google / google-authenticator-libpam

Apache License 2.0

Ask for a second factor (OTP) even if username is not valid #170

Open AloisHofstaetter opened 4 years ago

AloisHofstaetter commented 4 years ago

Hi,

I am playing around with Debian 10, OpenSSH and the Google Authenticator PAM module. So far so good. Almost everything works as expected. I am using password and OTP. PAM is configured to ask for the OTP even if the password is not valid. Now I found out SSHD is not going to ask for the OTP if the username is not valid. That is useful for intruders, to guess usernames, but absolutely not what I want.

I thought it would be a good idea if the system behaves the same and asks for the OTP, no matter if the password is valid or not. Am I wrong? Is there a way to ask for the OTP even if the user is not valid?

Thanks for your answers.

ThomasHabets commented 4 years ago

Do the logs imply that sshd calls PAM at all for nonexisting users?

(I'm not sure)

davama commented 4 years ago

I believe that is the behavior. At least that's what I get:


/usr/bin/ssh -l monkey -4 server
Password:
Your secret token: 816474
Password:
Your secret token: 19287443
Received disconnect from 10.X.x.x port 22:2: Too many authentication failures
Disconnected from 10.X.x.x port 22

There is no “monkey” username...

AloisHofstaetter commented 4 years ago

Thanks so far. @davama, would you please share your anonymized ssh_config and PAM file with me?

davama commented 4 years ago

Only added this line to pam /etc/pam.d/sshd

auth       required /usr/local/lib/security/pam_google_authenticator.so echo_verification_code [authtok_prompt=Your secret token: ]

Don't think my whole sshd config is relevant. All you need for password & OTP auth is:

ChallengeResponseAuthentication yes

AloisHofstaetter commented 4 years ago

Doesn't work for me

uwedisch commented 2 years ago

I have not tested this, but the nullok module option for pam_google_authenticator.so should be the reason.

hakostra commented 1 year ago

I keep this issue "warm". I followed the Ubuntu guide on setting up TOTP 2FA SSH authentication: https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview

Specifically I added the line auth required pam_google_authenticator.so at the beginning of /etc/pam.d/sshd, in that way it will ask for the verification code before the regular password, and because the pam_google_authenticator.so is required and not requisite, it will always continue and prompt for password even if the verification code is incorrect. In this way you cannot brute-force or guess the password without the correct 2FA token.

A correct login sequence then looks like:

$ ssh validuser@hostname
Verification code: 
Password: 
Last login: Fri Oct 21 10:09:45 2022 from

And if either the TOTP and/or the password is wrong, both are re-prompted without giving hints towards which of them is incorrect. So far so good.

However, if I try to log in with a user that does not exist on the system, then there is no "Verification code" prompt, just the password prompt. This can be exploited to extract information about the usernames on the system. Maybe not a very big deal, but nevertheless slightly annoying. Such a failed attempt looks like:

$ ssh banana@hostname
Password: 
Password:

if the user banana does not exist.

Is it possible to configure google-authenticator such that it always prompts for a verification code, even if the username is absent or otherwise incorrectly configured (e.g. missing .google_authenticator file)? The login in this case should obviously always fail...
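The behaviour described in this thread (a `required` module that does not converse for a missing account, so the client sees a different prompt sequence) can be reproduced with a small model of the Linux-PAM auth stack. The following is an added example written for this page; it is not code from google-authenticator-libpam, OpenSSH or any participant above. It assumes, based on the observations reported in the thread, that pam_google_authenticator returns a failure without prompting when the account or its secret file is missing, that pam_unix always prompts for a password, and it uses a constructed account table and a fixed verification code instead of real TOTP computation.

```python
"""Model of a Linux-PAM auth stack showing the username-enumeration oracle.

Added example for this issue thread; not code from google-authenticator-libpam.
Module behaviour, accounts and the fixed verification code are assumptions.
"""
from dataclasses import dataclass, field

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

# Constructed account table (assumption): which names exist and which of them
# have a ~/.google_authenticator secret file.
ACCOUNTS = {
    "validuser": {"password": "correct horse", "totp_secret": True},
    "legacy":    {"password": "hunter2",       "totp_secret": False},
}
VALID_CODE = "123456"  # stands in for a real TOTP value (assumption)


@dataclass
class Session:
    """The PAM conversation as seen by a remote SSH client."""
    user: str
    answers: dict = field(default_factory=dict)   # client's reply per prompt
    prompts: list = field(default_factory=list)   # what the client actually saw

    def converse(self, prompt):
        self.prompts.append(prompt)
        return self.answers.get(prompt, "")


def pam_unix(sess):
    # pam_unix prompts whether or not the account exists (assumption).
    pw = sess.converse("Password: ")
    acct = ACCOUNTS.get(sess.user)
    return PAM_SUCCESS if acct and acct["password"] == pw else PAM_AUTH_ERR


def pam_google_authenticator(sess, nullok=False):
    # Assumption matching the thread: the secret is looked up before any
    # prompt, so a missing account (or missing secret) never converses.
    acct = ACCOUNTS.get(sess.user)
    if acct is None:
        return PAM_AUTH_ERR
    if not acct["totp_secret"]:
        return PAM_IGNORE if nullok else PAM_AUTH_ERR
    code = sess.converse("Verification code: ")
    return PAM_SUCCESS if code == VALID_CODE else PAM_AUTH_ERR


def pam_google_authenticator_nullok(sess):
    return pam_google_authenticator(sess, nullok=True)


def run_stack(stack, sess):
    """Simplified Linux-PAM control-flag semantics for an auth stack.

    required : failure is recorded but later modules still run
    requisite: failure ends the stack immediately
    sufficient: success ends the stack with success unless a required
                module already failed; failure is ignored
    """
    first_failure = None
    for control, module in stack:
        rc = module(sess)
        if rc == PAM_IGNORE:
            continue
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc
        if control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS
    return first_failure or PAM_SUCCESS


# The /etc/pam.d/sshd orderings discussed above, as (control, module) pairs.
STACK_REQUIRED  = [("required",  pam_google_authenticator), ("required", pam_unix)]
STACK_REQUISITE = [("requisite", pam_google_authenticator), ("required", pam_unix)]
STACK_NULLOK    = [("required",  pam_google_authenticator_nullok), ("required", pam_unix)]


def prompt_sequence(stack, user, answers=None):
    """Return (pam result, list of prompts the client saw) for one attempt."""
    sess = Session(user, answers or {})
    return run_stack(stack, sess), sess.prompts


def enumeration_oracle(stack, known_user, probe_user):
    """True if a probe of `probe_user` yields different prompts than an account
    known to exist: the stack leaks whether `probe_user` is a real account."""
    return prompt_sequence(stack, known_user)[1] != prompt_sequence(stack, probe_user)[1]


if __name__ == "__main__":
    for name, stack in (("required", STACK_REQUIRED), ("requisite", STACK_REQUISITE),
                        ("nullok", STACK_NULLOK)):
        for user in ("validuser", "legacy", "banana"):
            rc, prompts = prompt_sequence(stack, user)
            print(f"{name:9} {user:10} {rc:13} prompts={prompts}")
        print(f"{name:9} leaks existence of 'banana':",
              enumeration_oracle(stack, "validuser", "banana"))
```

Running the module prints the prompt sequence each ordering produces for an existing account, an account without a secret file, and a nonexistent name; `enumeration_oracle` is true for every stack shown because the missing-account path never reaches the conversation, which is exactly the distinguishing signal the thread reports. The `requisite` variant additionally reveals whether the verification code was correct, since a wrong code ends the stack before the password prompt.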