Ssh – Combination of SSH key auth, and two-factor authentication

pampasswordsshtwo-factor

I was wondering if it is possible to accomplish the following, all at the same time:

Disable root logins
Enable SSH login for personal user, only via SSH keys
Enable SSH login for unprivileged user, with password authentication and two-factor authentication only

Using the Match block in sshd_config I was able to set this up so that in general PasswordAuthentication was disabled except for the unprivileged user (lets call it peon). SSH keys were required for logging in to the personal user (who has sudo capabilities).

However, when I try to enable two-factor authentication (pam_google_authenticator) I have to turn on ChallengeResponseAuthentication which seems to not work in a Match block, and is therefore turning password authentication back on for everyone.

Is there a way to accomplish this? I'm not overly great with this type of stuff, so detailed explanations would be really appreciated.

Thanks!

Best Answer

Recent versions of openssh include the AuthenticationMethods option:

Debian backported openssh-6.2 a while back, so I expect this to be available in Raspbian as well.

Specifies the authentication methods that must be successfully completed for a user to be granted access.

You can have the main block of your sshd_config with ChallengeResponseAuthentication enabled:

ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no

and then use AuthenticationMethods in your Match blocks (use Group matching instead of User matching to ease scalabity):

Match Group personal
  AuthenticationMethods publickey

Match Group peon
  PasswordAuthentication yes
  AuthenticationMethods publickey,keyboard-interactive

Aditionally, you can use pam_succeed_if(8) to trigger the two-factor-authentication only if a matching group requires it:

 auth required pam_succeed_if.so quiet user ingroup peon

Related Solutions

Ubuntu SSH – How to Set Up SSH with Public Key and Google Authenticator on Ubuntu 14.04.1

Have got it working well, first did:

apt-get install libpam-google-authenticator

In /etc/pam.d/sshd I have changed/added the following lines (at the top):

# @include common-auth
auth required pam_google_authenticator.so

And in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no

Works well and I now receive a "Verification code" prompt after authentication with public key. I am not sure how I would allow authentication with password+token OR key+token, as I have now effectively removed the password authentication method from PAM.

Using Ubuntu 14.04.1 LTS (GNU/Linux 3.8.0-19-generic x86_64) with ssh -v : OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014

SSH Key Authentication – How to Set Up SSH Key Authentication Using LDAP

Update LDAP to include the OpenSSH-LPK schema

We first need to update LDAP with a schema to add the sshPublicKey attribute for users:

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
    DESC 'MANDATORY: OpenSSH Public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
    DESC 'MANDATORY: OpenSSH LPK objectclass'
    MAY ( sshPublicKey $ uid )
    )

Create a script that queries LDAP for a user's public key:

The script should output the public keys for that user, example:

ldapsearch '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Update `sshd_config` to point to the script from the previous step

AuthorizedKeysCommand /path/to/script
AuthorizedKeysCommandUser nobody

Bonus: Update sshd_config to allow password authentication from internal RFC1918 networks as seen in this question:

Only allow password authentication to SSH server from internal network

Useful links:

EDIT: Added user nobody as suggested TRS-80