 2 factor authentication on a remote server using google-authenticator. Login from the web console succeeds after password and single verification code queries. But login from ssh asks for verification code 2 times. Login is successful only if 2 successive totp codes are provided.
I have used ssh -v <user@remotehost> to verify that ssh publickey authentication is successful before the first query for verification code is made.
Config file /etc/ssh/sshd_config has the following settings:
# to restrict root login via ssh
PasswordAuthentication no
PermitRootLogin no
# to enable login via 2FA
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Config file /etc/pam.d/sshd has the following settings
# Standard Un*x authentication.
# #include common-auth
# for 2FA auth
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
Commenting out auth required pam_google_authenticator.so nullok in /etc/pam.d/sshd removes the duplicate challenge.
Running google_authenticator adds the pam module to /etc/pam.d/common-session making it unnecessary to add it to ssh also.
So I've been reading up on configuring a CentOS 7 machine for 2 factor authentication for SSH, using pam_oath and the FreeOTP phone app, plus local usernames/password for the two factors. I've read various online articles, and all seem to follow the basic instructions listed in the following articles:
https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/
Before I do this on my main CentOS machine, I spun up a VirtualBox VM for testing, and did a minimum CentOS 7 install. I followed the instructions, and I get prompted for "One-time password (OATH)" credentials, but I noticed that I can input any alphanumeric string that's 6 characters or less for the OATH password, and it will then prompt me for my local username/password. And as long as I enter the local password correctly, I'm granted shell access.
Here are the steps I followed after the initial minimal CentOS 7 install (CentOS Linux release 7.7.1908 (Core)):
Install packages
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
edit /etc/pam.d/sshd, and added the following line as the first non-commented line:
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
So first few lines of the /etc/pam.d/sshd look like this before:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
And after:
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
generate keys for my local account:
gen-oath-safe jdoe hotp
Add key to FreeOTP app on phone via QR code
Add the hex code to /etc/liboath/users.oath:
HOTP jdoe - REDACTED
edit the /etc/ssh/sshd_config file and make sure the following settings are in place:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
set SELinux permissions on /etc/liboath:
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
Restart SSH:
systemctl restart sshd
So when I SSH into this host, and enter any string 6 characters or less, I'm let through to login with the local password:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from REDACTED
[jdoe@pkcentos7 ~]
If I enter a string 7 characters or more for the OATH password, the following occurs:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
I've looked through various other articles returned from Google searches, and I don't clearly see a step or setting I'm missing.
Any help on this would be greatly appreciated. Thanks in advance, and if any additional information is needed, please let me know.
Paul
Change pam module control from sufficient to [success=done new_authtok_reqd=done default=die]
My pam line looks like:
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath
sshd_config:
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
ChallengeResponseAuthentication yes
Thanks for the reply! From looking at your sshd_config file, I assume that you're using a public key as part of the 2FA on your system. So I tweaked what you have above to work on my test system:
1) /etc/pam.d/sshd
auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
2) /etc/sshd/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive:pam
Here's the output from the SSH login process after this change, where I:
1) purposely entered one-time password wrong
2) entered correct one-time, but wrong account password
3) correct one-time password, then correct account password
login as: jdoe
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Last failed login: Thu Apr 16 10:55:39 EDT 2020 from REDACTED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Apr 16 10:54:59 2020 from REDACTED
[jdoe@pkcentos7 ~]$
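The effect of the control flags discussed in this thread, as an added example that is not part of any post above: a simplified Python model of how Linux-PAM walks an auth stack, comparing sufficient with the two bracketed controls. The flat stack, the single required module standing in for the password-auth substack, and the names evaluate and attempt are assumptions of the example.

```python
# Added example: simplified model of Linux-PAM "auth" stack evaluation.
# Assumptions: flat stack, new_authtok_reqd ignored, unlisted values act as "bad".
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """Map a keyword or a [value=action ...] control to success/default actions."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    pairs = dict(item.split("=", 1) for item in control.strip("[]").split())
    default = pairs.get("default", "bad")
    return {"success": pairs.get("success", default), "default": default}

def evaluate(stack, outcome):
    """stack: [(control, module)], outcome: {module: succeeded?}.
    Returns (granted, modules_that_ran)."""
    impression, status, ran = "undef", False, []
    for control, module in stack:
        ok = outcome[module]
        ran.append(module)
        actions = parse_control(control)
        action = actions["success"] if ok else actions["default"]
        if action in ("ok", "done"):
            if impression == "undef" or (impression == "positive" and status):
                impression, status = "positive", ok
            if impression == "positive" and action == "done":
                break                      # stop here, later modules never run
        elif action in ("bad", "die"):
            impression, status = "negative", False
            if action == "die":
                break                      # fail immediately
        # "ignore": this module's result does not count either way
    return impression == "positive" and status, ran

# Constructed stacks following the thread; "password-auth" stands in for the
# "auth substack password-auth" line and is treated as one required module.
REST = [("required", "pam_sepermit.so"), ("required", "password-auth")]
ORIGINAL = [("sufficient", "pam_oath.so")] + REST
ANSWER = [("[success=done new_authtok_reqd=done default=die]", "pam_oath.so")] + REST
FOLLOWUP = [("[success=ok new_authtok_reqd=ok default=die]", "pam_oath.so")] + REST

def attempt(stack, otp_ok, password_ok):
    """Run one login attempt; pam_sepermit.so is assumed to succeed."""
    return evaluate(stack, {"pam_oath.so": otp_ok, "pam_sepermit.so": True,
                            "password-auth": password_ok})
```

attempt(ORIGINAL, False, True) is granted after all three modules run, which matches the login reported after a wrong one-time password; attempt(ORIGINAL, True, False) is also granted, after pam_oath.so alone. Only FOLLOWUP requires both the one-time password and the account password.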
This is what I need to realize:
keybased passwordless authentication for user root
passwordbased authentication for any other user than root
Server I need to have access to is running Debian 9 (stretch).
On my client I have created a keypair like this: ssh-keygen
This created the following files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
Now I copied the content of ~/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on the server and modified the keyfile with permission 600.
Then I modified the /etc/ssh/sshd_config on server by setting the following values:
PermitRootLogin without-password
PubkeyAuthentication yes
Now I restarted ssh service on server and tried the connection by ssh root@sub.domain.tld.
It still ends in password prompt for user root.
The outcome of ssh -vvv root@sub.domain.tld you can find here (Ubuntu Pastebin).
What did I miss to modify?
Kind regards
//neph
You should follow this tutorial, there's a lot of outdated ones. It worked for me on Ubuntu 19.04.
All you have to do is:
apt-get install libpam-google-authenticator.
Users who want to continue using ssh must each run the command google-authenticator. This tool interactively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).
Edit /etc/ssh/sshd_config. Set:
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):
UsePAM yes
PubkeyAuthentication yes
Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.
Edit /etc/pam.d/sshd and replace the line:
#include common-auth
with:
auth required pam_google_authenticator.so
That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.
I'm trying to create an authentication process to an Amazon EC2 Ubuntu instance that will require the usage of a key-pair generated by Amazon AND using Google-Authenticator. Ergo I want to login to the instance with my pem file and then be prompted with the verification code prompt.
Verification code:
I've managed to login to my server using my pem file. I have also managed to install Google-Authenticator successfully and use it to login with a separate user (not ubuntu) that I've created and given a specific password.
On my /etc/ssh/sshd_config I have:
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods keyboard-interactive
and on my /etc/pam.d/sshd:
#include common-auth
auth required pam_google_authenticator.so
If I add publickey to AuthenticationMethods then on login I'm prompted for a password instead of using the pem file I'm providing in:
ssh -i my-key.pem ubuntu@*.*.*.*
How can I get OpenSSH to authenticate via pem file --> google-authenticator?
Thanks!
My solution was to be checked by a pem file, a password and a verification OTP. For this I had:
In: /etc/pam.d/sshd/:
#include common-auth
auth required pam_sepermit.so
auth required pam_google_authenticator.so
In: /etc/ssh/sshd_config/:
AuthenticationMethods publickey,keyboard-interactive
The rest of the configs are as described above. Notice publickey comes before keyboard-interactive in AuthenticationMethods, otherwise the verification code comes first and then the pem file checking.
I'm trying to configure my SSH server to require users to have an RSA key. To do this I have the settings in sshd_config set to
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
and
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
and
UsePAM no
Then I do sudo /etc/init.d/ssh restart to restart the server.
This seems to work to some degree, because I included my Mac's rsa_key and it lets me log in without asking for a password. However when I try to ssh in through a computer that I haven't included the key of, it just prompts me for my password, and then when entered, lets me in.
What am I doing wrong?
I'd say you're not reloading your ssh config correctly. Which Linux distribution/version are you using (assuming you're even using Linux)?
In Ubuntu I usually do:
sudo restart ssh
OR
sudo service ssh restart
Additionally, though not germane to this question - ideally root should not have a password - you should be using sudo.
I think you also need
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin without-password
otherwise even if sshd does not ask itself for a password, it will trust PAM and login which will authenticate the user with its password.
While testing, make sure to have another way in in case a problem occurs with SSH...
And make sure you restart your server with /etc/init.d/sshd restart.
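A check for the sshd_config excerpts quoted in the threads above, as an added example that is not part of any post: it reports, for each AuthenticationMethods alternative, whether sshd can use it given the enabled methods and whether it requires a public key. The defaults table, the function names and the two sample configurations are assumptions of the example; Match blocks and methods other than the three listed are not handled.

```python
# Added example: which AuthenticationMethods lists can sshd use, and which of
# them can complete without a public key? Match blocks are not handled.
DEFAULTS = {  # assumed upstream OpenSSH defaults; a distribution may differ
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
SWITCH = {  # authentication method -> keyword that enables it
    "publickey": "pubkeyauthentication",
    "password": "passwordauthentication",
    "keyboard-interactive": "challengeresponseauthentication",
}

def parse(text):
    """Return {keyword: value}; the first value read for a keyword wins."""
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return {**DEFAULTS, **seen}

def audit(text):
    """Return [(method_list, usable, needs_publickey)] per alternative list."""
    conf = parse(text)
    enabled = sorted(m for m, kw in SWITCH.items() if conf[kw].lower() == "yes")
    # Without AuthenticationMethods, any single enabled method is enough.
    lists = conf.get("authenticationmethods", " ".join(enabled)).split()
    report = []
    for entry in lists:
        methods = [m.split(":", 1)[0] for m in entry.split(",")]  # drop ":pam"
        usable = all(m in enabled for m in methods)  # sshd skips unusable lists
        report.append((entry, usable, "publickey" in methods))
    return report

# Constructed from the sshd_config excerpts quoted in the threads above.
TWO_LISTS = """PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
"""
OTP_ONLY = """ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods keyboard-interactive
"""
```

For TWO_LISTS only the publickey,keyboard-interactive list is usable, because PasswordAuthentication is off; for OTP_ONLY the single list is usable without a key, so what the login requires is decided entirely by the PAM stack.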