0

I am trying to setup MFA on RHEL 7 and running into a chicken and egg problem. If I enable MFA in pam you can't login to setup your .google-authenticator file. I understand that the nullok option in pam should allow this to work and pass through but I am not having any luck. End goal is publickey ssh access with optional MFA. Note: MFA works fine if I create the .google-authenticator file before enabling pam module.

# ssh client debug *snip*
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.

# secure log
Sep 29 09:44:28 ip-xxxxxx sshd(pam_google_authenticator)[9502]: debug: start of google_authenticator for "ec2-user"
Sep 29 09:44:28 ip-xxxxxx sshd[9500]: error: PAM: Permission denied for ec2-user from xxxxxxxxxxxx


# /etc/pam.d/sshd
#%PAM-1.0
auth       required pam_sepermit.so
#auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in 
the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
auth required pam_google_authenticator.so nullok debug


# /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp  /usr/libexec/openssh/sftp-server
AuthenticationMethods publickey,keyboard-interactive
MFG
  • 1
  • 1

1 Answers1

1

I'm no pam expert, but your pam config doesn't look right for google auth.

This is my file with nullok added.

cat /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       requisite    pam_google_authenticator.so forward_pass nullok

auth       required     pam_sss.so use_first_pass
#auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Second, your ssh config is requesting BOTH sshkey AND password you want a space, not a comma

  AuthenticationMethods "publickey" "password"

if you used kerberos + putty-cac, you could do SSO MFA with google auth mfa backup.

AuthenticationMethods "publickey,gssapi-with-mic" "password"

If I understand your question correctly, you should remove nullok, and replace that comma with a space in your AuthenticationMethods config option. Which would allow publickey authentication without a password, or a password with google auth, but NOT a password without google auth.

Jacob Evans
  • 7,636
  • 3
  • 25
  • 55
  • Thanks for the help. The scenario I am trying to accomplish is: publickey auth only. If the user has setup google-authenticator use it. If they haven't let them login so they can set it up. I can get it so I can log in with publickey no matter what (ignores google-auth) or uses google-auth and I can't login with publickey if google-auth is not setup. Maybe this is not possible... – MFG Sep 29 '17 at 15:01
  • Remove the comma, add a space, restart sshd `publickey,password` = AND `publickey password` = OR – Jacob Evans Sep 29 '17 at 15:07
  • That doesn't work... as soon as you put a space between publickey and keyboard-interactive (not password, not using passwords). No matter if you have google-auth configured for user it just logs in with the key. (ignores google-auth) – MFG Sep 29 '17 at 15:20
  • Correct, you're mixing up sshd config with pam config, you can't disable sshkey auth once google-auth is setup, they two are unaware of each other. – Jacob Evans Sep 29 '17 at 15:25
  • Look at freeipa, it uses sssd and would give you more control which is what it sounds like you need. – Jacob Evans Sep 29 '17 at 15:54