Dmt Ops
2014-Dec-18 01:55 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
I have an sshd server
sshd -V
...
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
...
running on linux/64
with
cat sshd_config
...
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
HostbasedAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
UseLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
...
I can ssh in with pubkey auth.
I want to ADD a 2nd factor authentication step; specifically Google
Authenticator
I installed
pam-google-authenticator
package.
At shell, I exec
google-authenticator
and create the key
I edit
vi /etc/pam.d/sshd
...
+ auth required pam_google_authenticator.so
...
and
vi /etc/ssh/sshd_config
...
- ChallengeResponseAuthentication no
+ ChallengeResponseAuthentication yes
+ KbdInteractiveAuthentication yes
...
and restart the daemon
systemctl restart sshd
...
Dec 7 14:05:59 server systemd[1]: Stopping OpenSSH Daemon...
Dec 7 14:05:59 server sshd[4821]: Received signal 15; terminating.
Dec 7 14:05:59 server systemd[1]: Starting OpenSSH Daemon...
Dec 7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
Dec 7 14:05:59 server sshd[5112]: Server listening on 127.0.0.1 port 22.
Dec 7 14:05:59 server sshd[5112]: Server listening on 10.10.16.92 port 22.
...
In the client's ssh_config I added
...
Host server.DOMAIN.com
User root
ChallengeResponseAuthentication yes
PreferredAuthentications publickey,keyboard-interactive
ForwardX11 yes
ForwardX11Trusted yes
Compression no
...
IIUC, now, when I login from the client to the server, I should ALWAYS be
prompted for the Google Authenticator code after a successful pubkey auth.
But when I ssh in to the machine, I still get only the pubkey auth -- never
get asked for the GA code, and I can login.
ssh -v -l root server
sshr_server -4v
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 89: Applying options for *.DOMAIN.com
debug1: /etc/ssh/ssh_config line 147: Applying options for *
debug1: Connecting to server.DOMAIN.com [10.10.16.92] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305 at openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305 at openssh.com <implicit> none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 2f:...
debug1: Host 'server.DOMAIN.com' is known and matches the ED25519 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to server.DOMAIN.com ([10.10.16.92]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env DISPLAY = :0
I'm not sure where to look for WHY this isn't working.
How do I get the 2nd-factor step turned on? config change? add'l packages
required? etc?
Dan
Damien Miller
2014-Dec-18 05:59 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Wed, 17 Dec 2014, Dmt Ops wrote:
> But when I ssh in to the machine, I still get only the pubkey auth -- never
> get asked for the GA code, and I can login.

Could you please post a debug log from the server?

/path/to/sshd -ddd

should produce one.

-d
Robert Pendell
2014-Dec-18 06:25 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Thu, Dec 18, 2014 at 12:59 AM, Damien Miller <...> wrote:
> On Wed, 17 Dec 2014, Dmt Ops wrote:
>
>> But when I ssh in to the machine, I still get only the pubkey auth -- never
>> get asked for the GA code, and I can login.
>
> Could you please post a debug log from the server?
>
> /path/to/sshd -ddd
>
> should produce one.

Based on what I've seen, the reason is that SSH handles pub-key auth itself and bypasses PAM for it. Google Authenticator, however, is done via PAM, so it only works for keyboard-interactive logins. From what I've seen, you can try a force command instead and use a different 2-factor provider that runs as a system executable, but that brings its own headaches.
Damien Miller
2014-Dec-18 07:01 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Wed, 17 Dec 2014, Dmt Ops wrote:
> vi /etc/ssh/sshd_config
> ...
> - ChallengeResponseAuthentication no
> + ChallengeResponseAuthentication yes
> + KbdInteractiveAuthentication yes
> ...
>
> and restart the daemon

You've missed the crucial part to require multiple authentication methods to succeed before the user is considered authenticated:

AuthenticationMethods publickey,keyboard-interactive

-d
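One way to verify that a host actually enforces the chain Damien describes, as an added example that is not part of the thread: it reads the effective settings from a saved `sshd -T` dump rather than talking to the daemon, and the two sample dumps embedded below are constructed, not output from the poster's server.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an sshd configuration,
# as dumped by `sshd -T` (effective settings, lowercased keywords), really
# requires publickey AND keyboard-interactive before a login is accepted.
# It reads a saved dump so it runs offline:  sshd -T > /tmp/sshd-effective.conf

# Print the effective value of one keyword from a `sshd -T` dump file.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Exit 0 when the two-factor chain is enforced, 1 otherwise; every gap is
# reported on stdout so an operator knows what to fix in sshd_config.
check_2fa_chain() {
    conf="$1"; rc=0
    # Without AuthenticationMethods each enabled method is sufficient on its
    # own, which is exactly why the original poster never saw the GA prompt.
    methods=$(sshd_opt "$conf" authenticationmethods)
    [ -n "$methods" ] || { echo "AuthenticationMethods is not set"; rc=1; }
    for alt in $methods; do          # alternatives are space separated
        case "$alt" in
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
            *) echo "AuthenticationMethods alternative '$alt' does not require both factors"; rc=1 ;;
        esac
    done
    # keyboard-interactive must be offered at all for PAM to get a prompt in.
    [ "$(sshd_opt "$conf" challengeresponseauthentication)" = "yes" ] ||
        { echo "ChallengeResponseAuthentication must be yes"; rc=1; }
    # pam_google_authenticator.so lives in the PAM stack, so PAM must be on.
    [ "$(sshd_opt "$conf" usepam)" = "yes" ] ||
        { echo "UsePAM must be yes"; rc=1; }
    return $rc
}

# Two constructed dumps (not real output from the poster's host): the first
# mirrors the thread's failing setup, the second adds AuthenticationMethods.
before=$(mktemp); after=$(mktemp)
cat >"$before" <<'EOF'
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication yes
usepam yes
authenticationmethods any
EOF
sed 's/^authenticationmethods .*/authenticationmethods publickey,keyboard-interactive/' "$before" >"$after"
for f in "$before" "$after"; do
    if check_2fa_chain "$f"; then echo "$f: two-factor chain enforced"; fi
done
```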
Robert Pendell
2014-Dec-18 07:35 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Thu, Dec 18, 2014 at 2:01 AM, Damien Miller <...> wrote:
> On Wed, 17 Dec 2014, Dmt Ops wrote:
>
>> vi /etc/ssh/sshd_config
>> ...
>> - ChallengeResponseAuthentication no
>> + ChallengeResponseAuthentication yes
>> + KbdInteractiveAuthentication yes
>> ...
>>
>> and restart the daemon
>
> You've missed the crucial part to require multiple authentication
> methods succeed before the user is considered authenticated:
>
> AuthenticationMethods publickey,keyboard-interactive
>

Ahh... I wasn't even aware of that option.

Robert Pendell
shinji at elite-systems.org
A perfect world is one of chaos.