I would like to login ssh without password and key.
I have some specific settings on the sshd_config,
PasswordAuthentication yes
PermitEmptyPasswords yes
AllowUsers admin
AuthenticationMethods password
KbdInteractiveAuthentication no
But I was still asked for password. Is there a method to do that?
you need to allow anonymous or guest login and make the password empty.
here is a topic that can answer your question.
Related
I found a bug in sshd. i configured my ssh to use both key and password ( and PAM) . recently i underestood it asks for the password but accept any thing! any idea? why?
this is /etc/ssh/ssd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
PasswordAuthentication yes
KbdInteractiveAuthentication no
PermitRootLogin no
UsePAM yes
Banner /etc/ssh/motd
Subsystem sftp /usr/lib/ssh/sftp-server
AuthenticationMethods publickey,password
StreamLocalBindUnlink yes
Include /etc/ssh/sshd_groups
i expect when it asks for password authorize that and doesn't accept any wrong password. but it accept all kinds of password!
So I've been reading up on configuring a CentOS 7 machine for 2 factor authentication for SSH, using pam_oath and the FreeOTP phone app, plus local usernames/password for the two factors. I've read various online articles, and all seem to follow the basic instructions listed in the following articles:
https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/
Before I do this on my main CentOS machine, I spun up a VirtualBox VM for testing, and did a minimum CentOS 7 install. I followed the instructions, and I get prompted for "One-time password (OATH)" credentials, but I noticed that I can input any alphanumeric string that's 6 characters or less for the OATH password, and it will then prompt me for my local username/password. And as long as I enter the local password correctly, I'm granted shell access.
Here are the steps I followed after the initial minimal CentOS 7 install (CentOS Linux release 7.7.1908 (Core)):
Install packages
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
edit /etc/pam.d/sshd, and added the following line as the first non-commented line:
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
So first few lines of the /etc/pam.d/sshd look like this before:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
And after:
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
generate keys for my local account:
gen-oath-safe jdoe hotp
Add key to FreeOTP app on phone via QR code
Add the hex code to /etc/liboath/users.oath:
HOTP jdoe - REDACTED
edit the /etc/ssh/sshd_config file and make sure the following settings are in place:
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
set SELinux permissions on /etc/liboath:
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
Restart SSH:
systemctl restart sshd
So when I SSH into this host, and enter any string 6 characters or less, I'm let through to login with the local password:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from REDACTED
[jdoe#pkcentos7 ~]
If I enter a string 7 characters or more for the OATH password, the following occurs:
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
I've looked through various other articles returned from Google searches, and I don't clearly see a step or setting I'm missing.
Any help on this would be greatly appreciated. Thanks in advance, and if any additional information is needed, please let me know.
Paul
Change pam module control from sufficient to [success=done new_authtok_reqd=done default=die]
My pam line looks like:
auth [success=done new_authtok_reqd=done default=die] pam_oath.so usersfile=/etc/users.oath
sshd_config:
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
ChallengeResponseAuthentication yes
Thanks for the reply! From looking at your sshd_config file, I assume that you're using a public key as part of the 2FA on your system. So I tweaked what you have above to work on my test system:
1) /etc/pam.d/sshd
auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
2) /etc/sshd/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive:pam
Here's what the output from the SSH login process after this change, where I:
1) purposely entered one-time password wrong
2) entered correct one-time, but wrong account password
3) correct one-time password, then correct account password
login as: jdoe
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| One-time password (OATH) for `jdoe':
| Password:
End of keyboard-interactive prompts from server
Last failed login: Thu Apr 16 10:55:39 EDT 2020 from REDACTED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Apr 16 10:54:59 2020 from REDACTED
[jdoe#pkcentos7 ~]$
I would like to enable 2 factor auth using google-authenticator when I SSH as root. Is it possible to set it up only for root but not for other non- root users? Or is it once setup, all users must have 2 factor. I am using Ubuntu 16.04.
Thanks
Once you have 2 factor setup for SSH on Ubuntu it will be required for all users who are using "password authentication", but as Key-Based Authentication takes priority (happens before password authentication) you can set that up for users who you do not want 2 factor for.
Then you can go ahead and simply specified that key-based authetication only be disabled for all users with the following in the sshd_config file:
PubkeyAuthentication no
And only enabled for specific users via
Match User <username>
PubkeyAuthentication yes
As an added security tip you can allow only spesific users with
AllowUsers <username> <username2>
I have a DigitalOcean droplet that doesn't have my ssh public key on it. I do know the root password, so I want to login using that and add my ssh key. How can I achieve this? Everytime I try to login using ssh root#xxx.xxx.xx.xx it tells me Permission denied (publickey). But then it doesn't prompt me for the root password. What am I doing wrong here?
I'm not sure if it's an option with DigitalOcean, but you need to enable the "PermitRootLogin" option in the server's sshd config (normally /etc/ssh/sshd_config ) if you really want to log in as root this way.
I connect to a host via SSH with a passphrase. When i am in that host I want to install a few packages for which I have to switch to 'root'. While doing so, it asks for 'Password' and obviously my passphrase doesn't work here. This host is setup only for SSH access. How to get the password details?
You can't switch to the root-user with your own password for obvious reasons. Either you are allowed to sudo su root (which may ask for YOUR password) or you do su root (which asks for root's password)