google / google-authenticator-libpam

Apache License 2.0

Setup for SSH (authenticator & password) | (authenticator & publickey) with grace_period and whitelisted subnet #204

Closed SSchott closed 2 years ago

SSchott commented 2 years ago

Maybe someone can give me a hand here, and maybe I found something that is not the intentional behaviour for the authenticator. I have been banging my head with this one. I am not really experienced with PAM and so on, but if I understood things correctly, I should be able to achieve this by setting in sshd_config:

UsePAM yes
PasswordAuthentication yes
AuthenticationMethods keyboard-interactive,publickey keyboard-interactive,password

In this way I force SSH to check for both the authenticator and either password or publickey.

and in pam.d/ssh:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth        sufficient pam_google_authenticator.so grace_period=43200
auth        include  common-auth

where the first line whitelists my definition for the subnet. The sufficient allows the other PAM auth entries to not request the password again over the SSH primary request.

This setup seems to work fine without the grace_period and without the whitelisting, but... The issues I am facing:

1) If I try to connect from within the whitelisted subnet, the authenticator is skipped, and the password is requested even when a publickey is present due to auth include common-auth. AFAIK, there is no real PAM directive for publickeys. Any way to set this up properly?

2) If I try to connect from outside the whitelisted subnet, the first time it works fine, but after the grace_period gets triggered, and if no publickey is available, the password is requested (as expected!), but any gibberish can be passed as the pass and access is granted either way. I guess the authenticator is just giving a white card to the whole PAM stack, even when "a password" is requested. Is this intended?

ThomasHabets commented 2 years ago
  1. I seem to remember there being some environment variables being set by OpenSSH about the keys. But not sure.

  2. It's expected, at least. For grace period this PAM module gives PAM_SUCCESS, satisfying sufficient. It could in theory return PAM_IGNORE, which means "I have nothing to say one way or the other about this auth attempt". But that's not true. Within grace period is actually a sign of authentication. PAM_IGNORE is for things like "the user has no OTP configured" (and by default even that is PAM_AUTH_ERR, but is PAM_IGNORE if nullok is set).

In the end the thing you want to do sounds like make a PAM decision based on a pubkey. You should work with OpenSSH and PAM to have a module branch based on "was pubkey successfully used?".

Sounds like a fine use case, but not one for this project.

And I don't think anything here is working not-as-intended. Maybe there's some aspect I missed though.

Feel free to reopen if you think this could be handled better here, but otherwise I think I'll have to redirect to some PAM / OpenSSH forum.
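To make the point 2 behaviour concrete, here is an added simulation of how Linux-PAM walks the auth stack from the issue (it is not code from google-authenticator-libpam or from either commenter). It assumes a simplified model of the `required`, `sufficient` and `[success=N default=ignore]` control flags and stand-in module functions; `HARDENED_STACK` is a hypothetical variant that marks the OTP module `required` so the password module from common-auth is always consulted.

```python
# Simplified model of Linux-PAM auth-stack control flags (an assumption, not
# the real libpam implementation), showing why a grace-period PAM_SUCCESS from
# a module marked "sufficient" skips the password check that follows it.
SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

def pam_access(ctx):
    # Stand-in for pam_access with accessfile: success if the client host is whitelisted.
    return SUCCESS if ctx["rhost_whitelisted"] else AUTH_ERR

def pam_google_authenticator(ctx):
    # Within grace_period the module answers PAM_SUCCESS without asking for an OTP.
    return SUCCESS if (ctx["otp_ok"] or ctx["in_grace_period"]) else AUTH_ERR

def pam_unix(ctx):
    # Stand-in for the password module pulled in by "auth include common-auth".
    return SUCCESS if ctx["password_ok"] else AUTH_ERR

def run_stack(stack, ctx):
    """Walk a list of (control, module) entries and return the final verdict."""
    i, failed = 0, False
    while i < len(stack):
        control, module = stack[i]
        rc = module(ctx)
        if control == "sufficient":
            if rc == SUCCESS and not failed:
                return SUCCESS           # short-circuit: later entries never run
        elif control == "required":
            failed |= rc != SUCCESS      # keep walking, but remember the failure
        elif control.startswith("[success="):
            skip = int(control[len("[success="):].split()[0])
            if rc == SUCCESS:
                i += skip                # jump over the next `skip` entries
        i += 1                           # default=ignore: a failure is simply skipped
    return AUTH_ERR if failed else SUCCESS

# The stack from the issue: whitelist jump, sufficient OTP module, then common-auth.
ISSUE_STACK = [("[success=1 default=ignore]", pam_access),
               ("sufficient", pam_google_authenticator),
               ("required", pam_unix)]
# Hypothetical hardened variant: with "required", pam_unix still runs after a grace-period success.
HARDENED_STACK = [("[success=1 default=ignore]", pam_access),
                  ("required", pam_google_authenticator),
                  ("required", pam_unix)]

def outside_subnet_in_grace_wrong_password(stack):
    # Constructed scenario from point 2: non-whitelisted host, grace period active, bad password.
    ctx = dict(rhost_whitelisted=False, otp_ok=False, in_grace_period=True, password_ok=False)
    return run_stack(stack, ctx)

if __name__ == "__main__":
    print("issue stack   :", outside_subnet_in_grace_wrong_password(ISSUE_STACK))     # PAM_SUCCESS
    print("hardened stack:", outside_subnet_in_grace_wrong_password(HARDENED_STACK))  # PAM_AUTH_ERR
```

The same walker reproduces point 1 as well: a whitelisted host jumps over the OTP entry and lands on pam_unix, which is why the password prompt appears regardless of any public key.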

SSchott commented 2 years ago

Thanks for the reply. I will see what I can do with the other modules then.