Robert Pendell
2014-Dec-18 07:35 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Thu, Dec 18, 2014 at 2:01 AM, Damien Miller <...> wrote:> On Wed, 17 Dec 2014, Dmt Ops wrote: > >> vi /etc/ssh/sshd_config >> ... >> - ChallengeResponseAuthentication no >> + ChallengeResponseAuthentication yes >> + KbdInteractiveAuthentication yes >> ... >> >> and restart the daemon > > You've missed the crucial part to require multiple authentication > methods succeed before the user is considered authenticated: > > AuthenticationMethods publickey,keyboard-interactive >Ahh... I wasn't even aware of that option. Robert Pendell shinji at elite-systems.org A perfect world is one of chaos.
Dmt Ops
2014-Dec-19 14:04 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
>> AuthenticationMethods publickey,keyboard-interactive > I wasn't even aware of that option.Neither was I. I had PreferredAuthentications publickey,keyboard-interactive in ssh_config ... and thought that that, plus ChallengeResponseAuthentication yes in sshd_config was sufficient. Adding ChallengeResponseAuthentication yes KbdInteractiveAuthentication yes + AuthenticationMethods publickey,keyboard-interactive to sshd_config, now, after sshd restart I can no longer ssh in at all. I simply get Permission denied (keyboard-interactive). Once I get in front of the machine, I'll grab an "sshd -ddd" ...
Dmt Ops
2014-Dec-19 14:39 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
I added an EXPLICIT AuthenticationMethods publickey,keyboard-interactive + UsePam yes to sshd_config. Now, at connect attempt I get Password: Verification code: Password: Verification code: Password: ... I.e., It's asking for Password, not accepting pubkey AND when given the password (which is correct), and the GA VerificationCode, it simply repeats the credentials request.
Damien Miller
2014-Dec-19 22:05 UTC
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Fri, 19 Dec 2014, Dmt Ops wrote:> to sshd_config, now, after sshd restart I can no longer ssh in at all. > > I simply get > > Permission denied (keyboard-interactive). > > Once I get in front of the machine, I'll grab an "sshd -ddd" ...You might need UsePam=yes too if you are using PAM and haven't already turned it on.