I'm trying to enable 2FA with ssh using libpam-google-authenticator. Not all users need authenticator enabled. Everybody uses ssh public keys, and nobody has a password. I'm running Debian buster, and I've also tried libpam-google-authenticator from bullseye. My problem is that no matter what I put in the PAM config, users without authenticator enabled are never logged straight in, but always asked for a password.

I've installed libpam-google-authenticator and configured /etc/ssh/sshd_config with:

PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

I haven't been able to work out the correct PAM config so that users without a .google_authenticator file are still logged in. Depending on what I use, users are either prompted for a password (they don't have one), or not allowed in at all.

In /etc/pam.d/sshd I've tried (like this: Trying to get SSH with public key (no password) + google authenticator working on Ubuntu 14.04.1):

common-auth
auth required pam_google_authenticator.so debug nullok

In this case, users without an authenticator setup get rejected with the following debug:

Aug 05 15:11:18 sshd(pam_google_authenticator): debug: start of google_authenticator for ""
Aug 05 15:11:18 sshd(pam_google_authenticator): debug: end of google_authenticator for "" Result: The return value should be ignored by PAM dispatch
Aug 05 15:11:18 sshd: error: PAM: Permission denied for from

I've also tried various combinations of auth required and auth sufficient before and after common-auth but they all result in users without authenticator being asked for a password and sometimes users WITH authenticator also being asked for a password.

Does anyone have a recipe to make this work? Is pam_permit needed to set up the fallback case?

Some users have authenticator enabled and some don't, and only SSH logins with public keys are permitted, never passwords. In /etc/pam.d/sshd,

# Standard Un*x common-auth

common-auth must be disabled because it includes pam_unix, which I don't want to use.

# Require authenticator, if not configured then allow
auth required

Then you need pam_permit to make authentication successful for users without authenticator (for which pam_google_authenticator returns ignore rather than pass).

This still doesn't let root login with an ssh key; sshd logs:

sshd: fatal: Internal error: PAM auth succeeded when it should have failed

This is discussed at Google Authenticator PAM on SSH blocks root login without 2FA.

Having gotten this working as above, I think it's actually nicer to enforce 2FA for certain groups using the SSH config as suggested. This easily allows you to whitelist certain IPs as not requiring 2FA also.