SSH authentication: either SSH keys or one time password


Solution 1

Edit: sorry for answering my own question! (The other two answers are great, but don't completely answer the question. But still very helpful!)

The OTPassword Pluggable Authentication Module implements Steve Gibson's Perfect Paper Password system in a PAM for Linux. Once you install that, you'll have PPP authentication. But what about an ssh keys bypass? An FAQ on their site answers this question:

If you have a trusted machine from which you often log into your remote system, use ssh keys. Generate them with ssh-keygen, and copy your new ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys on the remote computer. When SSH authenticates a user with keys it omits PAM.

Conveniently automatic!

Edit: Google Authenticator and Duo Security also seem like good solutions. They don't provide one time passwords on paper; instead they use your smartphone to generate a constantly changing TOTP key. (Duo Security also works with dumbphones by sending them a text message with a couple of one time passwords. However Duo Security is not local; you must rely on their servers...)

Solution 2

Although this method doesn't check for 1 method of authentication, it does solve the problem of logging in from insecure/not-trusted machines using OTP.

To configure the SSH daemon to listen on multiple ports (one for public key authentication and the other for OTP authentication), simply add another port number to the sshd_config file, i.e.

Port 22 # For key-based auth
Port 60000 # For OTP-based auth

The 2-FA is based on Google’s 2-step authentication technology. To install the library and the program:

$ sudo apt-get install libpam-google-authenticator

Meanwhile, install the Google Authenticator app on your smartphone. Once installed, from the terminal, start up the program:

$ google-authenticator

This will give you a barcode, a secret and a bunch of scratch codes. KEEP THEM SAFE!!! If you don’t have access to your phone or otherwise need emergency access these codes will be your only way in. Don’t underestimate how important this backup mechanism is. It might screw you in the long run. Configure the PAM module to use Google Authenticator:

$ sudo nano /etc/pam.d/sshd

To disable password login thereafter, put a # in front of the line @include common-auth. Also, to the bottom of the file, add:

auth required pam_google_authenticator.so

To enable OTP authentication:

$ sudo nano /etc/ssh/sshd_config

Find the line with the phrase: ChallengeResponseAuthentication and change it from “no” to “yes”.

Set PermitRootLogin no and PasswordAuthentication no.

At the end of the file, use the “match” parameter to determine which authentication mechanism(s) have to be used to access the machine from that port, for example:

Match LocalPort 22
    PasswordAuthentication no
    AuthenticationMethods publickey
    PubKeyAuthentication yes

Match LocalPort 60000
    AuthenticationMethods keyboard-interactive:pam

The parameter “keyboard-interactive:pam” forces the SSH daemon to go to the PAM module daemon (configured under /etc/pam.d/sshd) and authenticate as specified there (hence the need to disable password login from the PAM module as well, by hashing out the common-auth line). Don’t forget to restart your SSH daemon for the changes to take effect:

$ sudo /etc/init.d/sshd restart

Then, when at a non-trusted machine, simply SSH into port 60000 (or whatever you set) and use OTP to authenticate.
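To see how sshd combines the global settings with the two Match LocalPort blocks above, here is an added example (not part of the original answer) that models sshd's Match resolution: the first matching Match block to set a keyword wins, otherwise the global value applies. It only models the LocalPort criterion and treats any other criterion as non-matching; the config text inside is constructed to follow the answer above, and PasswordAuthentication is assumed to default to yes as sshd does.

```python
"""Resolve the effective sshd settings per listening port.

Added example (not from the original answer): a small model of how sshd
applies Match blocks, used to check that the two-port layout from the
answer above leaves no port on which a plain password is accepted.
Only the `LocalPort` Match criterion (and `all`) is modelled; any other
criterion is treated as non-matching. The config text is constructed.
"""
import re

# Constructed sshd_config fragment following the answer above.
SAMPLE_CONFIG = """
Port 22
Port 60000
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

Match LocalPort 22
    PasswordAuthentication no
    AuthenticationMethods publickey
    PubkeyAuthentication yes

Match LocalPort 60000
    AuthenticationMethods keyboard-interactive:pam
"""


def parse_sshd_config(text):
    """Return (global_opts, matches): the global section as a dict and an
    ordered list of (criteria_tokens, settings) Match blocks. Keywords are
    case-insensitive in sshd_config, so they are lower-cased; within a
    section the first occurrence of a keyword wins, as in sshd. Multiple
    Port lines are collected into a list."""
    global_opts = {}
    matches = []
    current = None  # settings dict of the Match block being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value.split(), current))
            continue
        if key == "port" and current is None:
            global_opts.setdefault("port", []).append(value)
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value)  # first value wins
    return global_opts, matches


def block_matches(criteria, local_port):
    """True if every criterion of a Match line holds for this port.
    Only 'all' and 'LocalPort <port>[,<port>...]' are modelled."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if len(criteria) % 2:  # criteria come in name/pattern pairs
        return False
    for name, pattern in zip(criteria[::2], criteria[1::2]):
        if name.lower() != "localport":
            return False  # unmodelled criterion: assume it does not match
        if str(local_port) not in pattern.split(","):
            return False
    return True


def effective_settings(text, local_port):
    """Settings sshd applies to a connection on local_port."""
    global_opts, matches = parse_sshd_config(text)
    effective = {}
    for criteria, settings in matches:
        if block_matches(criteria, local_port):
            for key, value in settings.items():
                effective.setdefault(key, value)  # earliest Match block wins
    for key, value in global_opts.items():
        effective.setdefault(key, value)  # global value as fallback
    return effective


def auth_methods_by_port(text):
    """Map each listening port to its AuthenticationMethods value;
    'any' is sshd's default when the keyword is unset."""
    global_opts, _ = parse_sshd_config(text)
    return {int(p): effective_settings(text, p).get("authenticationmethods", "any")
            for p in global_opts.get("port", ["22"])}


def ports_with_password_auth(text):
    """Ports on which PasswordAuthentication is still enabled
    (sshd's default for the keyword is yes)."""
    global_opts, _ = parse_sshd_config(text)
    return sorted(int(p) for p in global_opts.get("port", ["22"])
                  if effective_settings(text, p).get("passwordauthentication", "yes") != "no")


if __name__ == "__main__":
    print(auth_methods_by_port(SAMPLE_CONFIG))
    print("password logins still possible on:", ports_with_password_auth(SAMPLE_CONFIG))
```

The second check is the one worth keeping around: if the global PasswordAuthentication no line is dropped, port 60000 silently falls back to sshd's default of yes, which is the fall-through the answer above guards against by also hashing out common-auth in PAM.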

Solution 3

Public-Key-Authentication with OTP as fallback (that's what you meant, right?):

  1. Public-Key-Auth with Password fallback is OpenSSH's default behaviour
  2. How your password gets verified is best defined in the PAM configuration files

Solution 4

This can be simple but there are also a few pitfalls to avoid:

Most of your config changes need to happen in the sshd_config file usually located at /etc/ssh/sshd_config

You already have shared keys running so I will skip that here:

The line you want to pay attention to is:

PasswordAuthentication yes

The caveats you want to be aware of are in limiting who can login and how. These should ALL be in place to restrict access to as small a group of users as possible:

PermitEmptyPasswords no
AllowUsers [email protected].*
AllowGroups sshusers

There are many options you can set here; review the man page for the full set of options available.

I would recommend setting up a group just for ssh permissions.

The following flag is also strongly recommended:

PermitRootLogin no

This will get the daemon to request a password if the key is not sent/recognized. You can add the hurdle of OTPW if you like, but you are theoretically in an encrypted environment so it shouldn't strictly be necessary. Having looked at the OTPW information you linked, the code seems to have last been updated in 2003; I would be loath to use it without getting some peer review. Secure coding practices and indeed the whole environment have changed a lot since then.
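The AllowUsers/AllowGroups/PermitRootLogin trio above is easy to misread, in particular that AllowUsers is a whitelist (anyone not listed is refused, however many groups they are in) and that a user@host entry also restricts where the login may come from. Here is an added example (not code from the answer above) that models that gate with sshd's `*`/`?` wildcards approximated by fnmatch. The host pattern 192.168.1.*, the user names and the group database are all constructed for the example.

```python
"""Model of sshd's AllowUsers / AllowGroups / PermitRootLogin gate.

Added example, not from the answer above. Patterns use sshd's '*' and '?'
wildcards (approximated here with fnmatch); a 'user@host' entry matches
the client's host name or its address. The account database and the
network in the pattern are constructed, not real accounts.
"""
from fnmatch import fnmatchcase

# Constructed sshd_config values in the spirit of the answer above.
ALLOW_USERS = ["admin@192.168.1.*"]  # assumed pattern: admin only from the LAN
ALLOW_GROUPS = ["sshusers"]          # the dedicated ssh group the answer suggests
PERMIT_ROOT_LOGIN = "no"

# Constructed account database: user -> primary + supplementary groups.
GROUPS = {
    "admin": ["admin", "sshusers"],
    "alice": ["alice", "sshusers"],
    "bob": ["bob"],
    "root": ["root"],
}


def pattern_allows(pattern, user, host, addr):
    """One AllowUsers entry: 'user' or 'user@host'. The host part is
    matched against the reverse-resolved name or the client address."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and (
            fnmatchcase(host, host_pat) or fnmatchcase(addr, host_pat))
    return fnmatchcase(user, pattern)


def login_permitted(user, host, addr, allow_users=ALLOW_USERS,
                    allow_groups=ALLOW_GROUPS, groups=GROUPS,
                    permit_root=PERMIT_ROOT_LOGIN):
    """Return (allowed, reason). AllowUsers is evaluated before AllowGroups,
    the order sshd(8) documents; when a list is non-empty the user must
    match at least one of its entries. The root check is placed first here
    for simplicity (sshd applies PermitRootLogin when a method succeeds)."""
    if user == "root" and permit_root == "no":
        return False, "PermitRootLogin no"
    if user not in groups:
        return False, "unknown user"
    if allow_users and not any(pattern_allows(p, user, host, addr) for p in allow_users):
        return False, "not in AllowUsers"
    if allow_groups and not any(fnmatchcase(g, gp)
                                for g in groups[user] for gp in allow_groups):
        return False, "not in AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    for who, h, a in [("admin", "ws1.lan", "192.168.1.20"),
                      ("admin", "cafe-pc", "203.0.113.9"),
                      ("alice", "ws2.lan", "192.168.1.21"),
                      ("root", "ws1.lan", "192.168.1.20")]:
        print(who, a, login_permitted(who, h, a))
```

Run it and note that alice is refused despite being in sshusers: with AllowUsers set, AllowGroups can only narrow the set further, which is why the answer recommends keeping the whitelist as small as possible and putting the group in place before relying on it.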

Author: mr_schlomo

Updated on September 18, 2022

Comments

  • mr_schlomo
    mr_schlomo over 1 year

    I have an Ubuntu 10.04 Linux server that I normally ssh into (from my home machine) using ssh key authentication. However, sometimes I need to ssh remotely from potentially insecure machines (like internet cafes, public computers at the library, etc) on which my password could become compromised. In this case, I'd want to use a one-time password system like OTPW or Steve Gibson's Perfect Paper Passwords.

    How can I configure my server to first check for ssh keys, then use an OTPW system for authentication? (Would I have to make two users?)

  • mr_schlomo
    mr_schlomo over 12 years
    Also, Barada is another solution that looks promising; instead of paper one-time passwords, it uses a smartphone to generate the password from a PIN you supply. If you are on a trusted system you can just enter your standard password.
  • mr_schlomo
    mr_schlomo over 12 years
    A more active project is Google Authenticator.
  • mr_schlomo
    mr_schlomo over 12 years
    Sorry to add another comment, but I found Duo Security which also looks like a great OTP/dual factor authentication option.
  • Mat
    Mat over 12 years
    You should edit your answer to include all that.