I'm configuring google two-factor authentication on an outbound server in the company I work for.
Here are the relevant configurations:
/etc/ssh/sshd_config
:
ubuntu@stage-itai-1:~$ egrep -v '^#' /etc/ssh/sshd_config | sed '/^\s*$/d'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Match Group gauth
AuthenticationMethods publickey,keyboard-interactive
/etc/pam.d/sshd
:
ubuntu@stage-itai-1:~$ egrep -v '^#' /etc/pam.d/sshd | sed '/^\s*$/d'
auth required pam_google_authenticator.so nullok
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
Users which are members of the the "gauth" group should be enforced to supply both publickey and Google verification code, that is intended and working.
Users which are not members of the "gauth" group are supposed to be enforced to supply publickey, but in reality they are able to connect to the machine without supplying a publickey nor a password.
There is one special user on the machine which is called "rescue" and this user is supposed to be enforced to supply only a password and it's aim is to never get locked out of the machine but in reality the user is able to connect without a password at all.
My question is, how do I enforce my "supposed" rules, which means that:
- users of the "gauth" group must supply both public-key and Google OTP
- users which are not members of the "gauth" group should be able to log-in only by supplying a public-key.
- user "rescue" should be able to log-in only by supplying a password (or by also supplying a public-key).
How can it be done?
Edit #1:
Following FaCe's answer, I've configured /etc/ssh/sshd_config
like so:
I've changed PasswordAuthentication back to "Yes" and "ChallengeResponseAuthentication" back to "No" for the whole file and then added at the bottom of the file the following lines:
Match Group guath
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User rescue
PasswordAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods password
After reseting the ssh service I'm unable to log in, no matter which user I'm using, I get the following error:
ssh_exchange_identification: Connection closed by remote host
And nothing is displayed in /var/log/auth.log
.
Can anyone please shed some light on the matter?
Best Answer
You need to use multiple Match Group directives: