Multi Factor Authentication with SSH: Difference between revisions
Jump to navigation
Jump to search
| Line 32: | Line 32: | ||
NOTE that this setup will allow users to login using public keys but MFA will still apply. <br> | NOTE that this setup will allow users to login using public keys but MFA will still apply. <br> | ||
Users without a public key cannot login | Users without a public key cannot login | ||
=Alternative methods= | |||
* auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok | |||
* auth sufficient pam_google_authenticator.so | |||
Revision as of 12:01, 23 December 2020
This is howto setup MFA using the Google Authenticator.
Installation
- Only one package is required to install:
apt install libpam-google-authenticator
Default Setup
- Configuration /etc/pam.d/sshd
Put the following sting underneath of @include common-auth
auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3 PasswordAuthentication no ChallengeResponseAuthentication yes UsePAM yes
NOTE that this setup will allow users to bypass the MFA setup when using public keys
Enforce MFA together with public keys
- Configuration /etc/pam.d/sshd, comment @include common-auth
#@include common-auth auth required pam_google_authenticator.so
- Configuration /etc/ssh/sshd_config
LogLevel DEBUG3 PasswordAuthentication no ChallengeResponseAuthentication yes UsePAM yes AuthenticationMethods publickey,keyboard-interactive
NOTE that this setup will allow users to login using public keys but MFA will still apply.
Users without a public key cannot login
Alternative methods
* auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
* auth sufficient pam_google_authenticator.so