How do I require MFA only when it has been set up?

0

I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:

/etc/ssh/sshd_config

X11Forwarding yes
PrintMotd no

AcceptEnv LANG LC_*

Subsystem   sftp    /usr/lib/openssh/sftp-server

AllowUsers me him
PermitRootLogin no
MaxStartups 15
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

/etc/pam.d/sshd

# Standard Un*x authentication.
#@include common-auth

account    required     pam_nologin.so

# Standard Un*x authorization.
@include common-account

session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

session    required     pam_loginuid.so

session    optional     pam_keyinit.so force revoke

@include common-session

session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

session    optional     pam_mail.so standard noenv # [1]

session    required     pam_limits.so

session    required     pam_env.so # [1]

session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

auth required pam_google_authenticator.so nullok

From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:

$ ssh him@my_device
him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).

Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?

By the way, this is Ubuntu 18.04 LTS.

Kyle

Posted 2019-03-20T06:40:46.840

Reputation: 161

Answers

0

I noticed an update to the project's README adding information about the nullok option.

PAM requires at least one `SUCCESS` answer from a module, and `nullok`
causes this module to say `IGNORE`. This means that if this option is
used at least one other module must have said `SUCCESS`. One way to do
this is to add `auth required pam_permit.so` to the end of the PAM
config.

from: https://github.com/google/google-authenticator-libpam/commit/5e804ec11104a1ab17ce02d0681130ded037f39b

sergiobuj

Posted 2019-03-20T06:40:46.840

Reputation: 101
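The README text quoted in the answer above explains the mechanism: with `nullok`, a user who has not yet run the setup gets no TOTP prompt at all, so after adding `pam_permit.so` the keyboard-interactive step becomes a no-op for exactly those users. The audit helper below is an added example (not code from the question, the answer, or google-authenticator-libpam) that lists which users in the `AllowUsers` line are still in that key-only state; it assumes a single `AllowUsers` line as in the posted sshd_config and that home directories live under the given root.

```shell
#!/bin/sh
# Audit helper: with "auth required pam_google_authenticator.so nullok" followed by
# "auth required pam_permit.so", any listed user whose ~/.google_authenticator is
# missing passes keyboard-interactive with no TOTP challenge. This prints, per user,
# whether the secret file exists so an admin can see who has not completed setup.
# (Added example; paths and function names are this script's own assumptions.)

# allowed_users SSHD_CONFIG -> prints the space-separated AllowUsers list
allowed_users() {
    awk 'tolower($1) == "allowusers" { $1 = ""; sub(/^ /, ""); print }' "$1"
}

# users_missing_totp HOME_ROOT USER... -> one status line per user;
# returns 1 if at least one user has no ~/.google_authenticator, else 0
users_missing_totp() {
    root=$1; shift
    missing=0
    for u in "$@"; do
        f="$root/$u/.google_authenticator"
        if [ -f "$f" ]; then
            echo "$u: ok"
        else
            echo "$u: no .google_authenticator (nullok -> IGNORE, no TOTP asked)"
            missing=1
        fi
    done
    return "$missing"
}

# Typical use on the host itself (needs root to read other users' home directories):
#   users_missing_totp /home $(allowed_users /etc/ssh/sshd_config)
```

A non-zero exit status from `users_missing_totp` is a convenient hook for a cron job or login banner reminding those users to finish the Google Authenticator setup.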