Multi Factor Authentication with SSH: Difference between revisions

From Coolscript
Jump to navigation Jump to search
Line 29: Line 29:
  UsePAM yes
  UsePAM yes
  '''AuthenticationMethods publickey,keyboard-interactive'''
  '''AuthenticationMethods publickey,keyboard-interactive'''
NOTE that this setup will allow users to login using public keys but MFA will still apply. <br>
Users without a public key cannot login

Revision as of 11:57, 23 December 2020

This is howto setup MFA using the Google Authenticator.

Installation

  • Only one package is required to install:
apt install libpam-google-authenticator

Default Setup

  • Configuration /etc/pam.d/sshd

Put the following sting underneath of @include common-auth 

auth required pam_google_authenticator.so
  • Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

NOTE that this setup will allow users to bypass the MFA setup when using public keys

Enforce MFA together with public keys

  • Configuration /etc/pam.d/sshd, comment @include common-auth
#@include common-auth
auth required pam_google_authenticator.so


  • Configuration /etc/ssh/sshd_config
LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

NOTE that this setup will allow users to login using public keys but MFA will still apply.
Users without a public key cannot login

Retrieved from "https://coolscript.org/index.php?title=Multi_Factor_Authentication_with_SSH&oldid=242"