So I've been reading up on configuring a CentOS 7 machine for 2 factor authentication for SSH, using pam_oath and the FreeOTP phone app, plus local usernames/password for the two factors. I've read various online articles, and all seem to follow the basic instructions listed in the following articles:
https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/
Before I do this on my main CentOS machine, I spun up a VirtualBox VM for testing, and did a minimum CentOS 7 install. I followed the instructions, and I get prompted for "One-time password (OATH)" credentials, but I noticed that I can input any alphanumeric string that's 6 characters or less for the OATH password, and it will then prompt me for my local username/password. And as long as I enter the local password correctly, I'm granted shell access.
Here are the steps I followed after the initial minimal CentOS 7 install (CentOS Linux release 7.7.1908 (Core)):
Install packages
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
edit /etc/pam.d/sshd, and added the following line as the first non-commented line:
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
So first few lines of the /etc/pam.d/sshd look like this before:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
And after:
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
generate keys for my local account:
gen-oath-safe jdoe hotp
Add key to FreeOTP app on phone via QR code
Add the hex code to /etc/liboath/users.oath:
HOTP jdoe - REDACTED
edit the /etc/ssh/sshd_config file and make sure the following settings are in place:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
set SELinux permissions on /etc/liboath:
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
Restart SSH:
systemctl restart sshd
So when I SSH into this host, and enter any string 6 characters or less, I'm let through to login with the local password:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from REDACTED
[jdoe#pkcentos7 ~]
If I enter a string 7 characters or more for the OATH password, the following occurs:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
I've looked through various other articles returned from Google searches, and I don't clearly see a step or setting I'm missing.
Any help on this would be greatly appreciated. Thanks in advance, and if any additional information is needed, please let me know.
Paul
Change pam module control from sufficient to [success=done new_authtok_reqd=done default=die]
My pam line looks like:
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath
sshd_config:
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
ChallengeResponseAuthentication yes
Thanks for the reply! From looking at your sshd_config file, I assume that you're using a public key as part of the 2FA on your system. So I tweaked what you have above to work on my test system:
1) /etc/pam.d/sshd
auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
2) /etc/sshd/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive:pam
Here's what the output from the SSH login process after this change, where I:
1) purposely entered one-time password wrong
2) entered correct one-time, but wrong account password
3) correct one-time password, then correct account password
login as: jdoe
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Last failed login: Thu Apr 16 10:55:39 EDT 2020 from REDACTED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Apr 16 10:54:59 2020 from REDACTED
[jdoe#pkcentos7 ~]$
Related
I found a bug in sshd. i configured my ssh to use both key and password ( and PAM) . recently i underestood it asks for the password but accept any thing! any idea? why?
this is /etc/ssh/ssd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin no
UsePAM yes
Banner /etc/ssh/motd
Subsystem sftp /usr/lib/ssh/sftp-server
AuthenticationMethods publickey,password
StreamLocalBindUnlink yes
Include /etc/ssh/sshd_groups
i expect when it asks for password authorize that and doesn't accept any wrong password. but it accept all kinds of password!
I'm trying to enable 2fA authentification on my lighsail server, running ubuntu 20.04.
I installed google-authenticator and launched it, configured /etc/pam.d/sshd to add the following line :
auth required pam_google_authenticator.so
auth required pam_permit.so
and then /etc/ssh/sshd_config to set :
ChallengeResponseAuthentication yes
But then nothing happens. If I add the line :
AuthenticationMethods publickey,keyboard-interactive
Then the ssh client asks for a password that I don't have (I have a keypair, but no password).
What can I do to enable 2FA ?
I have implemented 2 factor authentication on a remote server using google-authenticator. Login from the web console succeeds after password and single verification code queries. But login from ssh asks for verification code 2 times. Login is successful only if 2 successive totp codes are provided.
I have used ssh -v <user#remotehost> to verify that ssh publickey authentication is successful before the first query for verification code is made.
Config file /etc/ssh/sshd_config has the following settings:
# to restrict root login via ssh
PasswordAuthentication no
PermitRootLogin no
# to enable login via 2FA
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Config file /etc/pam.d/sshd has the following settings
# Standard Un*x authentication.
# #include common-auth
# for 2FA auth
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
Commenting out auth required pam_google_authenticator.so nullok in /etc/pam.d/sshd removes the duplicate challenge.
Running google_authenticator adds the pam module to /etc/pam.d/common-session making it unnecessary to add it to ssh also.
this is what I need to realize:
keybased passwordless authentication for user root
passwordbased authentication for any other user than root
Server I need to have access to is running Debian 9 (stretch).
On my client I have I have created a keypair like this: ssh-keygen
This created the following files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
Now I copied the content of ~/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on the server and modified the keyfile with permission 600.
Then I modified the /etc/ssh/sshd_config on server by setting the following values:
PermitRootLogin without-password
PubkeyAuthentication yes
Now I restarted ssh service on server and tried the connection by ssh root#sub.domain.tld.
It still ends in password prompt for user root.
The outcome of ssh -vvv root#sub.domain.tld you can find here (Ubuntu Pastebin).
What did I miss to modify?
Kind regards
//neph
You should follow this tutorial, there's a lot of outdated ones. It worked for me on Ubuntu 19.04.
All you have to do is:
apt-get install libpam-google-authenticator.
Users who want to continue using ssh must each run the command google-authenticator. This tool interatively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).
Edit /etc/ssh/sshd_config. Set:
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):
UsePAM yes
PubkeyAuthentication yes
Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.
Edit /etc/pam.d/sshd and replace the line:
#include common-auth
with:
auth required pam_google_authenticator.so
That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.
I have an Ubuntu server with two users: user1 and user2. I have generated a SSH key locally and copied the public part to both users' authorized_keys file. I am able to login as both users:
srimanth#local:~$ ssh user1#server
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-31-generic x86_64)
...
Last login: Fri Mar 20 04:11:08 2015 from A.B.C.D
user1#server:~$
srimanth#local:~$ ssh user2#server
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-31-generic x86_64)
...
Last login: Thu Mar 19 22:45:26 2015 from A.B.C.D
user2#server:~$
But, if I don't mention the username authentication fails:
srimanth#local:~$ ssh -v server
...
debug1: Connection established.
debug1: identity file /home/srimanth/.ssh/id_rsa type -1
...
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: srimanth#local
debug1: Trying private key: /home/srimanth/.ssh/id_rsa
...
debug1: No more authentication methods to try.
Permission denied (publickey).
Please help me how do I solve this issue.
SSH is trying to login with srimanth username and since it doesn't exist on remote machine it fails. You must provide a remote valid username, or you will not be able to log into the remote machine.
As you had generated key and added it to authorized_keys file for both users, when you login with any of them, ssh is able to authenticate you using your private key.
If you don't want to specify username on the login, you have two options (it will still use the username to login but you can avoid specifying it on the command):
Add srimanth user to the remote server and add the public key to its authorized_keys file, so that from your machine when you are logged in as srimanth, and try to SSH, it uses the same username and lets you login to the remote machine.
Add an entry to your SSH config to use specific username when you are connecting to a particular host:
Host dev
HostName SERVER
Port 22
User DEFAULTUSER
If you don't specify the login username, ssh will try to log into the instance with your current user name: In your case, and by looking at your question, this would be srimanth.
For this to work, srimanth user account must exists first on the server, or a default userlogin for the instance in srimanth user SSH configuration file must be defined as describe in this answer from Learath2 to this question.
See Adding and Deleting Users to create an user account in an Ubuntu server.