
I have installed and configured PAM on my Ubuntu server which is working correctly. To log in I want to require an SSH Key to be installed, a password to be provided and a valid code from an authenticator app.

The issue that I have is that I would like to add exceptions to these requirements on a per-user basis.

For example, I want to enforce all of these auth methods for my user account, but specify another user (git - for my GitLab installation) to be accessed by SSH key only (no password or 2FA code required) so the push and pull behaviour works.

The only way I have found to get round this at the moment is to set auth required pam_google_authenticator.so nullok in the /etc/pam.d/sshd file, so the 2FA part is optional, as well as commenting out the @include common-auth line. This however means that while the 2FA part works, I am no longer asked for my password on my main account.

I have tried to do the following:

auth [success=1 default=ignore] pam_succeed_if.so user in git
@include common-auth

but this doesn't seem to work.

What do I need to do to enable all of the above auth methods by default, but add exceptions for specific user accounts like git etc?

Ben Turner
  • 101
  • 4

1 Answer


Let's break down these requirements a bit.

Configuring SSH

First, in order to require both a public key and a password, you need to modify your /etc/ssh/sshd_config by adding this line:

AuthenticationMethods publickey,keyboard-interactive

This way, everyone must have a public key, and must be able to provide their password upon login.

To make exceptions, use the Match block. For example, let's assume that users who aren't restricted are in the come-as-please group. Then add these lines to the end of the sshd_config file:

Match Group come-as-please
    AuthenticationMethods publickey keyboard-interactive

Note the absence of the comma, which means that members of the group may use either public key, or keyboard-interactive (password) authentication.

Configuring google-authenticator

To use the google-authenticator module, you need to modify the /etc/pam.d/sshd file. After the

@include common-auth

line, add this one:

auth    required        pam_google_authenticator.so nullok

Also, in order to enable two-factor authentication, you need to modify your /etc/ssh/sshd_config file, adding this line:

ChallengeResponseAuthentication yes

After this, restart the SSH daemon.

Setting user access

After the above modifications, you have the following access settings:

  • Every user must have a public key installed, and must supply a password.
  • If there is a .google_authenticator file in the user's home directory, then they must supply the corresponding authenticator code as well.
  • Anyone who is member of the come-as-please group:
    • If they have a public key installed, they do not need to supply a password or the authenticator code, whether they have the .google_authenticator file in their home or not,
    • If they don't have a public key installed, they need to specify a password. They need to supply the authenticator code if the .google_authenticator file exists in their home directory.
Lacek
  • 6,585
  • 22
  • 28
  • Don't forget to add `auth required pam_permit.so` to the end of the `/etc/pam.d/sshd` when using `nullok` option https://github.com/google/google-authenticator-libpam#nullok – だらんぎん じょん Feb 22 '22 at 08:08
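The comma-versus-space distinction in AuthenticationMethods is the crux of the answer above, so here is an added example (not from the original answer) that evaluates a constructed sshd_config fragment the way sshd does: a comma list is "all of these, in order", a space-separated list is "any one of these", and the first matching Match block overrides the global value. Only the Group and User match criteria are modelled; the config text, user names and groups are constructed for the demonstration.

```python
from __future__ import annotations

# Constructed sshd_config fragment mirroring the answer's two settings (not a real file).
SSHD_CONFIG = """\
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
Match Group come-as-please
    AuthenticationMethods publickey keyboard-interactive
"""


def parse_methods(value: str) -> list[list[str]]:
    """'a,b c' -> [['a', 'b'], ['c']]: a space separates alternatives (OR),
    a comma separates methods that must all succeed, in order (AND)."""
    return [alt.split(",") for alt in value.split()]


def effective_methods(config: str, user: str, groups: set[str]) -> list[list[str]]:
    """Effective AuthenticationMethods for `user`, who is a member of `groups`.
    The global value applies unless a Match block matches; the first matching
    block that sets the keyword wins. Criteria other than Group/User never match here."""
    global_value = match_value = None
    matching: bool | None = None  # None: global section; bool: inside a Match block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, arg = value.partition(" ")
            names = set(arg.split(","))
            if crit.lower() == "group":
                matching = bool(groups & names)
            elif crit.lower() == "user":
                matching = user in names
            else:
                matching = False  # Address, Host, LocalPort etc. are not modelled
        elif key == "authenticationmethods":
            if matching is None:
                global_value = parse_methods(value)
            elif matching and match_value is None:
                match_value = parse_methods(value)
    return match_value or global_value or [["any"]]


def login_allowed(methods: list[list[str]], completed: list[str]) -> bool:
    """True when the methods completed so far, in order, fully satisfy one alternative."""
    return any(alt == completed for alt in methods)
```

On a real host, `sshd -T -C user=git,host=<host>,addr=<addr>` prints the AuthenticationMethods value sshd itself computes for that user, which is the authoritative check after editing the file.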