I'm trying to make sshd only accept public key auth with 2FA (Google) required in addition. Public key works but I just don't get any 2FA challenge. Any ideas? Here's what I've done so far:
$ sudo pacman -S libpam-google-authenticator
$ google-authenticator
Authenticator setup worked ok with my phone.
$ sudo nano /etc/pam.d/sshd
#%PAM-1.0
auth required pam_securetty.so
auth required pam_google_authenticator.so
#auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
$ sudo nano /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
AllowGroups mygroup
AllowUsers myname
AuthenticationMethods publickey
KbdInteractiveAuthentication yes
MaxAuthTries 6
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/lib/ssh/sftp-server
$ sudo systemctl restart sshd
Docs seem to suggest adding keyboard-interactive:pam into AuthenticationMethods but journal says it's not supported:
$ sudo journalctl -xeu sshd.service
Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive:pam"
AuthenticationMethods cannot be satisfied by enabled authentication methods
Last edited by yallu (2024-11-04 07:10:24)
Offline
The AM line should look like this:
AuthenticationMethods publickey,keyboard-interactive
I'm not an expert on PAM but replacing the elaborate recursive "system-remote-login" with two simple "auth" lines seems harsh.
Have you tried just adding "auth required pam_google_authenticator.so" after the default "auth" line?
Offline
This:
AuthenticationMethods publickey,keyboard-interactive
With:
auth include system-remote-login
auth required pam_google_authenticator.so
account include system-remote-login
password include system-remote-login
session include system-remote-login
Did not work, log says:
Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive"
AuthenticationMethods cannot be satisfied by enabled authentication methods
I've been trying to follow https://wiki.archlinux.org/title/OpenSSH#Protection but I haven't been able to make either keyboard-interactive or keyboard-interactive:pam work.
Offline
There is a snag under Arch: In "/etc/ssh/sshd_config.d" is a file "99-archlinux.conf" which disables "KbdInteractiveAuthentication".
Offline
Aaah... I missed the order of precedence... Thought that my configs after the Include in main config file would overwrite whatever was in sshd_config.d. But it's the other way around.
This works now:
/etc/ssh/sshd_config.d/99-archlinux-myconfig.conf:
AllowGroups mygroup
AllowUsers myname
AuthenticationMethods publickey,keyboard-interactive:pam
KbdInteractiveAuthentication yes
MaxAuthTries 6
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
UsePAM yes
/etc/pam.d/sshd:
#%PAM-1.0
#auth required pam_securetty.so
auth required pam_google_authenticator.so
#auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
I had to comment out "auth include system-remote-login" to stay with public key auth only and no password (otherwise a password was also prompted).
Thank you for the help.
Offline
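The precedence issue this thread ran into, as an added example that is not part of any post: a small resolver that shows which file supplies the effective value of a global sshd_config keyword when an Include sits at the top of the main file. The function names walk_config and effective are hypothetical, and the parsing is simplified as listed in the comments.

```shell
#!/bin/sh
# Added example (not from the thread). Resolves a global sshd_config keyword
# the way the thread found sshd does: the first value read wins, and an
# Include is read at the point where it appears.
# Assumptions: whitespace-separated "Keyword value" lines, one pattern per
# Include, parsing stops at the first Match block, glob matches in byte order.

# walk_config FILE BASEDIR: print "keyword<TAB>value<TAB>file" in read order.
walk_config() {
    local file="$1" base="$2" key val inc
    [ -r "$file" ] || return 0
    while read -r key val || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            match) break ;;
            include)
                # Relative Include paths are taken relative to BASEDIR.
                case $val in /*) ;; *) val=$base/$val ;; esac
                for inc in $val; do        # unquoted on purpose: expand the glob
                    walk_config "$inc" "$base"
                done ;;
            *) printf '%s\t%s\t%s\n' "$key" "$val" "$file" ;;
        esac
    done < "$file"
}

# effective KEYWORD MAIN_CONFIG [BASEDIR]: print "value<TAB>file" of the winner.
effective() {
    local want
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    { LC_ALL=C; walk_config "$2" "${3:-/etc/ssh}"; } |
        awk -F'\t' -v k="$want" '$1 == k && !seen { print $2 "\t" $3; seen = 1 }'
}
```

Run as `effective KbdInteractiveAuthentication /etc/ssh/sshd_config` after sourcing the file. On a live host, `sudo sshd -T` prints the configuration sshd itself resolved and is the authoritative check.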