I'm attempting to configure two-factor authentication when using SSH to connect to my Red Hat EC2 instance.

I would like to configure it like this:

  • If a user has both an SSH key and Google Authenticator set up, use these two factors
  • If a user has no SSH key, use password and Google Authenticator
  • If a user only has a password, this is all that is needed

I have it partially working, but with the current configuration the problems I am facing right now are:

  • A user with only a password set up is prompted for the password twice but is still granted access (not my main concern)
  • A user with Google Authenticator configured is prompted for a password; the password is entered and now they are prompted for the verification code. If you type the wrong verification code, you are given another password prompt, and this will give you access without the verification code, making Google Authenticator useless.

My configuration settings:

/etc/pam.d/sshd

#%PAM-1.0

auth       required     pam_sepermit.so
auth       [success=done new_authtok_reqd=ok default=ignore]   pam_google_authenticator.so nullok
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

/etc/ssh/sshd_config

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin no

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication yes
ChallengeResponseAuthentication yes

GSSAPIAuthentication no
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp  /usr/libexec/openssh/sftp-server

Match all
        AuthenticationMethods publickey,keyboard-interactive:pam password,keyboard-interactive:pam
Jquinn
  • So if a user has only a password then they can log in. That kind of makes everything else pointless, doesn't it? – joeqwerty Jul 10 '18 at 15:17
  • No, users that want extra protection can decide to use an ssh key or google authenticator. If they would like to use minimal protection on their account then that is fine – Jquinn Jul 10 '18 at 15:28

0 Answers
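Both symptoms in the question follow from the posted configuration, and the example below (added here; not code from the question, from Linux-PAM or from the Google Authenticator project) models the one that matters for security. The control field `[success=done new_authtok_reqd=ok default=ignore]` on the pam_google_authenticator line maps every return other than success and new_authtok_reqd to `ignore`, so a wrong verification code is discarded and the stack continues into password-auth, whose result is then the only thing that counts. The same control ends the stack with `done` on a correct code, so in that PAM pass the password is never asked for at all. The duplicate password prompt comes from `AuthenticationMethods ... password,keyboard-interactive:pam`: sshd checks the password itself with the `password` method (non-interactively, through PAM) and then runs the whole stack a second time, interactively, for `keyboard-interactive`.

The evaluator implements the Linux-PAM control semantics (keyword controls expanded to the bracket form, `substack`, and the ok/done/bad/die/ignore actions) and runs two stacks through them: the auth lines from the question, and a corrected ordering with password-auth first and `pam_google_authenticator.so` as `required nullok`. Users, passwords and codes are constructed, and the module stand-ins are assumptions about the real modules' return codes, in particular that `nullok` yields PAM_IGNORE for a user with no secret file.

```python
"""Simplified Linux-PAM auth-stack evaluator: an added example, not code from
the post or from Linux-PAM. It models only what this bug turns on (the controls
required/requisite/sufficient/optional, the [success=... default=...] form,
substack) plus stand-ins for pam_unix and pam_google_authenticator."""
from dataclasses import dataclass, field
from typing import List, Optional

SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = "success", "auth_err", "ignore", "perm_denied"

# Keyword controls expanded to the bracket form, as Linux-PAM does internally;
# a PAM_IGNORE return never counts against the stack.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "ignore": "ignore", "default": "ignore"},
    "optional":   {"success": "ok",   "ignore": "ignore", "default": "ignore"},
}

@dataclass
class User:
    password: str
    otp_code: Optional[str] = None  # None: never ran google-authenticator

@dataclass
class Entry:
    control: str                    # keyword, "[...]" form, or "substack"
    module: str                     # module name, or the substack's file name
    args: tuple = ()
    substack: List["Entry"] = field(default_factory=list)

def parse_control(control):
    """Turn a control field into a {return_code: action} map."""
    if control.startswith("["):
        return dict(tok.split("=", 1) for tok in control.strip("[]").split())
    return KEYWORD_CONTROLS[control]

# Module stand-ins. That nullok yields IGNORE for an unenrolled user is an
# assumption about the real module; check the version you run.
def pam_google_authenticator(user, args, answers, prompts):
    if user.otp_code is None:
        return IGNORE if "nullok" in args else AUTH_ERR
    prompts.append("Verification code")
    return SUCCESS if answers.get("Verification code") == user.otp_code else AUTH_ERR

def pam_unix(user, args, answers, prompts):
    prompts.append("Password")
    return SUCCESS if answers.get("Password") == user.password else AUTH_ERR

MODULES = {
    "pam_google_authenticator.so": pam_google_authenticator,
    "pam_unix.so": pam_unix,
    "pam_deny.so": lambda user, args, answers, prompts: AUTH_ERR,
}

def run_stack(entries, user, answers, prompts):
    """Evaluate an auth stack and return its PAM code. ok/done set the code only
    while nothing has failed; bad/die record the first failure; done/die stop
    the stack (inside a substack, only that substack)."""
    status, failed = None, False
    for e in entries:
        if e.control == "substack":
            rc = run_stack(e.substack, user, answers, prompts)
            actions = KEYWORD_CONTROLS["required"]
        else:
            rc = MODULES[e.module](user, e.args, answers, prompts)
            actions = parse_control(e.control)
        action = actions.get(rc, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if not failed:
            status, failed = rc, action in ("bad", "die")
        if action in ("done", "die"):
            break
    return PERM_DENIED if status is None else status

def authenticate(stack, user, answers):
    """Run a stack for a user; returns (PAM code, prompts shown, in order)."""
    prompts = []
    return run_stack(stack, user, answers, prompts), prompts

# Abridged auth lines of a RHEL-style /etc/pam.d/password-auth.
PASSWORD_AUTH = [Entry("sufficient", "pam_unix.so", ("nullok", "try_first_pass")),
                 Entry("required", "pam_deny.so")]

# The auth lines from the question: any non-success from the OTP module, a wrong
# code included, is 'ignore'd, so password-auth alone decides the outcome.
QUESTION_STACK = [Entry("[success=done new_authtok_reqd=ok default=ignore]",
                        "pam_google_authenticator.so", ("nullok",)),
                  Entry("substack", "password-auth", substack=PASSWORD_AUTH)]

# Corrected: password-auth first, then the OTP module as 'required', so a wrong
# code is the stack's failure; nullok still admits unenrolled users.
FIXED_STACK = [Entry("substack", "password-auth", substack=PASSWORD_AUTH),
               Entry("required", "pam_google_authenticator.so", ("nullok",))]

OTP_USER = User(password="correct-horse", otp_code="123456")  # constructed
PASSWORD_ONLY_USER = User(password="battery-staple")          # constructed

if __name__ == "__main__":
    wrong = {"Password": "correct-horse", "Verification code": "000000"}
    for name, stack in (("question", QUESTION_STACK), ("fixed", FIXED_STACK)):
        print(name, "OTP user, wrong code:", authenticate(stack, OTP_USER, wrong))
        print(name, "password-only user:",
              authenticate(stack, PASSWORD_ONLY_USER, {"Password": "battery-staple"}))
```

Run as is, the question's stack returns success for the OTP user after a wrong code and a correct password, while the corrected stack returns auth_err for the same input and still admits the password-only user. If you adopt the corrected order in /etc/pam.d/sshd, also drop `password` from the AuthenticationMethods lists (`publickey,keyboard-interactive:pam keyboard-interactive:pam`) so the password is requested once, by PAM, rather than by sshd and then again by PAM. Note that this stack still asks key users for a password; nothing in the posted configuration tells PAM which SSH method already succeeded, so the first bullet in the question (key plus code, no password) is not met by either stack.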