Multi Factor Authentication with SSH

From Coolscript

This is a howto for setting up MFA on SSH logins using the Google Authenticator PAM module.

Installation

  • Only one package needs to be installed:
apt install libpam-google-authenticator

Default Setup

  • Configuration /etc/pam.d/sshd

Put the following line underneath @include common-auth

auth required pam_google_authenticator.so
  • Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

NOTE that with this setup, users who log in with a public key bypass MFA entirely: sshd only runs the PAM auth stack for keyboard-interactive logins, so the verification code is never requested.

Enforce MFA together with public keys

  • Configuration /etc/pam.d/sshd, comment @include common-auth
#@include common-auth
auth required pam_google_authenticator.so


  • Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

NOTE that with this setup users still log in with their public key, but MFA still applies: the key is verified first and the verification code is requested afterwards.
Users without a public key cannot log in at all.

Setup the MFA client

  • Run google-authenticator

Attention: if you became root with sudo, watch the path: google-authenticator writes its configuration to /root/.google_authenticator, not to /home/userxyz/.google_authenticator. In that case copy the file into the user's home directory after the setup; the module expects it to be owned by that user and readable only by them (mode 0600).

  • Sample:
Do you want me to update your "/root/.google_authenticator" file? (y/n)
  • Sample configuration, /home/user/.google_authenticator
P4GNO3WIQR4G7BWUB5QLCGMFWY
" WINDOW_SIZE 17
" TOTP_AUTH
55363119
33447175
54957279
34932150
44659216

SSH Client configuration for jump hosts

  • ~/.ssh/config
Host target-server
 Hostname IP-OF-TARGET
 User username              # optional
 ProxyJump username@EXTERNAL-IP-OF-JUMP-SERVER
 IdentityFile ~/.ssh/id_rsa

Alternative methods

  • auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok (nullok lets users who have no ~/.google_authenticator yet log in without a second factor)
  • auth sufficient pam_google_authenticator.so (a correct code satisfies the auth stack on its own; a wrong code falls through to the remaining modules)
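The difference between the Default Setup and the enforced setup above, plus the effect of nullok, can be audited from the two config files. This is an added example, not part of the original page; it assumes the "Keyword value" form of sshd_config used on this page and the file paths passed as arguments.

```shell
# Added example: audit an sshd_config and the /etc/pam.d/sshd stack for the
# public-key MFA bypass described above.
# Usage: check_mfa_config SSHD_CONFIG PAM_SSHD   (returns 0 only when every login needs MFA)

# Effective value of an sshd_config keyword (lowercased). sshd honours the
# first uncommented occurrence; assumes the "Keyword value" form, not "Keyword=value".
sshd_kw() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }' "$1"
}

# True when an uncommented line of PAM file $1 matches regex $2.
pam_active() {
    grep -vE '^[[:space:]]*#' "$1" | grep -qE "$2"
}

check_mfa_config() {
    sshd_cfg=$1; pam_cfg=$2; rc=0
    if [ "$(sshd_kw "$sshd_cfg" UsePAM)" != "yes" ]; then
        echo "FAIL: UsePAM is not yes, so pam_google_authenticator never runs"; rc=1
    fi
    # keyboard-interactive defaults to on; only an explicit "no" disables it
    # (KbdInteractiveAuthentication is the newer name for the same setting)
    if [ "$(sshd_kw "$sshd_cfg" ChallengeResponseAuthentication)" = "no" ] ||
       [ "$(sshd_kw "$sshd_cfg" KbdInteractiveAuthentication)" = "no" ]; then
        echo "FAIL: keyboard-interactive authentication is disabled"; rc=1
    fi
    methods=$(sshd_kw "$sshd_cfg" AuthenticationMethods)
    if [ -z "$methods" ]; then
        echo "FAIL: AuthenticationMethods unset; a valid public key alone logs the user in"; rc=1
    fi
    # Every space-separated alternative must include the PAM step, or that path skips MFA
    for alt in $methods; do
        case "$alt" in
            *keyboard-interactive*) ;;
            *) echo "FAIL: method list '$alt' completes without keyboard-interactive"; rc=1 ;;
        esac
    done
    if ! pam_active "$pam_cfg" 'auth[[:space:]].*pam_google_authenticator\.so'; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam_cfg"; rc=1
    elif pam_active "$pam_cfg" 'pam_google_authenticator\.so.*nullok'; then
        echo "WARN: nullok lets users without ~/.google_authenticator skip the second factor"
    fi
    if pam_active "$pam_cfg" '^[[:space:]]*@include[[:space:]]+common-auth'; then
        echo "WARN: common-auth is still included; users get a password prompt and a code prompt"
    fi
    [ "$rc" -eq 0 ] && echo "OK: MFA is required for every SSH login"
    return "$rc"
}
```

Run it as `check_mfa_config /etc/ssh/sshd_config /etc/pam.d/sshd` after each change; the Default Setup reports FAIL on AuthenticationMethods, the enforced setup reports OK.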

Reference