
Require SSH key + Google Authenticator for one account, SSH key only for another

Discussion in 'Main Forum' started by Yankee, Sep 12, 2018.

Yankee (Guest)

    I am trying to set up an SSH authentication structure, but I'm struggling with issues in /etc/ssh/sshd_config vs /etc/pam.d/sshd.

    Requirements:

    1. Accounts with root/sudo privileges
      • require public key authentication, followed immediately by
      • Google Authenticator
    2. Unprivileged accounts
      • require only public key authentication

    In other words, password-based authentication should not be allowed, and public key authentication is always required, with Google Authenticator being conditionally required.

    What is working:

    Privileged accounts work exactly as I need: public key followed by Google Authenticator. I also verified that public keys missing from ~/.ssh/authorized_keys are rejected, and verified that login attempts without supplying any key are rejected.

    What is not working:

    Unprivileged accounts seem to correctly prompt for the password to unlock the private key, and I think the key succeeds. But authentication fails with the message:

    Permission denied (keyboard-interactive).

    $ ssh -v -i id_rsa_unprivileged unprivileged@blahblah
    debug1: Server accepts key: pkalg ssh-rsa blen 2071
    Enter passphrase for key 'id_rsa_unprvileged':
    Authenticated with partial success.
    debug1: Authentications that can continue: keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: keyboard-interactive
    debug1: No more authentication methods to try.
    unprivileged@blahblah: Permission denied (keyboard-interactive).

    $ sudo cat /var/log/auth.log
    Sep 3 00:44:13 hostname sshd[4249]: pam_succeed_if(sshd:auth): requirement "user ingroup 2faexempt" was met by user "unprivileged"
    Sep 3 00:44:13 hostname sshd[4247]: error: PAM: Permission denied for unprivileged from IP ADDRESS
    Sep 3 00:44:13 hostname sshd[4247]: Connection closed by IP ADDRESS port PORT [preauth]


    Note: Unprivileged accounts are correctly rejecting public keys missing from ~/.ssh/authorized_keys, and are rejecting login attempts that don't supply a key.

    What I did:

    My strategy was to create a group called "2faexempt", and add those accounts which should be exempted from two-factor authentication (the unprivileged accounts). Then I edited /etc/ssh/sshd_config and /etc/pam.d/sshd to reflect the policy I need.

    $ cat /etc/ssh/sshd_config
    # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.

    Port 22
    AddressFamily inet
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key

    # Ciphers and keying
    #RekeyLimit default none

    # Logging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    PubkeyAuthentication yes

    # Expect .ssh/authorized_keys2 to be disregarded by default in future.
    AuthorizedKeysFile .ssh/authorized_keys

    #AuthorizedPrincipalsFile none

    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    # USER ADDED
    #
    AuthenticationMethods publickey,keyboard-interactive

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    PrintMotd no
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation sandbox
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS no
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none

    # no default banner path
    #Banner none

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    # override default of no subsystems
    Subsystem sftp /usr/lib/openssh/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # PermitTTY no
    # ForceCommand cvs server




    $ cat /etc/pam.d/sshd
    # PAM configuration for the Secure Shell service

    # USER COMMENTED
    #
    ## Standard Un*x authentication.
    #@include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account required pam_nologin.so

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account required pam_access.so

    # Standard Un*x authorization.
    @include common-account

    # SELinux needs to be the first session rule. This ensures that any
    # lingering context has been cleared. Without this it is possible that a
    # module could execute code in the wrong domain.
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

    # Set the loginuid process attribute.
    session required pam_loginuid.so

    # Create a new session keyring.
    session optional pam_keyinit.so force revoke

    # Standard Un*x session setup and teardown.
    @include common-session

    # Print the message of the day upon successful login.
    # This includes a dynamically generated part from /run/motd.dynamic
    # and a static (admin-editable) part from /etc/motd.
    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate

    # Print the status of the user's mailbox upon successful login.
    session optional pam_mail.so standard noenv # [1]

    # Set up user limits from /etc/security/limits.conf.
    session required pam_limits.so

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    session required pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    session required pam_env.so user_readenv=1 envfile=/etc/default/locale

    # SELinux needs to intervene at login time to ensure that the process starts
    # in the proper default security context. Only sessions which are intended
    # to run in the user's context should be run after this.
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

    # Standard Un*x password updating.
    @include common-password

    # USER ADDED
    #
    auth [success=1 default=ignore] pam_succeed_if.so user ingroup 2faexempt
    auth sufficient pam_google_authenticator.so
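Added example (not part of the original post): one way to express the policy described above so that members of the exempt group never reach the keyboard-interactive stage at all. It enforces the per-group rule in sshd_config with a Match block instead of a conditional jump in the PAM stack. Assumptions: the group name 2faexempt from the post, an OpenSSH release that supports Match and AuthenticationMethods, and the Debian-style /etc/pam.d/sshd layout shown in the post (only the auth lines are given here; the account and session lines stay as they are).

```conf
# --- /etc/ssh/sshd_config (excerpt; added example, assumes group 2faexempt) ---
# Global policy: every account must present an authorized key AND then
# satisfy PAM via keyboard-interactive (which runs pam_google_authenticator).
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

# Match blocks must come last: every directive after a Match line belongs
# to that block until the next Match line or end of file.
# Members of 2faexempt authenticate by key alone. sshd never offers
# keyboard-interactive to them, so the PAM auth stack is not consulted and
# the "Permission denied (keyboard-interactive)" path cannot be reached.
# Privileged accounts are not in the group, so the global two-step rule
# still applies to them.
Match Group 2faexempt
    AuthenticationMethods publickey

# --- /etc/pam.d/sshd (auth section only; account/session lines unchanged) ---
# With the per-group rule enforced in sshd_config, the pam_succeed_if skip is
# no longer needed. "required" rather than "sufficient" makes the intent
# explicit: a wrong or missing verification code always fails the stack.
auth required pam_google_authenticator.so
```

Why the original stack denies the exempt user: `[success=1 default=ignore]` jumps over exactly one module, and pam_google_authenticator.so is the last module in the stack, so the jump lands past the end with no auth module having returned success and PAM denies the login, which is what the auth.log excerpt shows. If the policy must stay in PAM rather than sshd_config, the PAM-side alternative is to add `auth required pam_permit.so` after the Google Authenticator line so that the jump lands on a module that succeeds. Whichever variant is used, check the effective per-user settings before relying on them, for example `sudo sshd -T -C user=unprivileged,host=example.invalid,addr=192.0.2.10 | grep -i authenticationmethods` (host and address are constructed values), validate the file with `sudo sshd -t`, and keep an existing session open while restarting sshd in case the new configuration locks the privileged accounts out.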
