I'm trying to enable 2FA with ssh using libpam-google-authenticator. Not all users need authenticator enabled. Everybody uses ssh public keys, and nobody has a password. I'm running Debian buster, and I've also tried libpam-google-authenticator from bullseye.
My problem is that no matter what I put in the PAM config, users without authenticator enabled are never logged straight in, but always asked for a password.
I've install libpam-google-authenticator and configured /etc/ssh/sshd_config with:
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
PermitEmptyPasswords no
I haven't been able to work out the correct PAM config so that users without a .google_authenticator file are still logged in. Depending on what I use, users are either prompted for a password (they don't have one), or not allowed in at all.
In /etc/pam.d/sshd I've tried (like this Trying to get SSH with public key (no password) + google authenticator working on Ubuntu 14.04.1):
#@include common-auth
auth required pam_google_authenticator.so debug nullok
In this case, users without an authenticator setup get rejected with the following debug;
Aug 05 15:11:18 <host> sshd(pam_google_authenticator)[746624]: debug: start of google_authenticator for "<user>"
Aug 05 15:11:18 <host> sshd(pam_google_authenticator)[746624]: debug: end of google_authenticator for "<user>" Result: The return value should be ignored by PAM dispatch
Aug 05 15:11:18 <host> sshd[746620]: error: PAM: Permission denied for <user> from <IP>
Is pam_permit
is needed to set up the fallback case?
I've also tried various combinations of auth required
and auth sufficient
before and after @include common-auth
but they all result in users without authenticator being asked for a password and sometimes users WITH authenticator also being asked for a password.
Does anyone have a recipe to make this work?
Best Answer
Here is my working configuration. Some users have authenticator enabled and some don't, and only SSH logins with public keys are permitted, never passwords.
In /etc/ssh/sshd_config,
In /etc/pam.d/sshd,
@include comon-auth
must be disabled because it includes pam_unix, which I don't want to use. Then you needpam_permit
to make authentication successful for users without authenticator (for whichpam_google_authenticator
returns ignore rather than pass).This still doesn't let root login with an ssh key; sshd logs
This is discussed at Google Authenticator PAM on SSH blocks root login without 2FA .
Having gotten this working as above, I think it's actually nicer to enforce 2FA for certain groups using the SSH config as @zoredache suggested. This easily allows you to whitelist certain IPs as not requiring 2FA also. In this case, sshd_config says for example
and /etc/pam.d/ssh says