
I'm trying to set up Google Authenticator (Google two-factor authentication).

The relevant files are:

[root@srv01 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth      required    pam_google_authenticator.so
auth      required    pam_sepermit.so
auth      include     password-auth
account   required    pam_nologin.so
account   include     password-auth
password  include     password-auth
# pam_selinux.so close should be the first session rule
session   required    pam_selinux.so close
session   required    pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session   required    pam_selinux.so open env_params
session   required    pam_namespace.so
session   optional    pam_keyinit.so force revoke
session   include     password-auth


[root@srv01 ~]# egrep -v '^#' /etc/ssh/sshd_config | sed '/^$/d'
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
UsePAM yes
Match Address 10.13.0.*
  PermitRootLogin yes
  PasswordAuthentication yes

Following the guides on the internet, in order to enable Google 2FA you need to edit /etc/pam.d/sshd and add this line:

auth      required    pam_google_authenticator.so

And then you need to edit /etc/ssh/sshd_config and change these lines as follows:

PasswordAuthentication no
ChallengeResponseAuthentication yes

In my case, Google 2FA works and allows the users who have configured google-authenticator to log in by providing both OTP and password, but when I try to connect as the root user from a machine on the same network my password is rejected (even though it's the correct password). When I try to connect to root@machine, the issue looks like this:

Using username "root".
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:

And in /var/log/secure:

sshd(pam_google_authenticator)[10990]: Failed to read "/root/.google_authenticator"

I never ran google-authenticator for the root user, so I don't know why it's looking for that file.

What I'm trying to achieve is as follows:

  1. I want "PermitRootLogin" to be set to "no" globally (when connecting to the server from the outside world), but set to "yes" if the remote machine's IP matches the rule which specifies the local network (as can be seen in the configuration file).

  2. I want the users who have configured Google 2FA to still be able to log in by providing both OTP and password.

It could be that the line in /etc/pam.d/sshd is misplaced, but I'm not sure where I should place it.

Does anyone know how to make it work with these rules?

Itai Ganot

1 Answer

You missed one small detail from the manual:

nullok

Allow users to log in without OTP, if they haven't set up OTP yet.

Your pam.d/sshd file should include this:

auth      required    pam_google_authenticator.so    nullok

If you don't use nullok, all users without the Google Authenticator setup will be locked out. With nullok, they can still log in without 2FA until they configure it.

ThoriumBR
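As an added example (not part of the question or the answer above): a small POSIX sh audit script that detects the lockout condition the answer describes, a pam_google_authenticator auth line without nullok combined with accounts that have no ~/.google_authenticator. The PAM file contents, user names and home directories it runs on are constructed for the demonstration.

```sh
#!/bin/sh
# Added audit helper, not from the question or answer above. Given a pam.d service
# file and "user:home" lines on stdin, it reports whether pam_google_authenticator
# is configured without nullok and which users have no ~/.google_authenticator,
# i.e. who will be locked out. The file contents and home directories are constructed.

# Print "nullok" if the pam_google_authenticator auth line carries nullok,
# "strict" if it does not, or "absent" if the module is not referenced at all.
ga_mode() {
    line=$(grep -v '^#' "$1" | grep -E '^auth[[:space:]]' \
           | grep 'pam_google_authenticator\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo absent
        return
    fi
    case " $line " in
        *" nullok "*) echo nullok ;;
        *)            echo strict ;;
    esac
}

# Read "user:homedir" lines on stdin; print the users lacking an OTP secret file.
users_without_otp() {
    while IFS=: read -r user home; do
        [ -f "$home/.google_authenticator" ] || echo "$user"
    done
}

# Demonstration on constructed input: the questioner's PAM line without nullok,
# root with no secret file, alice with one.
demo() {
    tmp=$(mktemp -d)
    printf '#%%PAM-1.0\nauth      required    pam_google_authenticator.so\n' > "$tmp/sshd"
    mkdir -p "$tmp/root" "$tmp/alice"
    echo 'CONSTRUCTED-PLACEHOLDER-SECRET' > "$tmp/alice/.google_authenticator"
    mode=$(ga_mode "$tmp/sshd")
    missing=$(printf 'root:%s\nalice:%s\n' "$tmp/root" "$tmp/alice" | users_without_otp)
    rm -rf "$tmp"
    if [ "$mode" = strict ] && [ -n "$missing" ]; then
        echo "LOCKOUT RISK: no nullok, and these users have no OTP secret: $missing"
    else
        echo "mode=$mode missing=${missing:-none}"
    fi
}

demo
```

Run it against the real /etc/pam.d/sshd and a "user:home" list from getent passwd to see which accounts the current configuration would lock out before enforcing it.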