Multi Factor Authentication with SSH: Difference between revisions
Line 6: | Line 6: | ||
=Default Setup= | =Default Setup= | ||
*Configuration /etc/pam.d/sshd | *Configuration /etc/pam.d/sshd | ||
Put the following sting underneath of @include common-auth | Put the following sting underneath of '''@include common-auth''' | ||
auth required pam_google_authenticator.so | auth required pam_google_authenticator.so | ||
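Review bot: The changed line under Default Setup still reads "Put the following sting underneath of"; since the line is being touched anyway, fix it to "Put the following line below '''@include common-auth'''".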
Line 16: | Line 16: | ||
'''NOTE''' that this setup will allow users to bypass the MFA setup when using '''public keys''' | '''NOTE''' that this setup will allow users to bypass the MFA setup when using '''public keys''' | ||
=Enforce MFA together with public keys= | |||
*Configuration /etc/pam.d/sshd, comment '''@include common-auth''' | |||
#@include common-auth | |||
auth required pam_google_authenticator.so | |||
*Configuration /etc/ssh/sshd_config | |||
LogLevel DEBUG3 | |||
PasswordAuthentication no | |||
ChallengeResponseAuthentication yes | |||
UsePAM yes | |||
'''AuthenticationMethods publickey,keyboard-interactive''' |
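Review bot: The sshd_config block added under "Enforce MFA together with public keys" keeps LogLevel DEBUG3, which is a troubleshooting level and very verbose; the section should say to return to the normal log level once the login flow works. The added PAM step also comments out @include common-auth, which removes the password prompt, so the two factors become the key and the verification code; that is worth stating next to the AuthenticationMethods line.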
Revision as of 11:56, 23 December 2020
This is a how-to for setting up MFA for SSH using Google Authenticator.
Installation
- Only one package needs to be installed:
apt install libpam-google-authenticator
Default Setup
- Configuration /etc/pam.d/sshd
Put the following line below @include common-auth
auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
NOTE: this setup lets users bypass MFA when they log in with public keys, because sshd does not run the PAM auth stack after a successful public-key authentication.
Enforce MFA together with public keys
- Configuration /etc/pam.d/sshd, comment out @include common-auth
#@include common-auth
auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
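The following check is an added example, not part of the original wiki page: it audits the text of the two files configured above and reports anything that would let a login succeed without both the key and the verification code. The function names are hypothetical, the sample inputs are constructed from the two setups on this page, and it assumes only global sshd_config options matter (Match blocks are ignored).

```python
def sshd_globals(text):
    """Global sshd_config options; sshd keeps the first value seen for a keyword."""
    opts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        if fields[0].lower() == "match":  # Match blocks are out of scope for this check
            break
        opts.setdefault(fields[0].lower(), fields[1].strip() if len(fields) > 1 else "")
    return opts

def totp_lines(pam_text):
    """Argument lists of uncommented 'auth required|requisite pam_google_authenticator.so' lines."""
    hits = []
    for raw in pam_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if f[:1] == ["auth"] and len(f) >= 3 and f[1] in ("required", "requisite") \
                and f[2] == "pam_google_authenticator.so":
            hits.append(f[3:])
    return hits

def audit(sshd_text, pam_text):
    """Return findings; an empty list means every login needs a key and a TOTP code."""
    o, findings = sshd_globals(sshd_text), []
    if o.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes'")
    # KbdInteractiveAuthentication is the newer OpenSSH name for ChallengeResponseAuthentication
    kbd = o.get("kbdinteractiveauthentication", o.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive authentication is disabled")
    # A user only has to complete ONE of the space-separated lists, so each must hold both methods
    for lst in o.get("authenticationmethods", "any").split():
        methods = {m.split(":", 1)[0] for m in lst.split(",")}
        if not {"publickey", "keyboard-interactive"} <= methods:
            findings.append(f"AuthenticationMethods list '{lst}' does not require key + keyboard-interactive")
    lines = totp_lines(pam_text)
    if not lines:
        findings.append("pam_google_authenticator.so is not required in the PAM auth stack")
    if any("nullok" in args for args in lines):
        findings.append("nullok lets users without an enrolled secret skip the code")
    return findings

# Constructed sample inputs, copied from the two setups described on this page.
PAM_DEFAULT = "@include common-auth\nauth required pam_google_authenticator.so\n"
PAM_ENFORCED = "#@include common-auth\nauth required pam_google_authenticator.so\n"
SSHD_DEFAULT = "LogLevel DEBUG3\nPasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
SSHD_ENFORCED = SSHD_DEFAULT + "AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    for name, cfg, pam in (("default", SSHD_DEFAULT, PAM_DEFAULT), ("enforced", SSHD_ENFORCED, PAM_ENFORCED)):
        print(name, audit(cfg, pam) or "OK")
```

On a live host, pass it the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd; the Default Setup is reported because, without AuthenticationMethods, any single method (including a public key alone) is enough.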