Multi Factor Authentication with SSH: Difference between revisions

From Coolscript
Jump to navigation Jump to search
 
(2 intermediate revisions by the same user not shown)
Line 32: Line 32:
NOTE that this setup will allow users to login using public keys but MFA will still apply. <br>
NOTE that this setup will allow users to login using public keys but MFA will still apply. <br>
Users without a public key cannot login
Users without a public key cannot login
=Setup the MFA client=
*Run google-authenticator
'''Attention:''' When you became root using sudo the watch then consider the path vs user home path.<BR>
because the authenticator writes it's config in /root while /home/userxyz is ommited. If then copy<BR>
the configuration in your home dir after the setup.
*Sample:
Do you want me to update your "'''/root/.google_authenticator'''" file? (y/n)
*Sample configuration, home/user/.google_authenticator
P4GNO3WIQR4G7BWUB5QLCGMFWY
" WINDOW_SIZE 17
" TOTP_AUTH
55363119
33447175
54957279
34932150
44659216
=SSH Client configuration for jump hosts=
*~/.ssh/config
Host target-server
  Hostname IP-OF-TARGET
  User username (optional)
  ProxyJump username@EXTERNAL-IP-OF-JUMP-SERVER
  IdentityFile ~/.ssh/id_rsa


=Alternative methods=
=Alternative methods=
Line 42: Line 71:


*https://ubuntu.com/tutorials/configure-ssh-2fa#2-installing-and-configuring-required-packages<br>
*https://ubuntu.com/tutorials/configure-ssh-2fa#2-installing-and-configuring-required-packages<br>
'https://serverfault.com/questions/629883/trying-to-get-ssh-with-public-key-no-password-google-authenticator-working-o<br>
*https://serverfault.com/questions/629883/trying-to-get-ssh-with-public-key-no-password-google-authenticator-working-o<br>
'https://www.techrepublic.com/article/how-to-combine-ssh-key-authentication-and-two-factor-authentication-on-linux/<br>
*https://www.techrepublic.com/article/how-to-combine-ssh-key-authentication-and-two-factor-authentication-on-linux/<br>

Latest revision as of 12:20, 23 December 2020

This is howto setup MFA using the Google Authenticator.

Installation

  • Only one package is required to install:
apt install libpam-google-authenticator

Default Setup

  • Configuration /etc/pam.d/sshd

Put the following sting underneath of @include common-auth

auth required pam_google_authenticator.so
  • Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

NOTE that this setup will allow users to bypass the MFA setup when using public keys

Enforce MFA together with public keys

  • Configuration /etc/pam.d/sshd, comment @include common-auth
#@include common-auth
auth required pam_google_authenticator.so


  • Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

NOTE that this setup will allow users to login using public keys but MFA will still apply.
Users without a public key cannot login

Setup the MFA client

  • Run google-authenticator

Attention: When you became root using sudo the watch then consider the path vs user home path.
because the authenticator writes it's config in /root while /home/userxyz is ommited. If then copy
the configuration in your home dir after the setup.

  • Sample:
Do you want me to update your "/root/.google_authenticator" file? (y/n)
  • Sample configuration, home/user/.google_authenticator
P4GNO3WIQR4G7BWUB5QLCGMFWY
" WINDOW_SIZE 17
" TOTP_AUTH
55363119
33447175
54957279
34932150
44659216

SSH Client configuration for jump hosts

  • ~/.ssh/config
Host target-server
 Hostname IP-OF-TARGET
 User username (optional)
 ProxyJump username@EXTERNAL-IP-OF-JUMP-SERVER
 IdentityFile ~/.ssh/id_rsa

Alternative methods

  • auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
  • auth sufficient pam_google_authenticator.so

Reference