Multi Factor Authentication with SSH
		
		
		
		Jump to navigation
		Jump to search
		
Latest revision as of 12:20, 23 December 2020
This howto sets up MFA for SSH logins using the Google Authenticator PAM module (pam_google_authenticator), so that a login requires a public key plus a time-based one-time code.
Installation
- Only one package is required:
apt install libpam-google-authenticator
Default Setup
- Configuration /etc/pam.d/sshd
Put the following line underneath @include common-auth:
auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
On OpenSSH 8.7 and later the directive is called KbdInteractiveAuthentication; ChallengeResponseAuthentication is still accepted as a deprecated alias. LogLevel DEBUG3 is only for troubleshooting the PAM conversation; set it back to INFO (the default) once logins work, because the debug levels log far more about users and sessions than a production host should keep.
NOTE that this setup still allows users to bypass MFA entirely when they authenticate with a public key: without AuthenticationMethods, sshd accepts a successful publickey method on its own and never runs the keyboard-interactive (PAM) step. The code is only asked for when no key is offered.
Enforce MFA together with public keys
- Configuration /etc/pam.d/sshd, comment out @include common-auth so that the Unix password is not asked for in addition to the code:
#@include common-auth
auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
NOTE that with AuthenticationMethods set this way sshd requires both methods in this order: the public key first, then the keyboard-interactive step, which is where PAM asks for the verification code. Users without an authorized public key cannot log in at all, and a stolen key alone is not enough either.
Before restarting sshd, check the values it will actually use, and keep an existing session open while you test a fresh login in a second terminal:
sudo sshd -t
sudo sshd -T | grep -iE 'authenticationmethods|usepam|challengeresponse|kbdinteractive|passwordauthentication'
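The difference between the two setups above comes down to a handful of sshd_config and pam.d/sshd lines, so it is easy to audit mechanically. The following is an added example and not code from the page or from OpenSSH: it parses an sshd_config and a PAM service file the way sshd and PAM read them (first value of a directive wins, comments ignored) and reports every login path that never reaches the verification-code prompt. The directive defaults are upstream OpenSSH defaults, Match blocks are out of scope, and the sample configurations are constructed to mirror the two setups on this page; on a real host compare the result against sudo sshd -T.

```python
"""Audit an sshd_config / pam.d/sshd pair for the "public key bypasses MFA" gap.

Added example, not from the wiki page or OpenSSH. It models, for the
directives used on the page, how sshd decides whether the PAM
(google-authenticator) step runs in addition to the public key.
sshd itself is the authority: compare with `sshd -T` on the real host.
Match blocks are not modelled.
"""
import re

# Upstream compiled-in defaults for the directives we look at (distribution
# configs usually ship UsePAM yes, but the upstream default is no).
SSHD_DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
}


def parse_sshd_config(text):
    """Flatten sshd_config into {lowercase directive: lowercase value}.

    sshd keeps the FIRST value it sees for a directive, so a duplicate further
    down does not override an earlier one. ChallengeResponseAuthentication is
    the pre-8.7 name of KbdInteractiveAuthentication and is folded into it.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":  # per-user/host overrides: out of scope here
            break
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        conf.setdefault(key, value)
    return conf


def active_pam_lines(text):
    """Non-empty, non-comment lines of a PAM service file."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def audit_mfa(sshd_text, pam_text):
    """Return (severity, message) findings.

    'bypass' means some login path never reaches the verification-code prompt.
    """
    conf = {**SSHD_DEFAULTS, **parse_sshd_config(sshd_text)}
    pam = active_pam_lines(pam_text)
    findings = []

    totp = [l for l in pam if "pam_google_authenticator.so" in l]
    if not totp:
        findings.append(("bypass", "no active pam_google_authenticator.so line in pam.d/sshd"))
    elif any("nullok" in l for l in totp):
        findings.append(("warn", "nullok: users without ~/.google_authenticator skip the code prompt"))

    if conf["usepam"] != "yes":
        findings.append(("bypass", "UsePAM is not yes, so PAM modules never run"))
    if conf["kbdinteractiveauthentication"] != "yes":
        findings.append(("bypass", "keyboard-interactive is disabled, so PAM cannot prompt for the code"))

    methods = conf["authenticationmethods"]
    if methods == "any":
        findings.append(("bypass", "AuthenticationMethods unset: a public key alone completes the login"))
    else:
        # Space separates alternatives, comma separates methods required in
        # sequence: MFA holds only if EVERY alternative includes keyboard-interactive.
        for alt in methods.split():
            if "keyboard-interactive" not in alt.split(","):
                findings.append(("bypass", f"AuthenticationMethods alternative '{alt}' never reaches PAM"))

    if conf["passwordauthentication"] == "yes":
        findings.append(("warn", "PasswordAuthentication yes: keep it off so a guessed password can never stand in for the key"))
    if methods != "any" and any(l.startswith("@include common-auth") for l in pam):
        findings.append(("info", "common-auth still included: keyboard-interactive asks for the Unix password as well as the code"))
    return findings


def mfa_enforced(sshd_text, pam_text):
    """True when no 'bypass' finding exists."""
    return not any(sev == "bypass" for sev, _ in audit_mfa(sshd_text, pam_text))


# Constructed inputs mirroring the page's "Default Setup" and "Enforce MFA" sections.
DEFAULT_SSHD = """
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""
DEFAULT_PAM = "@include common-auth\nauth required pam_google_authenticator.so\n"
ENFORCED_SSHD = DEFAULT_SSHD + "AuthenticationMethods publickey,keyboard-interactive\n"
ENFORCED_PAM = "#@include common-auth\nauth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    for name, s, p in [("default", DEFAULT_SSHD, DEFAULT_PAM), ("enforced", ENFORCED_SSHD, ENFORCED_PAM)]:
        print(f"{name}: MFA enforced = {mfa_enforced(s, p)}")
        for sev, msg in audit_mfa(s, p):
            print(f"  [{sev}] {msg}")
```

The important check is the AuthenticationMethods one: a space-separated list such as "publickey keyboard-interactive" looks similar to the comma form but means either method on its own is enough, which is exactly the bypass the default setup has.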
Set up the MFA client
- Run google-authenticator as the user who will log in
Attention: if you run google-authenticator as root via sudo, watch the path. The tool writes its configuration into the home directory of the user it runs as, i.e. /root/.google_authenticator, while /home/userxyz/.google_authenticator is never created, and the PAM module looks for the file in the home directory of the user who is logging in. Either run google-authenticator as that user without sudo, or copy the file into the user's home afterwards and hand it over to the user; the module refuses a file that is readable by group or others:
cp /root/.google_authenticator /home/userxyz/.google_authenticator
chown userxyz: /home/userxyz/.google_authenticator
chmod 400 /home/userxyz/.google_authenticator
Then remove the copy under /root, which would otherwise act as root's own MFA secret.
- Sample:
Do you want me to update your "/root/.google_authenticator" file? (y/n)
- Sample configuration, /home/user/.google_authenticator
P4GNO3WIQR4G7BWUB5QLCGMFWY
" WINDOW_SIZE 17
" TOTP_AUTH
55363119
33447175
54957279
34932150
44659216
The first line is the base32 secret (the same value the QR code carries to the phone). Lines starting with " are options: TOTP_AUTH selects time-based codes, and WINDOW_SIZE 17 accepts the current code plus 8 codes before and after it, i.e. about 4 minutes of clock skew (the default is 3: previous, current and next code). The 8-digit numbers are emergency scratch codes; each one is accepted once and removed from the file when used. Treat this file like a private key, and never reuse a secret that has been published, including the sample above.
SSH Client configuration for jump hosts
- ~/.ssh/config
Host target-server
  Hostname IP-OF-TARGET
  User username (optional)
  ProxyJump username@EXTERNAL-IP-OF-JUMP-SERVER
  IdentityFile ~/.ssh/id_rsa
With ProxyJump the client first authenticates to the jump server and then authenticates to the target itself through the forwarded connection, so the private key stays on the client and no agent forwarding is needed. If both hosts run the setup above you are prompted for a verification code twice, once per host, and the user needs a ~/.google_authenticator on each of them.
Alternative methods
The setup above uses auth required pam_google_authenticator.so; these variants change what happens on success or failure:
- auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
  success=done ends the auth stack with success as soon as the code is accepted, and default=die fails the stack immediately on a wrong code. nullok lets a user who has no ~/.google_authenticator file yet log in without a code, which is convenient during rollout but is an MFA bypass for every account you forget to enrol; remove it once everyone has a file.
- auth sufficient pam_google_authenticator.so
  sufficient means a correct code satisfies the stack on its own and skips the modules below it (for example the password check in common-auth, if it is still included), while a wrong code simply falls through to them.
Reference
- https://ubuntu.com/tutorials/configure-ssh-2fa#2-installing-and-configuring-required-packages
- https://serverfault.com/questions/629883/trying-to-get-ssh-with-public-key-no-password-google-authenticator-working-o
- https://www.techrepublic.com/article/how-to-combine-ssh-key-authentication-and-two-factor-authentication-on-linux/