SSH authentication: (public key xor password) + google authenticator code

debiangoogle-authenticatorpamsshtwo-factor-authentication

I'm using Debian bullseye. I'm trying to set up SSH two types logins:

password + code from Google's Authenticator (if user set it, "nullok" option),
public key + code from Google's Authenticator (if user set it, "nullok" option).

Type #1 works for me.
In type #2 I have public key + password (not public key passphrase) + code from GA. I added this line to /etc/ssh/sshd_config

AuthenticationMethods publickey,keyboard-interactive keyboard-interactive

I'd like to user won't be prompted for password if key was supplied. Precisely, how to bypass pam_unix.so demand if public key was provided?

Is there any way to accomplish what I want on one machine? Thanks in advance.

Best Answer

Probably I solved it.

CERN's PAM_2FA project contains minor pam module: pam_ssh_user_auth.so. This module can tell PAM if there was any previously successful sshd authentications like public key (PAM_SUCCESS). So I made following changes in:

/etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication yes 
UsePAM yes 
AuthenticationMethods keyboard-interactive:pam publickey,keyboard-interactive:pam

/etc/pam.d/sshd:

auth    [success=2 ignore=ignore default=die]   pam_ssh_user_auth.so
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    [success=ok ignore=ignore default=bad]        pam_google_authenticator.so nullok
auth    required        pam_permit.so

It allows to skip prompt for password when public key was given.

Related Solutions

SSH keys fail for one user

Two parts: first, turn up debugging on your ssh sever. Edit /etc/ssh/sshd_config and increase LogLevel to DEBUG. Then force your ssh server to reload it's config with killall -HUP <sshd pid>.

That will cause the server to add much more details to your /var/log/secure and/or /var/log/auth logfiles.

Secondly (actually you cant try this first), increase the debug level on the client side. ssh in to the box with

$ ssh -vvv hostname

and that will print out lots more info about where the process is failing.

If you do turn up the debug level on your ssh server, don't forget to turn it back down when you are finished.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

SSH keys fail for one user

Ssh – How to automate SSH login with password

Related Topic