I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:
/etc/ssh/sshd_config
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
AllowUsers me him
PermitRootLogin no
MaxStartups 15
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
/etc/pam.d/sshd
# Standard Un*x authentication.
#@include common-auth
account required pam_nologin.so
# Standard Un*x authorization.
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok
From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:
$ ssh him@my_device
him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).
Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?
By the way, this is Ubuntu 18.04 LTS.
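An added check for the PAM stack shown above (example code, not part of the original post). It rests on a documented property of libpam-google-authenticator: with nullok, the module returns PAM_IGNORE for a user who has no ~/.google_authenticator, and Linux-PAM needs at least one auth module to return success, so a stack whose only active auth line is that module fails with permission denied. The module's README suggests "auth required pam_permit.so" after it; the script audits a pam.d file for that pattern. The file contents are a constructed copy of the question's auth lines.

```shell
#!/bin/sh
# Audit a PAM service file for the nullok trap: if the only active "auth"
# line is pam_google_authenticator.so with nullok, users without a secret
# get PAM_IGNORE from it and nothing else returns success, so the auth
# stack fails. A following "auth required pam_permit.so" fixes that.

# Constructed copy of the active lines from the question's /etc/pam.d/sshd
# (common-auth commented out, google_authenticator with nullok last).
PAM_BROKEN='#@include common-auth
account required pam_nologin.so
@include common-account
auth required pam_google_authenticator.so nullok'

# Same stack with the pam_permit line the module's README recommends.
PAM_FIXED="$PAM_BROKEN
auth required pam_permit.so"

# audit_nullok FILE
# Prints one of: no-nullok | other-auth | ok | missing-permit
# Returns 1 only for missing-permit, so it can gate a config deploy.
audit_nullok() {
    f="$1"
    # Drop comments, keep active auth lines and any @include (stack order kept).
    active=$(grep -v '^[[:space:]]*#' "$f" \
        | grep -E '^[[:space:]]*(auth[[:space:]]|@include)' || true)
    ga=$(printf '%s\n' "$active" | grep -n 'pam_google_authenticator.so' \
        | grep nullok | head -n 1 | cut -d: -f1)
    if [ -z "$ga" ]; then
        echo "no-nullok"; return 0
    fi
    # An active @include common-auth (or another auth module) before the
    # nullok line can already supply a success result; report, do not judge.
    if printf '%s\n' "$active" | head -n "$((ga - 1))" \
        | grep -Eq 'common-auth|^[[:space:]]*auth'; then
        echo "other-auth"; return 0
    fi
    # After the nullok line, is there a module that returns success?
    if printf '%s\n' "$active" | tail -n +"$((ga + 1))" | grep -q 'pam_permit.so'; then
        echo "ok"; return 0
    fi
    echo "missing-permit"; return 1
}
```

Run it against a copy of /etc/pam.d/sshd before reloading sshd; "missing-permit" means a user without ~/.google_authenticator will be rejected with "Permission denied (keyboard-interactive)".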