I'm adding Google authenticator to my SSH server for 2FA. I previously had this working properly on Manjaro, but on Arch I'm encountering the following issue:
I followed the Arch Wiki's Google authenticator instructions, but whenever I edit the end of /etc/ssh/sshd_config to look like this:
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
My attempt at an SSH connection is instantly refused. I've also tried it without the first line, without :pam at the end of the second, and both (the same as my Manjaro configuration). If I revert to only publickey as an authentication method I can connect to the SSH server without an issue. Has anyone else encountered a similar issue?
Last edited by insignian (2022-02-23 03:28:58)
Have you added the Google Authenticator PAM module to your /etc/pam.d configuration? I'm not sure exactly where that would go, but it sounds like you've broken keyboard interactive logins somehow with a bad PAM configuration. You should be able to check the sshd journal (journalctl -fu sshd.service) and watch it as you try to log in with your keyboard. You can also use ssh -vvv <user>@<host> to see if sshd gives your client any clues.
You may also want to make the subject of this topic more descriptive.
Last edited by ectospasm (2022-02-23 02:39:13)
The configuration is okay, I was able to get it working thankfully by adding
ChallengeResponseAuthentication yes
to /etc/ssh/sshd_config. The issue now is that Google authenticator was generating a bad QR/secret key that generates the wrong OTP when I try to confirm it in the google-authenticator setup script. I skipped that by entering -1 and then tried adding a custom one to the ~/.google_authenticator but that isn't working either. The connection isn't instantly refused now but I don't have a working OTP for the 2FA. So close!
I'll update the title as well.
Last edited by insignian (2022-02-23 02:49:22)
This may be a bug with the libpam-google-authenticator package which would be out of scope of this post. Maybe if someone else could see if it works for them. I can scan the QR code and add it to my authenticator app, but when I confirm the OTP in the script it says it's wrong.
That or it is out of sync somehow, but my timezone is correct so I'm not sure.
Last edited by insignian (2022-02-23 02:56:59)
So I tried building the package from GitHub and I have the same issue. Are there any time settings in Arch that could affect the generation of the one-time codes?
edit: Timezones were the issue!
Last edited by insignian (2022-02-23 03:28:40)
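Why a wrong clock produces "wrong" codes, as an added example that is not part of the thread or of the google-authenticator project: a TOTP code is an HMAC over the UTC Unix time divided into 30-second steps, so the server and the phone only agree when their UTC clocks agree. The sketch assumes standard RFC 6238 parameters (SHA-1, 30 s, 6 digits) and a verifier that accepts one step either side; the secret is the RFC 6238 test key and the helper names are hypothetical.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per time step (RFC 6238 default)
# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code for a UTC Unix timestamp."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Accept codes from `window` steps either side of the server clock
    (assumed tolerance; the real verifier's window is configurable)."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + d * STEP), code)
        for d in range(-window, window + 1)
    )

def find_skew(secret_b32, code, server_time, max_steps=2880):
    """Diagnostic: nearest offset in seconds (within +/- 24 h) at which the
    code would have been valid, or None. A hint, since 6-digit codes repeat."""
    for n in range(max_steps + 1):
        for d in ((0,) if n == 0 else (n, -n)):
            if totp(secret_b32, server_time + d * STEP) == code:
                return d * STEP
    return None

if __name__ == "__main__":
    server = 1111111109            # constructed server clock (UTC seconds)
    phone = server + 3600          # phone clock one hour ahead
    code = totp(SECRET, phone)
    print("code accepted:", verify(SECRET, code, server))
    print("nearest matching offset (s):", find_skew(SECRET, code, server))
```

An offset near a whole number of hours points at a timezone or RTC misconfiguration on one side rather than a bad secret.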