thr3ads.net - openssh unix dev - pam_duo 2FA && ssh-key access [Jan 2021]

If this information is useful, please help other people find it:
Share via:

Mauricio Tavares

2021-Jan-26 20:17 UTC

pam_duo 2FA && ssh-key access

On Tue, Jan 26, 2021 at 2:52 PM Brian Candler <b.candler at pobox.com>
wrote:>
> On 26/01/2021 19:04, Avila, Geoffrey wrote:
> > We have an ssh login host we've protected with Duo's 2FA pam
module. We're
> > allowing both password auth and ssh-keys. Problem is, those users with
a
> > valid ssh key are instantly allowed to log in-the pam stack for the
duo .so
> > module never gets called, and the users are never prompted for 2FA.
> > Is there a way to compel the execution of PAM modules before OpenSSH
> > completes the login process for the user?
>
> I use the following (with Yubikey PAM module for 2FA):
>
> # Policy for authentication: require both pubkey *and* PAM
> AuthenticationMethods publickey,keyboard-interactive:pam
>      I've always thought the comma meant "if this does not work, try
this next"
> # From local and VPN addresses, 2FA not required
> Match Address 192.168.0.0/16,10.0.0.0/8
> AuthenticationMethods publickey
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Brian Candler

2021-Jan-26 20:32 UTC

head link

pam_duo 2FA && ssh-key access

On 26/01/2021 20:17, Mauricio Tavares wrote:>        I've always thought the comma meant "if this does not work,
try this next"
Nope. From sshd_config(5):

 ???? AuthenticationMethods
 ???????????? Specifies the authentication methods that must be 
successfully completed for a user to be
 ???????????? granted access.? This option must be followed by one or 
more comma-separated lists of authen?
 ???????????? tication method names, or by the single string any to 
indicate the default behaviour of
 ???????????? accepting any single authentication method.? If the 
default is overridden, then *successful**
**???????????? authentication requires completion of every method in at 
least one of these lists*.

 ???????????? For example, "publickey,password 
publickey,keyboard-interactive" would require the user to
 ???????????? complete public key authentication, followed by either 
password or keyboard interactive
 ???????????? authentication.? Only methods that are next in one or more 
lists are offered at each stage,
 ???????????? so for this example it would not be possible to attempt 
password or keyboard-interactive
 ???????????? authentication before public key.

 ???????????? For keyboard interactive authentication it is also 
possible to restrict authentication to a
 ???????????? specific device by appending a colon followed by the 
device identifier bsdauth, pam, or skey,
 ???????????? depending on the server configuration.? For example, 
"keyboard-interactive:bsdauth" would
 ???????????? restrict keyboard interactive authentication to the 
bsdauth device.

openssh unix dev - Jan 2021 - pam_duo 2FA && ssh-key access

pam_duo 2FA && ssh-key access

pam_duo 2FA && ssh-key access