Dmt Ops
2014-Dec-18 01:55 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
I have sshd server

    sshd -V
    ...
    OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
    ...

running on linux/64 with

    cat sshd_config
    ...
    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    GSSAPIAuthentication no
    GSSAPICleanupCredentials no
    HostbasedAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no
    UseLogin no
    PermitEmptyPasswords no
    UsePrivilegeSeparation yes
    ...

I can ssh in with pubkey auth.

I want to ADD a 2nd factor authentication step; specifically Google Authenticator.

I installed the pam-google-authenticator package.

At shell, I exec

    google-authenticator

and create the key.

I edit

    vi /etc/pam.d/sshd
    ...
    + auth required pam_google_authenticator.so
    ...

and

    vi /etc/ssh/sshd_config
    ...
    - ChallengeResponseAuthentication no
    + ChallengeResponseAuthentication yes
    + KbdInteractiveAuthentication yes
    ...

and restart the daemon

    systemctl restart sshd
    ...
    Dec 7 14:05:59 server systemd[1]: Stopping OpenSSH Daemon...
    Dec 7 14:05:59 server sshd[4821]: Received signal 15; terminating.
    Dec 7 14:05:59 server systemd[1]: Starting OpenSSH Daemon...
    Dec 7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
    Dec 7 14:05:59 server sshd[5112]: Server listening on 127.0.0.1 port 22.
    Dec 7 14:05:59 server sshd[5112]: Server listening on 10.10.16.92 port 22.
    ...

In the client's ssh_config I added

    ...
    Host server.DOMAIN.com
        User root
        ChallengeResponseAuthentication yes
        PreferredAuthentications publickey,keyboard-interactive
        ForwardX11 yes
        ForwardX11Trusted yes
        Compression no
    ...

IIUC, now, when I login from the client to the server, I should ALWAYS be prompted for the Google Authenticator code after a successful pubkey auth.

But when I ssh in to the machine, I still get only the pubkey auth -- never get asked for the GA code, and I can login.

    ssh -v -l root server sshr_server -4v
    OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 89: Applying options for *.DOMAIN.com
    debug1: /etc/ssh/ssh_config line 147: Applying options for *
    debug1: Connecting to server.DOMAIN.com [10.10.16.92] port 22.
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.7
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
    debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
    debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ED25519 2f:...
    debug1: Host 'server.DOMAIN.com' is known and matches the ED25519 host key.
    debug1: Found key in /etc/ssh/ssh_known_hosts:1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Authentication succeeded (publickey).
    Authenticated to server.DOMAIN.com ([10.10.16.92]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Requesting X11 forwarding with authentication spoofing.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: Sending env DISPLAY = :0

I'm not sure where to look for WHY this isn't working.

How do I get the 2nd-factor step turned on? config change? add'l packages required? etc?

Dan
Damien Miller
2014-Dec-18 05:59 UTC
On Wed, 17 Dec 2014, Dmt Ops wrote:

> But when I ssh in to the machine, I still get only the pubkey auth -- never
> get asked for the GA code, and I can login.

Could you please post a debug log from the server?

    /path/to/sshd -ddd

should produce one.

-d
Robert Pendell
2014-Dec-18 06:25 UTC
On Thu, Dec 18, 2014 at 12:59 AM, Damien Miller <...> wrote:

> On Wed, 17 Dec 2014, Dmt Ops wrote:
>
>> But when I ssh in to the machine, I still get only the pubkey auth -- never
>> get asked for the GA code, and I can login.
>
> Could you please post a debug log from the server?
>
>     /path/to/sshd -ddd
>
> should produce one.

Based on what I've seen, the reason is that SSH is handling pub-key auth itself and bypasses PAM for it. Google Authenticator, however, is done via PAM, so it only works for keyboard-interactive logins. Now then, from what I've seen you can try to do a force command instead and use a different 2-factor provider that runs as a system executable, but that provides its own headaches.
Damien Miller
2014-Dec-18 07:01 UTC
On Wed, 17 Dec 2014, Dmt Ops wrote:

> vi /etc/ssh/sshd_config
> ...
> - ChallengeResponseAuthentication no
> + ChallengeResponseAuthentication yes
> + KbdInteractiveAuthentication yes
> ...
>
> and restart the daemon

You've missed the crucial part to require multiple authentication methods succeed before the user is considered authenticated:

    AuthenticationMethods publickey,keyboard-interactive

-d
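As an added illustration (not code from this thread or from OpenSSH), the following POSIX shell check reads `sshd -T`-style effective-configuration output and reports whether every permitted login path requires both publickey and keyboard-interactive, which is what the AuthenticationMethods line above enforces. The two sample dumps are constructed to mirror the poster's before and after states; the UsePAM check is included because pam_google_authenticator.so is only consulted when sshd hands the keyboard-interactive step to PAM.

```shell
# Added example: audit an "sshd -T" dump (lowercase keywords, one per line)
# for a real pubkey + Google Authenticator chain.

# Constructed sample: the poster's state, keyboard-interactive enabled but
# no AuthenticationMethods, so pubkey alone still logs in.
SAMPLE_BEFORE='pubkeyauthentication yes
challengeresponseauthentication yes
kbdinteractiveauthentication yes
usepam yes
authenticationmethods any'
# Constructed sample: the same server after adding Damien's line.
SAMPLE_AFTER='pubkeyauthentication yes
challengeresponseauthentication yes
kbdinteractiveauthentication yes
usepam yes
authenticationmethods publickey,keyboard-interactive'

# check_2fa_chain: read "sshd -T" output on stdin; succeed only if every
# alternative in AuthenticationMethods requires publickey AND
# keyboard-interactive, and keyboard-interactive plus PAM are enabled.
check_2fa_chain() {
    methods="" kbd="no" pam="no"
    while read -r key val; do
        case "$key" in
            authenticationmethods) methods="$val" ;;
            challengeresponseauthentication|kbdinteractiveauthentication)
                if [ "$val" = "yes" ]; then kbd="yes"; fi ;;
            usepam) pam="$val" ;;
        esac
    done
    [ "$kbd" = "yes" ] || { echo "FAIL: keyboard-interactive is off"; return 1; }
    [ "$pam" = "yes" ] || { echo "FAIL: UsePAM no, pam_google_authenticator.so never runs"; return 1; }
    if [ -z "$methods" ] || [ "$methods" = "any" ]; then
        echo "FAIL: AuthenticationMethods unset, so pubkey alone logs in"; return 1
    fi
    # Alternatives are space-separated; methods within one are comma-separated.
    for alt in $methods; do
        case ",$alt," in
            *,publickey,*) ;;
            *) echo "FAIL: path '$alt' does not require publickey"; return 1 ;;
        esac
        case ",$alt," in
            *,keyboard-interactive,*|*,keyboard-interactive:pam,*) ;;
            *) echo "FAIL: path '$alt' does not require keyboard-interactive"; return 1 ;;
        esac
    done
    echo "OK: every login path requires publickey then keyboard-interactive"
}

printf '%s\n' "$SAMPLE_BEFORE" | check_2fa_chain || true   # prints FAIL
printf '%s\n' "$SAMPLE_AFTER"  | check_2fa_chain           # prints OK
```

On a live server, feed it the real dump with `sshd -T | check_2fa_chain`.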
Robert Pendell
2014-Dec-18 07:35 UTC
On Thu, Dec 18, 2014 at 2:01 AM, Damien Miller <...> wrote:

> On Wed, 17 Dec 2014, Dmt Ops wrote:
>
>> vi /etc/ssh/sshd_config
>> ...
>> - ChallengeResponseAuthentication no
>> + ChallengeResponseAuthentication yes
>> + KbdInteractiveAuthentication yes
>> ...
>>
>> and restart the daemon
>
> You've missed the crucial part to require multiple authentication
> methods succeed before the user is considered authenticated:
>
>     AuthenticationMethods publickey,keyboard-interactive
>

Ahh... I wasn't even aware of that option.

Robert Pendell
shinji at elite-systems.org
A perfect world is one of chaos.