google / google-authenticator-libpam

Apache License 2.0

otp code isnt requested when logging in with rsa key #188

Closed GGEZLOLLLLLLLLLLLLLLLLXD closed 3 years ago

GGEZLOLLLLLLLLLLLLLLLLXD commented 3 years ago

A verification code isn't prompted if logging in with a key using ssh -i minecraft-server-key minecraft@raspberrypi, skipping straight to the command line prompt. I don't want key-based login to skip the authentication process, as the keyfile and passphrase may be stolen.

/var/log/auth.log (minecraft is a user that I host servers on)

Oct 17 15:26:21 raspberrypi systemd-logind[429]: Removed session 170.
Oct 17 15:26:22 raspberrypi sshd[11494]: Accepted publickey for minecraft from [ip] port 52823 ssh2: RSA SHA256:[hash]
Oct 17 15:26:22 raspberrypi sshd[11494]: pam_unix(sshd:session): session opened for user minecraft by (uid=0)
Oct 17 15:26:22 raspberrypi systemd-logind[429]: New session 171 of user minecraft.

/etc/pam.d/sshd

# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
@include common-session
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
@include common-password
auth required pam_google_authenticator.so nullok echo_verification_code noskewadj

/etc/sshd/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
ClientAliveInterval 240
ClientAliveCountMax 3
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

ThomasHabets commented 3 years ago

This is an OpenSSH config question. See the option https://man.openbsd.org/sshd_config#AuthenticationMethods

But I'm not aware of a way to make PAM not ask for password, only OTP, when key is correct. If you're fine with OTP+key only, then that's no problem.

GGEZLOLLLLLLLLLLLLLLLLXD commented 3 years ago

Are per-user pam requirements a thing? Then I could write a bash script or something so users can switch between the two

ThomasHabets commented 3 years ago

Kinda yes. You could do something like:

auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/users-allowed-to-skip-otp.txt
auth required pam_google_authenticator.so [...]

Or something like that. The "1" is "skip next 1 lines".

Maybe that answers your question? I'm not quite sure what you're trying to do.
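Two things in this thread are easy to get wrong, so here is an added example (not code from google-authenticator-libpam or from either commenter) that models both. First, a publickey login never runs the PAM `auth` stack at all: sshd only calls the account and session stages, which is why the log above shows `pam_unix(sshd:session)` but no prompt from `pam_google_authenticator`, however the `auth` line in `/etc/pam.d/sshd` is written. The `AuthenticationMethods` directive linked above is what forces a `keyboard-interactive` round (and therefore the PAM `auth` stack) after the key. Second, the `[success=1 default=ignore]` control on `pam_listfile.so` is a jump, as the reply above says, and the evaluator below walks a stack with those control flags to show which modules are actually consulted. The sshd_config and PAM fragments are constructed from the thread (common-auth flattened to its `pam_unix.so` line; `/etc/users-allowed-to-skip-otp.txt` is the hypothetical allow-list path from the reply), and the control-flag semantics follow pam.conf(5).

```python
"""Model of (1) whether a key-only SSH login ever reaches the PAM 'auth' stack and
(2) how Linux-PAM control flags decide which modules in that stack run.
Added example, not part of google-authenticator-libpam."""
import re

# Constructed: the issue's sshd_config has no AuthenticationMethods line, so any
# single successful method (including publickey) completes the login.
SSHD_CONFIG_ORIGINAL = """\
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed: same fragment plus the directive from the sshd_config(5) link.
SSHD_CONFIG_REQUIRE_KEY_AND_OTP = """\
ChallengeResponseAuthentication yes
UsePAM yes
# a valid key AND a keyboard-interactive round through PAM, where pam_google_authenticator prompts
AuthenticationMethods publickey,keyboard-interactive:pam
"""

# Constructed: the per-user skip from the thread, with common-auth flattened to pam_unix.
PAM_SSHD_PER_USER_SKIP = """\
auth required pam_unix.so
auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/users-allowed-to-skip-otp.txt
auth required pam_google_authenticator.so nullok
"""


def authentication_methods(sshd_config: str):
    """Parse AuthenticationMethods into a list of chains (each a list of methods).
    Returns None when the directive is absent: sshd then accepts any one method."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "authenticationmethods":
            return [chain.split(",") for chain in value.split()]
    return None


def key_only_login_skips_pam_auth(sshd_config: str) -> bool:
    """True if a client presenting only a valid key finishes the login without a
    keyboard-interactive round, i.e. without sshd ever calling the PAM 'auth' stack."""
    chains = authentication_methods(sshd_config)
    if chains is None:
        return True
    # Any chain satisfiable by publickey alone lets the key-only client in.
    return any(all(m.split(":")[0] == "publickey" for m in chain) for chain in chains)


# Shorthand control words expanded to their bracketed form, per pam.conf(5).
_SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_auth_stack(pam_text: str):
    """Return [(actions, module)] for the 'auth' lines of a pam.d file.
    '@include' lines are not expanded; the sample stack is written flat."""
    stack = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("auth"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            raise ValueError(f"cannot parse PAM line: {line}")
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = _SHORTHAND[control]
        stack.append((actions, module))
    return stack


def evaluate_auth_stack(stack, results):
    """Walk the stack. `results` maps module name -> return code ('success', 'auth_err', ...);
    modules not listed are assumed to return 'success'. Returns (final_result, consulted)."""
    impression = None       # None = undefined, True = positive, False = negative
    status = "perm_denied"  # Linux-PAM denies when no module contributes a result
    consulted = []
    i = 0
    while i < len(stack):
        actions, module = stack[i]
        i += 1
        retval = results.get(module, "success")
        consulted.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action.isdigit():
            # 'N' is 'ok' plus jumping over the next N modules (the "skip next 1 lines" above)
            i += int(action)
            action = "ok"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if action == "done" and impression:
                break  # 'sufficient' short-circuits only when nothing required has failed
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval  # first failure is the one reported
            if action == "die":
                break
    return status, consulted


if __name__ == "__main__":
    for name, cfg in (("original", SSHD_CONFIG_ORIGINAL),
                      ("with AuthenticationMethods", SSHD_CONFIG_REQUIRE_KEY_AND_OTP)):
        print(f"{name}: key-only login skips PAM auth stack: {key_only_login_skips_pam_auth(cfg)}")
    stack = parse_auth_stack(PAM_SSHD_PER_USER_SKIP)
    for listed in (True, False):
        outcome = evaluate_auth_stack(stack, {"pam_listfile.so": "success" if listed else "auth_err"})
        print(f"user in allow-list={listed}: {outcome}")
```

With `AuthenticationMethods publickey,keyboard-interactive:pam`, the keyboard-interactive round runs the whole `auth` stack, so a key holder is also asked for the `pam_unix.so` password unless `@include common-auth` is removed from `/etc/pam.d/sshd`; that is the "OTP+key only" configuration mentioned above, and the evaluator shows that a wrong verification code still fails the stack even when `pam_unix.so` succeeded, because `required` records the first failure rather than stopping.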

GGEZLOLLLLLLLLLLLLLLLLXD commented 3 years ago

I'm trying to make it so that key logins and password logins both require the extra otp code.

ThomasHabets commented 3 years ago

@GGEZLOLLLLLLLLLLLLLLLLXD but also not require a password when a key was used, right?

Sounds like you'd want a PAM module that can check if a key was used to log in thus far, and then use that in your PAM config to skip pam_unix.

Maybe this info is in SSH_USER_AUTH if ExposeAuthInfo is enabled. Hopefully that's set before calling PAM.

But this would be a question for PAM and OpenSSH. I don't think it should be baked into this GA PAM module, since that would prevent reuse with other modules.