Let's say you want to use two-factor authentication on your site. How do you do it?

Time-based One-Time Passwords (TOTP)

An increasingly popular approach is Time-based One-Time Passwords (TOTP) (RFC6238). This is a straightforward algorithm that only requires an accurate clock and a shared secret.

Accurate times have been a pain in the past – computers did not include particularly good real time clock chips – but any server should now be using NTP. I think the major distributions set it up by default but could be mistaken about that.

Modern cell phones also have the accurate time since they include GPS receivers.

Finally, dongles with LCD displays can include accurate clocks, especially if you're able to periodically synchronize them to a PC.

Put it together and we can have reasonable confidence that we'll have matching clocks on the client and server, so TOTP becomes a good option.

Jumping straight to the code – this is the reference implementation from the RFC. The RFC also includes test vectors to verify implementations. Only the header of the listing survives here:

```java
/**
 Copyright (c) 2011 IETF Trust and the persons identified as
 authors of the code.

 Redistribution and use in source and binary forms, with or without
 modification, is permitted pursuant to, and subject to the license
 terms contained in, the Simplified BSD License set forth in Section
 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
 */

/**
 * This is an example implementation of the OATH
 */

     /**
      * This method uses the JCE to provide the crypto algorithm.
      */
```

I'm trying to enable 2FA with ssh using libpam-google-authenticator. Not all users need authenticator enabled. Everybody uses ssh public keys, and nobody has a password. I'm running Debian buster, and I've also tried libpam-google-authenticator from bullseye.

My problem is that no matter what I put in the PAM config, users without authenticator enabled are never logged straight in, but always asked for a password.

I've installed libpam-google-authenticator and configured /etc/ssh/sshd_config with:

```
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
```

I haven't been able to work out the correct PAM config so that users without a .google_authenticator file are still logged in. Depending on what I use, users are either prompted for a password (they don't have one), or not allowed in at all.

In /etc/pam.d/sshd I've tried (like this: Trying to get SSH with public key (no password) + google authenticator working on Ubuntu 14.04.1):

```
@include common-auth
auth required pam_google_authenticator.so debug nullok
```

In this case, users without an authenticator setup get rejected with the following debug output:

```
Aug 05 15:11:18 sshd(pam_google_authenticator): debug: start of google_authenticator for ""
Aug 05 15:11:18 sshd(pam_google_authenticator): debug: end of google_authenticator for "" Result: The return value should be ignored by PAM dispatch
Aug 05 15:11:18 sshd: error: PAM: Permission denied for from
```

Is pam_permit needed to set up the fallback case?

I've also tried various combinations of auth required and auth sufficient before and after common-auth, but they all result in users without authenticator being asked for a password, and sometimes users WITH authenticator also being asked for a password.

Does anyone have a recipe to make this work?

Some users have authenticator enabled and some don't, and only SSH logins with public keys are permitted, never passwords.

In /etc/pam.d/sshd:

```
# Standard Un*x common-auth
# Require authenticator, if not configured then allow
auth required
```

common-auth must be disabled because it includes pam_unix, which I don't want to use. Then you need pam_permit to make authentication successful for users without authenticator (for which pam_google_authenticator returns ignore rather than pass).

This still doesn't let root log in with an ssh key; sshd logs:

```
sshd: fatal: Internal error: PAM auth succeeded when it should have failed
```

This is discussed at Google Authenticator PAM on SSH blocks root login without 2FA.

Having gotten this working as above, I think it's actually nicer to enforce 2FA for certain groups using the SSH config as suggested.
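The following is an added example written for this page; it is neither the RFC 6238 reference code whose header appears above nor anything from the question or answer. It serves two passages at once: the TOTP section (HOTP dynamic truncation, the time-step counter, and a verification window that tolerates the small clock skew the post discusses, checked against the RFC 6238 test vectors), and the /etc/pam.d/sshd answer (why a `required` pam_google_authenticator with `nullok` alone ends in "Permission denied" for a user with no secret file, why `@include common-auth` produces the unwanted password prompt, and why `pam_permit` fixes the fallback). The `pam_*` functions, `dispatch`, `USERS`, `SECRET` and `NOW` are simplified, constructed models of the real modules and of Linux-PAM's `required`/`sufficient` handling, not the real library code; the RFC test-vector seed is reused as the constructed user secret.

```python
import hashlib
import hmac
import struct

# ---- RFC 6238 TOTP on top of RFC 4226 HOTP ---------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter T = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> bool:
    """Accept the code for the current step and up to `window` steps either side,
    so a client clock a few seconds off the server's still authenticates."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * step, step, digits, digestmod)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False

# ---- Simplified Linux-PAM auth dispatch, modelling the /etc/pam.d/sshd stacks --

SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"

# Constructed users: nobody has a Unix password; only alice has a ~/.google_authenticator.
SECRET = b"12345678901234567890"            # RFC 6238 test-vector seed, reused as constructed data
USERS = {"alice": SECRET, "bob": None}

def pam_unix(user, answers, now, prompts):
    """Model of what '@include common-auth' pulls in: asks for a password nobody has."""
    prompts.append("Password:")
    return AUTH_ERR

def pam_google_authenticator_nullok(user, answers, now, prompts):
    """Model of the module with nullok: no secret file -> PAM_IGNORE
    ('The return value should be ignored by PAM dispatch')."""
    secret = USERS[user]
    if secret is None:
        return IGNORE
    prompts.append("Verification code:")
    return SUCCESS if verify_totp(secret, answers.get("code", ""), now) else AUTH_ERR

def pam_permit(user, answers, now, prompts):
    return SUCCESS

def dispatch(stack, user, answers, now):
    """'required' and 'sufficient' control-flag semantics as Linux-PAM applies them."""
    prompts, impression = [], None          # None: no module has contributed a result yet
    for control, module in stack:
        result = module(user, answers, now, prompts)
        if result == IGNORE:
            continue                        # no effect on the outcome
        if result == SUCCESS:
            if control == "sufficient" and impression != AUTH_ERR:
                return SUCCESS, prompts     # short-circuit
            if impression is None:
                impression = SUCCESS
        elif control == "required":
            impression = AUTH_ERR           # remember the failure, keep running the stack
        # a failing 'sufficient' module is simply ignored
    # Stack ended with only PAM_IGNORE results: Linux-PAM denies ("PAM: Permission denied")
    return (AUTH_ERR if impression is None else impression), prompts

QUESTION_STACK = [("required", pam_unix), ("required", pam_google_authenticator_nullok)]
NO_PERMIT_STACK = [("required", pam_google_authenticator_nullok)]
ANSWER_STACK = [("required", pam_google_authenticator_nullok), ("required", pam_permit)]

NOW = 1111111109    # constructed login time; also an RFC 6238 test-vector time

def login(stack, user, code=None, now=NOW):
    """Run one keyboard-interactive PAM auth and return (result, prompts shown)."""
    return dispatch(stack, user, {"code": code} if code else {}, now)

if __name__ == "__main__":
    print("RFC 6238 vector, T=59, SHA1, 8 digits:", totp(SECRET, 59, digits=8))
    print("bob, question's stack:", login(QUESTION_STACK, "bob"))
    print("bob, nullok without pam_permit:", login(NO_PERMIT_STACK, "bob"))
    print("bob, answer's stack:", login(ANSWER_STACK, "bob"))
    print("alice, answer's stack:", login(ANSWER_STACK, "alice", totp(SECRET, NOW)))
```

Running it shows the three situations from the thread: with `common-auth` still included, bob is prompted for a password he does not have and is denied; with only the `nullok` module, every result is PAM_IGNORE, nothing sets a verdict, and the stack is denied without any prompt (the "Permission denied" in the debug log); with `pam_permit` appended, bob is let straight in while alice is still asked for, and checked against, her TOTP code.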