google / google-authenticator-libpam

Apache License 2.0

nullok doesn't work as expected #197

Closed MartinMargenta42 closed 3 years ago

MartinMargenta42 commented 3 years ago

Hello, I am confused about the option "nullok", because for me it doesn't work as expected. My understanding is that the "nullok" option allows users that have not yet generated a 2FA code to log in, while codes are required. So, it is during the rollout.

What I did is the following on my Ubuntu 20.04: I added "auth required pam_google_authenticator.so nullok" to the bottom of the /etc/pam.d/sshd and I commented "@include common-auth" out. Afterwards I edited /etc/ssh/sshd_config in order to set:

ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

After restarting the sshd service the user is not able to login to the system if he didn't generate the token before.

Maybe I misinterpreted something or didn't find the correct manual in order to find the correct description for the "nullok" option. Could someone please clarify the option for me?

ThomasHabets commented 3 years ago

Also your SSH uses UsePAM yes?

But I think the problem here is that nullok doesn't actually say access granted when config is missing. It says "I have no opinion" (PAM_IGNORE).

So you may need, in addition to your current auth required, another that says auth required pam_permit.so. Because PAM requires that at least one auth succeeds. It's not enough that none fail.
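The stack behaviour described in the comment above, worked through as an added illustration (this is not code from google-authenticator-libpam or Linux-PAM): a toy dispatcher that models only the `auth required` control flag, with a stand-in for pam_google_authenticator that returns PAM_IGNORE when the user has no secret file and nullok is set. The rule that a stack to which no module contributed a result ends in PAM_PERM_DENIED is taken from the explanation in the thread and is an assumption of the model; the user records and OTP outcomes are constructed sample data.

```python
"""Toy model of Linux-PAM 'auth required' chaining, added to show why
'nullok' alone does not grant access and why 'auth required pam_permit.so'
makes the rollout stack work.  Not part of google-authenticator-libpam."""
from dataclasses import dataclass

# Simplified return codes (names mirror the PAM constants).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


@dataclass
class User:
    """Constructed sample user: whether ~/.google_authenticator exists and
    whether the OTP typed at the prompt would verify."""
    name: str
    has_secret: bool
    otp_ok: bool = False


def google_authenticator(user: User, nullok: bool) -> str:
    """Stand-in for pam_google_authenticator.so.  With nullok and no secret
    file it says 'no opinion' (PAM_IGNORE); otherwise the OTP decides."""
    if not user.has_secret:
        return PAM_IGNORE if nullok else PAM_AUTH_ERR
    return PAM_SUCCESS if user.otp_ok else PAM_AUTH_ERR


def pam_permit(user: User, nullok: bool = False) -> str:
    """Stand-in for pam_permit.so: always succeeds."""
    return PAM_SUCCESS


def run_auth_stack(stack, user: User) -> str:
    """Dispatch a list of (module, nullok) entries, all treated as
    'auth required'.  Model (assumption, matching the thread):
      - PAM_IGNORE contributes nothing to the final result;
      - the first failure wins, but every module still runs;
      - if no module contributed anything, the result is PAM_PERM_DENIED."""
    result = None
    for module, nullok in stack:
        rc = module(user, nullok)
        if rc == PAM_IGNORE:
            continue
        if rc == PAM_SUCCESS:
            if result is None:
                result = PAM_SUCCESS
        elif result in (None, PAM_SUCCESS):
            result = rc  # first failure is the one reported
    return PAM_PERM_DENIED if result is None else result


# /etc/pam.d/sshd as in the original report (only nullok):
#   auth required pam_google_authenticator.so nullok
ROLLOUT_BROKEN = [(google_authenticator, True)]

# Rollout stack suggested in the thread:
#   auth required pam_google_authenticator.so nullok
#   auth required pam_permit.so
ROLLOUT = [(google_authenticator, True), (pam_permit, False)]

# After every user has enrolled, drop nullok and pam_permit:
#   auth required pam_google_authenticator.so
ENFORCED = [(google_authenticator, False)]


def demo() -> dict:
    """Run each constructed user through each stack; returns the outcomes."""
    new_user = User("alice", has_secret=False)
    enrolled_wrong_otp = User("bob", has_secret=True, otp_ok=False)
    enrolled_good_otp = User("bob", has_secret=True, otp_ok=True)
    return {
        "nullok_only/new_user": run_auth_stack(ROLLOUT_BROKEN, new_user),
        "rollout/new_user": run_auth_stack(ROLLOUT, new_user),
        "rollout/enrolled_wrong_otp": run_auth_stack(ROLLOUT, enrolled_wrong_otp),
        "rollout/enrolled_good_otp": run_auth_stack(ROLLOUT, enrolled_good_otp),
        "enforced/new_user": run_auth_stack(ENFORCED, new_user),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30s} -> {outcome}")
```

The two things the model makes visible: a stack consisting only of the nullok module yields nothing but PAM_IGNORE for an un-enrolled user, so the login is denied, which is the behaviour in the original report; and once a user has a secret file, nullok no longer applies and a wrong OTP fails the `required` entry regardless of the trailing pam_permit, so the rollout stack does not weaken enforcement for enrolled users. The real Linux-PAM dispatcher also has `sufficient`, `requisite` and `[value=action]` controls that this toy omits.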

MartinMargenta42 commented 3 years ago

Thank you for your description. After confirming that UsePAM is set to yes, I added auth required pam_permit.so to the /etc/pam.d/sshd configuration. Afterwards I am able to login without the need to use a token.

The suspect thing is that after configuring the token (google-authenticator -t -d -w 3 -r 3 -R 30) and logging out from the system I am still able to login without a token.

Does this mean that after the rollout for all users I have to delete the auth required pam_permit.so and the nullok?

ThomasHabets commented 3 years ago

hmm… no that shouldn't work. nullok should force OTP to pass if the config is present.

You can add debug and see what the logs say.

Do you not even get prompted for the OTP after it's been configured?

MartinMargenta42 commented 3 years ago

Thank you for your reply.

It seemed to be an OSI Layer 8 issue because after I tried to repro the issue with another Ubuntu system the token was requested as soon as I configured google authenticator.

MartinMargenta42 commented 3 years ago

Problem solved