Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2FA/MFA for SSH does not work as described #74

Open
B1ack3ye opened this issue Oct 16, 2021 · 5 comments
Open

2FA/MFA for SSH does not work as described #74

B1ack3ye opened this issue Oct 16, 2021 · 5 comments
Assignees
@imthenachoman

Comments

@B1ack3ye
Copy link

I followed the instructions step by step and it did not work for me at the beginning.

My solution how it works for me:
In the file /etc/ssh/sshd_config I had to add AuthenticationMethods publickey,keyboard-interactive

And I removed the nullok in the file /etc/pam.d/sshd.
But I don't know if this is necessary.
@imthenachoman imthenachoman self-assigned this Jan 16, 2022
@imthenachoman
Copy link
Owner

Humm. What distribution are you on? I do not recall having this issue.

@Mondei1
Copy link

Mondei1 commented May 6, 2022

In my case the 2FA doesn't work. SSH just skips that part entirely.

Basically, I type in ssh user@host, I enter my password and it drops me into the shell instantly without asking me for a 2FA code. The suggestions by @B1ack3ye don't help in my case. My /etc/ssh/sshd_config is the exact same as described in the README and I also added that line into the PAM config. Is it maybe because the request comes from the inside of the network?

Distro: Ubuntu 22.04 (Desktop version, inside VM)

@igormuba
Copy link

igormuba commented Jul 5, 2022

Same. The configurations allow me to connect without 2FA.
If I add the line AuthenticationMethods publickey,keyboard-interactive then the issue is that the 2FA code does not work, the code is right, I left the flexible settings on the authenticator, but codes don't work.

@AngeloThys
Copy link

As stated in the guide, the steps don't set up MFA to work with public key authentication.

However, the guide states that in the 'documentation' it should be specified, this is not the case:
there is no information about setting up 2FA/MFA with public key authentication, neither on the repo nor in the manual.

My opinion is that, since we're setting up SSH to only use public key authentication, this setup should a) be provided as alternative steps, or b) not provided.

@AngeloThys
Copy link

Steps For Public Key + TOTP MFA

Modify PAM's SSH configuration file to enable MFA

Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so nullok

This line states that MFA is required for SSH login,
unless MFA has not been set up yet for the user.

Comment out the following lines in /etc/pam.d/sshd:

# We only want PAM to handle MFA, not password auth
# Standard Un*x authentication.
# @include common-auth

# As stated before, PAM will not handle password auth
# Standard Un*x password updating.
# @include common-password

Modify sshd_config to enable MFA

Add the following line to /etc/ssh/sshd_config:

# Explicitly set public key authentication
PubkeyAuthentication yes

# Activate keyboard authentication to be able to enter our TOTP
KbdInteractiveAuthentication yes

# Set authentication methods
AuthenticationMethods publickey,keyboard-interactive:pam

# Activate PAM to be able to use google auth pam module
UsePAM yes

Restart the SSH service

sudo systemctl restart sshd

This configuration will require us to have a private key,
and a TOTP MFA code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@imthenachoman imthenachoman

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@imthenachoman @igormuba @Mondei1 @B1ack3ye @AngeloThys