Multi Factor Authentication with SSH
Latest revision as of 12:20, 23 December 2020
This is a howto for setting up MFA for SSH using the Google Authenticator PAM module.
Installation
- Only one package needs to be installed:
apt install libpam-google-authenticator
Default Setup
- Configuration /etc/pam.d/sshd
Put the following line underneath @include common-auth
auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
NOTE that this setup will allow users to bypass MFA when using public keys: without AuthenticationMethods, a successful public-key authentication is sufficient on its own and never reaches the PAM auth stack.
Enforce MFA together with public keys
- Configuration /etc/pam.d/sshd, comment @include common-auth
#@include common-auth
auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
NOTE that this setup will still allow users to log in using public keys, but MFA applies as well.
Users without a public key cannot log in.
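An audit script for the setup just described (an added example, not code from the original page): it checks the effective sshd settings as printed by `sshd -T` and the /etc/pam.d/sshd text, so that the public-key bypass noted under "Default Setup" cannot silently return. The `sshd -T` and PAM samples are constructed inline; `check_sshd_config` and `check_pam_sshd` are names chosen here.

```shell
# Audit helper for the "Enforce MFA together with public keys" section above
# (added example, not from the original page). Inputs are the `sshd -T` output
# (lowercase keys) and the /etc/pam.d/sshd text, passed as strings so it runs
# offline on the constructed samples below; in production use "$(sshd -T)".

# check_sshd_config SSHD_T_OUTPUT -> 0 only if every login needs pubkey + MFA
check_sshd_config() {
    out="$1"; fail=0
    printf '%s\n' "$out" | grep -qx 'usepam yes' || { echo "usepam must be yes"; fail=1; }
    printf '%s\n' "$out" | grep -qx 'passwordauthentication no' \
        || { echo "passwordauthentication must be no"; fail=1; }
    # Newer OpenSSH prints kbdinteractiveauthentication instead of challengeresponseauthentication.
    printf '%s\n' "$out" | grep -qxE '(challengeresponseauthentication|kbdinteractiveauthentication) yes' \
        || { echo "keyboard-interactive authentication must be yes"; fail=1; }
    # Alternatives are space-separated, required methods comma-separated; unset prints "any".
    methods=$(printf '%s\n' "$out" | sed -n 's/^authenticationmethods //p')
    for alt in ${methods:-any}; do
        case ",$alt," in
            *,publickey,*keyboard-interactive,*|*,keyboard-interactive,*publickey,*) ;;
            *) echo "method list '$alt' does not require publickey AND keyboard-interactive"; fail=1 ;;
        esac
    done
    return $fail
}

# check_pam_sshd PAM_TEXT -> 0 only if the OTP module is required and the
# Unix password stack (@include common-auth) is commented out as on the page
check_pam_sshd() {
    pam="$1"; fail=0
    printf '%s\n' "$pam" | grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' \
        || { echo "pam_google_authenticator.so is not 'auth required'"; fail=1; }
    if printf '%s\n' "$pam" | grep -qE '^[[:space:]]*@include[[:space:]]+common-auth'; then
        echo "@include common-auth is still active"; fail=1
    fi
    return $fail
}

# Constructed sample of `sshd -T` output after the page's sshd_config changes.
SAMPLE_SSHD_T='port 22
usepam yes
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'
# Constructed /etc/pam.d/sshd following the page's "Enforce MFA" section.
SAMPLE_PAM='#@include common-auth
auth required pam_google_authenticator.so
@include common-account'

check_sshd_config "$SAMPLE_SSHD_T" && check_pam_sshd "$SAMPLE_PAM" && echo "OK: public key + OTP enforced"
```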
Setup the MFA client
- Run google-authenticator
Attention: if you became root using sudo, watch the path versus the user's home path,
because the authenticator writes its config to /root while /home/userxyz is omitted. In that case, copy
the configuration into your home directory after the setup.
- Sample:
Do you want me to update your "/root/.google_authenticator" file? (y/n)
- Sample configuration, /home/user/.google_authenticator
P4GNO3WIQR4G7BWUB5QLCGMFWY
" WINDOW_SIZE 17
" TOTP_AUTH
55363119
33447175
54957279
34932150
44659216
SSH Client configuration for jump hosts
- ~/.ssh/config
Host target-server
Hostname IP-OF-TARGET
User username (optional)
ProxyJump username@EXTERNAL-IP-OF-JUMP-SERVER
IdentityFile ~/.ssh/id_rsa
Alternative methods
- auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
- auth sufficient pam_google_authenticator.so