How-To-Secure-A-Linux-Server icon indicating copy to clipboard operation
How-To-Secure-A-Linux-Server copied to clipboard

Published 20 hours ago verified publisher icon imthenachoman

2FA/MFA for SSH does not work as described

Open ghost opened this issue 4 years ago • 6 comments

I followed the instructions step by step and it did not work for me at the beginning.

My solution how it works for me: In the file /etc/ssh/sshd_config I had to add AuthenticationMethods publickey,keyboard-interactive

And I removed the nullok in the file /etc/pam.d/sshd. But I don't know if this is necessary.

ghost avatar Oct 16 '21 05:10 ghost

Humm. What distribution are you on? I do not recall having this issue.

imthenachoman avatar Jan 16 '22 20:01 imthenachoman

In my case the 2FA doesn't work. SSH just skips that part entirely.

Basically, I type in ssh user@host, I enter my password and it drops me into the shell instantly without asking me for a 2FA code. The suggestions by @B1ack3ye don't help in my case. My /etc/ssh/sshd_config is the exact same as described in the README and I also added that line into the PAM config. Is it maybe because the request comes from the inside of the network?

Distro: Ubuntu 22.04 (Desktop version, inside VM)

Mondei1 avatar May 06 '22 18:05 Mondei1

Same. The configurations allow me to connect without 2FA. If I add the line AuthenticationMethods publickey,keyboard-interactive then the issue is that the 2FA code does not work, the code is right, I left the flexible settings on the authenticator, but codes don't work.

igormuba avatar Jul 05 '22 14:07 igormuba

As stated in the guide, the steps don't set up MFA to work with public key authentication.

However, the guide states that in the 'documentation' it should be specified, this is not the case: there is no information about setting up 2FA/MFA with public key authentication, neither on the repo nor in the manual.

My opinion is that, since we're setting up SSH to only use public key authentication, this setup should a) be provided as alternative steps, or b) not provided.

AngeloThys avatar Apr 23 '24 19:04 AngeloThys

Steps For Public Key + TOTP MFA

Modify PAM's SSH configuration file to enable MFA

Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so nullok

This line states that MFA is required for SSH login, unless MFA has not been set up yet for the user.

Comment out the following lines in /etc/pam.d/sshd:

# We only want PAM to handle MFA, not password auth
# Standard Un*x authentication.
# @include common-auth

# As stated before, PAM will not handle password auth
# Standard Un*x password updating.
# @include common-password

Modify sshd_config to enable MFA

Add the following line to /etc/ssh/sshd_config:

# Explicitly set public key authentication
PubkeyAuthentication yes

# Activate keyboard authentication to be able to enter our TOTP
KbdInteractiveAuthentication yes

# Set authentication methods
AuthenticationMethods publickey,keyboard-interactive:pam

# Activate PAM to be able to use google auth pam module
UsePAM yes

Restart the SSH service

sudo systemctl restart sshd

This configuration will require us to have a private key, and a TOTP MFA code.

AngeloThys avatar Apr 24 '24 09:04 AngeloThys