
I'm trying to secure an outbound server with Google 2FA solution.

For the time being, I'm first configuring everything on a local Vagrant machine and once everything works as intended I'll run it as an Ansible playbook on the remote outbound machine.

I've configured /etc/ssh/sshd_config like so:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Match User rescue
    AuthenticationMethods publickey
Match Group gauth
    AuthenticationMethods publickey,keyboard-interactive

and /etc/pam.d/sshd like so:

auth required pam_google_authenticator.so nullok
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password

For some reason, users who are not members of the gauth group are able to log into the machine without supplying any password at all. Looking at the log, I see these lines:

Jun 15 13:35:57 vagrant-ubuntu-trusty-64 sshd[9836]: Accepted keyboard-interactive/pam for ubuntu from 10.0.2.2 port 55495 ssh2
Jun 15 13:35:57 vagrant-ubuntu-trusty-64 sshd[9836]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)

Since it's a Vagrant machine, it's important to mention that when I connect to the machine for testing, I run:

ssh localhost -p 2222 -l username

and not

vagrant ssh machine_name

I've also tried to edit /etc/ssh/sshd_config and edit the PermitRootLogin directive from "without-password" to "no" but to no avail.

I can still login automatically to the machine without supplying any password.

When I remove the "nullok" from the auth line in pam then no user can connect at all and the error message given is:

Permission denied (publickey,keyboard-interactive).

One more thing worth mentioning is that no SSH keys were exchanged between my host machine and my Vagrant machine.

Itai Ganot

1 Answer

For some reason, users which are not members of the gauth group are able to log into the machine without supplying any password at all

You removed the @include common-auth line from the start of the PAM stack, which takes care of normal authentication. If I am right, PAM checks all auth mechanisms in the PAM stack and if one of them "allows" the connection (pam_google_authenticator.so nullok obviously does), it allows the connection. It is out of the scope of OpenSSH to know how PAM authentication succeeded.

I've also tried to edit /etc/ssh/sshd_config and edit the PermitRootLogin directive from "without-password" to "no" but to no avail.

Did you try the root user? It should be denied.

When I remove the "nullok" from the auth line in pam then no user can connect at all

In this case, the only PAM authentication method was pam_google_authenticator.so (with the flag required), and if it failed, you are obviously rejected.

Using public key should work in this case though.

Jakuje
  • Correct. There is a single module in the `auth` stack for `sshd`, which is Google Authenticator. `nullok` results in the authentication check succeeding if that user has not set up a token. All is working as designed. – Andrew B Jun 16 '16 at 03:20
  • The documentation which I've found online said to comment the `@include common-auth` directive... so how can it be used without commenting it? – Itai Ganot Jun 20 '16 at 08:48
  • What documentation? If you don't comment it out, other authentication methods will be used if `pam_google_auth` fails (and if you do not use `required`) – Jakuje Jun 20 '16 at 09:16
  • @Itai I suspect you meant to say "someone's guide", not documentation. This PAM config only makes sense if you're setting a default policy of `AuthenticationMethods publickey,keyboard-interactive` in sshd, which would require someone to pass multiple authentication method checks before being granted access. This is an incredibly bad PAM configuration when `AuthenticationMethods` is operating with its default value. – Andrew B Jun 21 '16 at 19:01
  • @AndrewB: That's the configuration I'm trying to set. All users which are members of the "gauth" group must supply publickey+google authenticator otp, the users which are not in the "gauth" group are supposed to supply only publickey and the special user "rescue" should be able to log in using only a password or publickey+password. – Itai Ganot Jun 22 '16 at 07:42
  • @Itai There is no option in that configuration that sets a default `AuthenticationMethods` policy. If someone is not in those groups, there is nothing restricting them from using `keyboard-interactive`. Your borrowed PAM config is only intended for use on systems that require multiple SSH authentication methods to succeed, *which is not a default*. – Andrew B Jun 22 '16 at 07:50
  • @AndrewB, so what you're saying is that `AuthenticationMethods` should be set per match rule? If that's the case then I've tried it as well but to no avail... and this system which I'm configuring does require multiple SSH authentication methods... – Itai Ganot Jun 22 '16 at 08:12
  • I am saying that `AuthenticationMethods publickey` should be your default policy and not inside of a match rule, yes. I'm going to be stepping away from the Q&A at this point, the problem has been restated several times now. – Andrew B Jun 22 '16 at 14:21
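The two misconfigurations the answer and comments point at (no default `AuthenticationMethods` policy before the `Match` blocks, and an `auth` stack consisting only of `pam_google_authenticator.so nullok` with `@include common-auth` removed) can be checked mechanically. The script below is an added example, not code from the question or the answer; the file contents it audits are constructed to mirror the posted configuration and the variant Andrew B's comments recommend.

```shell
#!/bin/sh
# Added example (not from the question or answer above): audit an sshd_config and
# a /etc/pam.d/sshd for the gap discussed in the thread. Without a global
# AuthenticationMethods line, users outside the Match blocks may authenticate
# with keyboard-interactive alone, and an auth stack that is only
# "pam_google_authenticator.so nullok" (no @include common-auth) accepts any
# user who has not enrolled a token. Sample files are constructed below.

# Exit 0 if an AuthenticationMethods line appears before the first Match block,
# i.e. a default policy exists. sshd_config keywords are case-insensitive.
has_global_auth_methods() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "authenticationmethods" { found = 1 }
         END { exit !found }' "$1"
}

# Exit 0 if the PAM auth stack has pam_google_authenticator with nullok and no
# common-auth include, the combination that lets non-enrolled users in.
pam_nullok_without_common_auth() {
    awk '$1 == "auth" && /pam_google_authenticator\.so/ && /nullok/ { nullok = 1 }
         $1 == "@include" && $2 == "common-auth" { common = 1 }
         END { exit !(nullok && !common) }' "$1"
}

# Constructed sample inputs: the posted configuration, and a variant with the
# default AuthenticationMethods policy recommended in the comments.
write_samples() {
    printf 'UsePAM yes\nChallengeResponseAuthentication yes\nMatch User rescue\n    AuthenticationMethods publickey\nMatch Group gauth\n    AuthenticationMethods publickey,keyboard-interactive\n' > "$1/sshd_posted"
    printf 'UsePAM yes\nChallengeResponseAuthentication yes\nAuthenticationMethods publickey\nMatch Group gauth\n    AuthenticationMethods publickey,keyboard-interactive\n' > "$1/sshd_fixed"
    printf 'auth required pam_google_authenticator.so nullok\naccount required pam_nologin.so\n' > "$1/pam_posted"
    printf '@include common-auth\nauth required pam_google_authenticator.so nullok\n' > "$1/pam_fixed"
}

# Print a finding per file; arguments are an sshd_config path and a PAM file path.
audit() {
    if has_global_auth_methods "$1"; then echo "$1: default AuthenticationMethods set"
    else echo "$1: WARNING no default AuthenticationMethods; unmatched users may use keyboard-interactive alone"; fi
    if pam_nullok_without_common_auth "$2"; then echo "$2: WARNING nullok with no common-auth; non-enrolled users pass without a credential"
    else echo "$2: auth stack does not rely on nullok alone"; fi
}

d=$(mktemp -d); write_samples "$d"
audit "$d/sshd_posted" "$d/pam_posted"
audit "$d/sshd_fixed" "$d/pam_fixed"
rm -rf "$d"
```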