I'm attempting to configure two-factor authentication when using SSH to connect to my Red Hat EC2 instance.
I would like to configure it like this:
- If the user has both an SSH key and Google Authenticator set up, use these two factors
- If the user has no SSH key, use password and Google Authenticator
- If the user only has a password, this is all that is needed
I have it partially working, but with the current configuration the problems I am facing right now are:
- A user with only a password set up is prompted for the password twice but is still granted access (not my main concern)
- A user with Google Authenticator configured is prompted for a password; the password is entered and they are then prompted for the verification code. If you type the wrong verification code, you are given another password prompt, and this grants access without the verification code, making Google Authenticator useless.
My configuration settings:

`/etc/pam.d/sshd`:

```
#%PAM-1.0
auth required pam_sepermit.so
auth [success=done new_authtok_reqd=ok default=ignore] pam_google_authenticator.so nullok
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
```
`/etc/ssh/sshd_config`:

```
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
Match all
AuthenticationMethods publickey,keyboard-interactive:pam password,keyboard-interactive:pam
```
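The second problem in the post comes down to how Linux-PAM walks the `auth` stack: with `[success=done new_authtok_reqd=ok default=ignore]`, a wrong verification code returns `PAM_AUTH_ERR`, which maps to `default=ignore`, so the failure is simply discarded and the `password-auth` substack that follows authenticates on its own. The script below is an added example, not code from the post or from any of the projects involved. It models the `ok`/`done`/`bad`/`die`/`ignore` actions from pam.d(5) and the substack rule (a `done` inside a substack only ends the substack), runs the poster's stack and an assumed alternative ordering (`password-auth` first, then `pam_google_authenticator.so` as `required`) over constructed inputs, and shows which combinations of code and password each one accepts. The module behaviours, the contents of `password-auth` (a typical RHEL `pam_env` / `sufficient pam_unix` / `required pam_deny` chain), and the treatment of `nullok` as `PAM_IGNORE` for an unenrolled user are all assumptions; real sshd also chains the `password` and `keyboard-interactive` methods from `AuthenticationMethods`, which this model does not cover.

```python
"""Model of Linux-PAM 'auth' stack evaluation (added example, assumptions noted inline)."""
from typing import Callable, Dict, List, Tuple, Union

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"
RETVAL_KEY = {PAM_SUCCESS: "success", PAM_AUTH_ERR: "auth_err", PAM_IGNORE: "ignore"}

# The simple keywords expressed in [value=action ...] form, as pam.d(5) defines them
# (new_authtok_reqd omitted: no module in this model returns it).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "ignore": "ignore", "default": "ignore"},
    "optional":   {"success": "ok",   "ignore": "ignore", "default": "ignore"},
}

Module = Callable[[dict], str]
Stack = List[Tuple[str, Union[Module, "Stack"]]]


def parse_control(control: str) -> Dict[str, str]:
    """'required' or '[success=done default=ignore]' -> {return value: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    return dict(item.split("=", 1) for item in control.strip("[]").split())


def _walk(stack: Stack, inputs: dict, state: dict) -> None:
    """Mirror _pam_dispatch_aux: 'impression' is the running verdict, 'status' its code.
    The state is shared with substacks, so done/die inside one only ends that substack."""
    for control, module in stack:
        if control == "substack":
            _walk(module, inputs, state)
            continue
        retval = module(inputs)
        actions = parse_control(control)
        action = actions.get(RETVAL_KEY[retval], actions["default"])
        if action in ("ok", "done"):
            # A success only counts if nothing has failed yet.
            if retval != PAM_IGNORE and (state["impression"] is None or
                    (state["impression"] == "positive" and state["status"] == PAM_SUCCESS)):
                state["impression"], state["status"] = "positive", retval
            if action == "done" and state["impression"] == "positive":
                return                      # decision made: skip the rest of this (sub)stack
        elif action in ("bad", "die"):
            if state["impression"] != "negative":
                state["impression"], state["status"] = "negative", retval   # first failure wins
            if action == "die":
                return
        # "ignore": the module's result does not contribute to the verdict


def authenticate(stack: Stack, inputs: dict) -> str:
    """What pam_authenticate() would return for this stack and these answers."""
    state = {"impression": None, "status": PAM_AUTH_ERR}
    _walk(stack, inputs, state)
    return state["status"] if state["impression"] is not None else PAM_AUTH_ERR


# --- assumed module behaviours -----------------------------------------------------
def pam_sepermit(inputs):            # user not listed in sepermit.conf -> PAM_IGNORE
    return PAM_IGNORE

def pam_env(inputs):                 # only sets environment, always succeeds
    return PAM_SUCCESS

def pam_unix(inputs):                # real module compares hashes; plain string here
    return PAM_SUCCESS if inputs["password"] == inputs["real_password"] else PAM_AUTH_ERR

def pam_deny(inputs):
    return PAM_AUTH_ERR

def pam_google_authenticator(inputs):
    """nullok: no secret file -> PAM_IGNORE (assumed); otherwise compare the code."""
    if inputs["expected_code"] is None:
        return PAM_IGNORE
    return PAM_SUCCESS if inputs["otp"] == inputs["expected_code"] else PAM_AUTH_ERR


# Assumed /etc/pam.d/password-auth auth section (typical RHEL layout).
PASSWORD_AUTH: Stack = [("required", pam_env), ("sufficient", pam_unix), ("required", pam_deny)]

# The poster's /etc/pam.d/sshd auth section.
ORIGINAL_SSHD: Stack = [
    ("required", pam_sepermit),
    ("[success=done new_authtok_reqd=ok default=ignore]", pam_google_authenticator),
    ("substack", PASSWORD_AUTH),
]

# Assumed alternative: password first, then the code as 'required' so a wrong code is fatal.
# 'substack' matters here: pam_unix's 'done' ends only password-auth, so the code is still checked.
HARDENED_SSHD: Stack = [
    ("required", pam_sepermit),
    ("substack", PASSWORD_AUTH),
    ("required", pam_google_authenticator),
]


def scenario(stack: Stack, enrolled: bool, otp, password: str) -> str:
    """Constructed inputs: the valid code is '123456', the real password 'hunter2'."""
    inputs = {"expected_code": "123456" if enrolled else None, "otp": otp,
              "password": password, "real_password": "hunter2"}
    return authenticate(stack, inputs)


if __name__ == "__main__":
    cases = [("enrolled, wrong code, right password", True, "000000", "hunter2"),
             ("enrolled, right code, wrong password", True, "123456", "wrong"),
             ("enrolled, right code, right password", True, "123456", "hunter2"),
             ("not enrolled, right password", False, None, "hunter2"),
             ("not enrolled, wrong password", False, None, "wrong")]
    for name, enrolled, otp, pw in cases:
        print(f"{name:38} original: {scenario(ORIGINAL_SSHD, enrolled, otp, pw):13}"
              f" hardened: {scenario(HARDENED_SSHD, enrolled, otp, pw)}")
```

The first case is the bypass from the post: the original stack returns `PAM_SUCCESS` for a wrong code plus a correct password, the reordered stack returns `PAM_AUTH_ERR`, while unenrolled users are unaffected in both because `nullok` keeps the module out of the verdict. Whatever ordering you settle on, test every enrolled/unenrolled and right/wrong combination against the real sshd after each change, since the control field is the only thing standing between a failed second factor and the password path.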