2 Factor Authentication in SSH using public key and PAM
It's quite easy for "publickey->password->your_module" or "password->your_module". Can't find the way to remove password from the first chain.
publickey,keyboard-interactive means that publickey auth will be used and keyboard-interactive after that (kind of a logical AND). Replace the comma with a space for a logical OR, like:
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
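A simplified model of the comma/space semantics described above, added here as an illustration (it is not code from the answer or from OpenSSH). The function names and result strings are hypothetical; the rule that only the next method of each list is offered follows sshd_config(5).

```python
# Added illustration: simplified model of sshd's AuthenticationMethods handling.
# Names (parse_lists, satisfies, evaluate) and result strings are hypothetical.

def parse_lists(value):
    """Spaces separate alternative lists (OR); commas chain methods (AND, in order)."""
    return [lst.split(",") for lst in value.split()]

def satisfies(required, done):
    """A bare 'keyboard-interactive' accepts any device; ':pam' pins the device."""
    if required == done:
        return True
    return ":" not in required and done.split(":", 1)[0] == required

def evaluate(value, successes):
    """Replay the methods a client completed, in order, against the directive."""
    lists = parse_lists(value)
    pos = [0] * len(lists)                  # index of the next method in each list
    for done in successes:
        offered = [lst[p] for lst, p in zip(lists, pos)]
        if not any(satisfies(req, done) for req in offered):
            return "not-offered"            # method is not next in any list
        for i, req in enumerate(offered):
            if satisfies(req, done):
                pos[i] += 1
                if pos[i] == len(lists[i]):
                    return "authenticated"  # one whole list was completed
    return "partial"                        # further methods are still required

# The two directive values that appear on this page.
ANSWER_LINE = "publickey,keyboard-interactive:pam keyboard-interactive:pam"
QUESTION_LINE = "publickey,keyboard-interactive"

if __name__ == "__main__":
    cases = [
        (ANSWER_LINE, ["publickey"]),
        (ANSWER_LINE, ["keyboard-interactive:pam"]),
        (ANSWER_LINE, ["publickey", "keyboard-interactive:pam"]),
        (QUESTION_LINE, ["keyboard-interactive:pam"]),
        (QUESTION_LINE, ["publickey", "keyboard-interactive:pam"]),
    ]
    for line, seq in cases:
        print(f"{line!r:62} {seq} -> {evaluate(line, seq)}")
```

With the answer's line, a client that completes only keyboard-interactive:pam is authenticated, so the key is optional and the strength of that path rests entirely on the PAM stack in /etc/pam.d/sshd.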
Matt3o12
Updated on September 18, 2022
Comments
-
Matt3o12 over 1 year
I'm trying to set up 2 Factor Authentication. I want the user to log in successfully if:
- The public private/public key matches (authentication method: publickey) or the password is correct
- My pam authentication method is successful.
The second authentication method is a PAM file. So I placed it into /usr/lib/pam/ and added
auth required my_pam_module.so
in /etc/pam.d/sshd.
So far I can either log in using the (publickey method) or (a password and whatever is required by my pam module). So I added
AuthenticationMethods publickey,keyboard-interactive
in /etc/sshd_config and now I'm required to have the public key, password, and "whatever is required by my pam module".
What lines do I need to change in order to achieve what I described above? I'm using Mac OS X Mavericks (10.9). If you aren't familiar with Mac, it could also help to know what you'd do on your Linux system.
-
Matt3o12 almost 10 years
When I write keyboard-interactive:pam in the config, I'm getting this error: ssh_exchange_identification: Connection closed by remote host
-
Dmitri Sosnik almost 10 years
Try to run the ssh client in verbose mode, it will give you more information about what's going wrong. Like 'ssh -vvv <hostname>'
-
Matt3o12 almost 10 years
Here is the verbose log of ssh: pastebin.com/hXTaCJ6f. You can also find relevant parts of my server log below (the most recent things sshd was reporting). Do I need to replace pam by "my_pam_method"?
-
Dmitri Sosnik almost 10 years
Just wondering, have you added "ChallengeResponseAuthentication yes" and "UsePAM yes" to sshd config?
-
Matt3o12 almost 10 years
It wasn't set to yes but I changed it, although nothing has changed (still getting the same error). Did it work for you? And if so, what OpenSSL are you using?
-
Dmitri Sosnik almost 10 years
Yep, it works fine for me. Here are some of my config files: sshd_conf - pastebin.com/19uve9Mr and /etc/pam.d/sshd (pretty much the standard Ubuntu file, just added pam_google_authenticator.so) - pastebin.com/UdXx8qxy. As a result it's either certificate + pwd + google auth pam module or just pwd + google auth. Openssl - 1.0.1