ssh Keyboard Authentication: when to enter Google Authenticator code

0

These questions seem related:

I believe my circumstances are different enough to start a new thread.


I have set up ssh to use PAM, with Google-Authenticator. I have added the necessary lines to both /etc/ssh/sshd_config and /etc/pam.d/sshd and have set up the Google Authenticator on both computers and the app. The public key of each system is copied on the other.

In /etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

In /etc/pam.d/sshd:

#%PAM-1.0
auth     required  pam_securetty.so     #disable remote root
# require google authenticator
auth      required  pam_google_authenticator.so
# but not password
#auth      include   system-remote-login
account   include   system-remote-login
password  include   system-remote-login
session   include   system-remote-login

This is the output from ssh -vvv 192.IP.address.0:

OpenSSH_7.4p1, OpenSSL 1.0.2j  26 Sep 2016
...
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ...
...
debug2: service_accept: ssh-userauth
...
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/trespaul/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok
debug3: sign_and_send_pubkey
Enter passphrase for key '/home/trespaul/.ssh/id_rsa': 
debug3: send packet: type 50
debug3: receive packet: type 51
Authenticated with partial success.
debug1: Authentications that can continue: **keyboard-interactive**
debug3: **start over**, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: **keyboard-interactive**
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: **we sent a keyboard-interactive packet**, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (keyboard-interactive).

Between the last two bolds / double stars ("next auth method is kbd interactive" and "we sent a packet"), I am not asked for my OTP. Why is this? What am I missing?

Extra info

I am on Arch. libpam-google-authenticator installed from AUR with make install etc.

Edit: Server log

journalctl on the server has the following:

systemd[1]: Started OpenSSH Per-Connection Daemon (10.0.0.5:38150).
sshd[1376]: PAM unable to dlopen(/usr/lib/security/pam_google_authenticator.so): /usr/lib/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
sshd[1376]: PAM adding faulty module: /usr/lib/security/pam_google_authenticator.so
sshd[1376]: error: PAM: Module is unknown for paul from 10.0.0.5
sshd[1376]: Connection closed by 10.0.0.5 port 38150 [preauth]

Thanks.

TresPaul

Posted 2017-01-10T22:26:25.003

Reputation: 153

What errors do you see in server log? – Jakuje – 2017-01-11T08:14:20.643

Jakuje, thanks, that completely slipped my mind. It appears /usr/lib/security/pam_google_authenticator.so does not exist. The installation, however, said that it was successfully added to /usr/lib/security. – TresPaul – 2017-01-11T10:22:22.713

Answers

0

libpam-google-authenticator installed from AUR with make install etc.

That's not how you install things from AUR.

An AUR package already has its own build & install instructions – the PKGBUILD file, which already copies the necessary files to their places and even makes a .pkg.tar.gz file with them. The proper way of building one is makepkg:

makepkg -sirc

will build, install, and clean up.

What if your download doesn't have a PKGBUILD in it? Then you downloaded the wrong file. The top-level package sources can be obtained from the link in the rightmost box,

user1686

Posted 2017-01-10T22:26:25.003

Reputation: 283 655

Thank you. I didn't mention this, but makepkg gave an error (cd: too many arguments) which stemmed from the PKGBUILD file (I had a look inside...) (And I downloaded from aur.archlinux.org/...git) and so I figured I'd follow the GitHub Readme, but I'll try harder to do it "correctly" from now on! :-) – TresPaul – 2017-01-11T16:30:27.157

@TresPaul: Usually caused by paths with spaces (e.g. …/AUR Package/). Even though most pkgbuilds guard against those, most Makefiles won't – that's why your manual make install failed, too. – user1686 – 2017-01-11T16:43:34.933

Yes, I realized that just now. Apparently this was already a problem in 2004: https://bbs.archlinux.org/viewtopic.php?id=2293 – TresPaul – 2017-01-11T16:47:35.813

1

So I solved this with

sudo cp '.../AUR Package/.libs/pam_google_authenticator.so' /usr/lib/security/pam_google_authenticator.so

The error was the missing .so file, implying that something went wrong or I missed something during the installation.


This however does not seem like best practice. If someone has a better, more elegant solution, please feel free to add as an answer.

TresPaul

Posted 2017-01-10T22:26:25.003

Reputation: 153
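
A pre-flight check for the failure in this thread, added here as an example (not code from the posters or from the google-authenticator project): it lists the modules a PAM service file references that are missing from the module directory, which is the condition sshd logged as "PAM unable to dlopen" while the client only saw keyboard-interactive fail without a prompt. The function names and the temporary sample paths are assumptions; the sample stack is constructed from the question's /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example: list PAM modules that a service file references but that are
# missing on disk, the condition behind sshd's "PAM unable to dlopen" log line.

# pam_missing_modules <service-file> <module-dir>
# Prints the path of each missing module; returns 1 if any is missing.
pam_missing_modules() (
    pam_file=$1
    module_dir=$2
    missing=0
    modules=$(awk '
        { sub("#.*", "") }               # drop comments, including "#%PAM-1.0"
        { sub(/\[[^]]*\]/, "BRACKET") }  # "[success=1 default=ignore]" becomes one field
        NF < 3 { next }                  # blank or incomplete line
        $2 == "include" || $2 == "substack" { next }  # names a service file, not a module
        { print $3 }
    ' "$pam_file")
    for module in $modules; do
        case $module in
            /*) path=$module ;;              # absolute module path
            *)  path=$module_dir/$module ;;  # relative to the module directory
        esac
        if [ ! -e "$path" ]; then
            printf '%s\n' "$path"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
)

# Constructed sample: the auth stack from the question, checked against a
# temporary (hypothetical) module directory holding only pam_securetty.so.
demo_question_stack() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/security"
    : > "$tmp/security/pam_securetty.so"
    cat > "$tmp/sshd" <<'EOF'
#%PAM-1.0
auth     required  pam_securetty.so     #disable remote root
auth      required  pam_google_authenticator.so
account   include   system-remote-login
EOF
    out=$(pam_missing_modules "$tmp/sshd" "$tmp/security" | sed "s|^$tmp/security/||")
    rm -rf "$tmp"
    printf '%s\n' "$out"
)

demo_question_stack   # prints: pam_google_authenticator.so
```

On the system in the question the equivalent call is `pam_missing_modules /etc/pam.d/sshd /usr/lib/security`, run before restarting sshd with a changed PAM stack.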