Multi Factor Authentication with SSH

From Coolscript

Revision as of 12:02, 23 December 2020 by Admin (talk | contribs) (→‎Reference)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

This is howto setup MFA using the Google Authenticator.

Installation

Only one package is required to install:

apt install libpam-google-authenticator

Default Setup

Configuration /etc/pam.d/sshd

Put the following sting underneath of @include common-auth

auth required pam_google_authenticator.so

Configuration /etc/ssh/sshd_config

LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

NOTE that this setup will allow users to bypass the MFA setup when using public keys

Enforce MFA together with public keys

Configuration /etc/pam.d/sshd, comment @include common-auth

#@include common-auth
auth required pam_google_authenticator.so

Configuration /etc/ssh/sshd_config

LogLevel DEBUG3
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

NOTE that this setup will allow users to login using public keys but MFA will still apply.
Users without a public key cannot login

Alternative methods

auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok

auth sufficient pam_google_authenticator.so

Reference

https://ubuntu.com/tutorials/configure-ssh-2fa#2-installing-and-configuring-required-packages

'https://serverfault.com/questions/629883/trying-to-get-ssh-with-public-key-no-password-google-authenticator-working-o
'https://www.techrepublic.com/article/how-to-combine-ssh-key-authentication-and-two-factor-authentication-on-linux/

Retrieved from "https://coolscript.org/index.php?title=Multi_Factor_Authentication_with_SSH&oldid=246"