search

imthenachoman / How-To-Secure-A-Linux-Server

An evolving how-to guide for securing a Linux server.
Creative Commons Attribution Share Alike 4.0 International
17.09k stars 1.08k forks source link

2FA/MFA for SSH does not work as described #74

Open B1ack3ye opened 2 years ago

B1ack3ye commented 2 years ago

I followed the instructions step by step and it did not work for me at the beginning.

My solution how it works for me: In the file /etc/ssh/sshd_config I had to add AuthenticationMethods publickey,keyboard-interactive

And I removed the nullok in the file /etc/pam.d/sshd. But I don't know if this is necessary.

imthenachoman commented 2 years ago

Humm. What distribution are you on? I do not recall having this issue.

Mondei1 commented 2 years ago

In my case the 2FA doesn't work. SSH just skips that part entirely.

Basically, I type in ssh user@host, I enter my password and it drops me into the shell instantly without asking me for a 2FA code. The suggestions by @B1ack3ye don't help in my case. My /etc/ssh/sshd_config is the exact same as described in the README and I also added that line into the PAM config. Is it maybe because the request comes from the inside of the network?

Distro: Ubuntu 22.04 (Desktop version, inside VM)

igormuba commented 2 years ago

Same. The configurations allow me to connect without 2FA. If I add the line AuthenticationMethods publickey,keyboard-interactive then the issue is that the 2FA code does not work, the code is right, I left the flexible settings on the authenticator, but codes don't work.

AngeloThys commented 3 months ago

As stated in the guide, the steps don't set up MFA to work with public key authentication.

However, the guide states that in the 'documentation' it should be specified, this is not the case: there is no information about setting up 2FA/MFA with public key authentication, neither on the repo nor in the manual.

My opinion is that, since we're setting up SSH to only use public key authentication, this setup should a) be provided as alternative steps, or b) not provided.

AngeloThys commented 3 months ago

Steps For Public Key + TOTP MFA

Modify PAM's SSH configuration file to enable MFA

Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so nullok

This line states that MFA is required for SSH login, unless MFA has not been set up yet for the user.

Comment out the following lines in /etc/pam.d/sshd:

# We only want PAM to handle MFA, not password auth
# Standard Un*x authentication.
# @include common-auth

# As stated before, PAM will not handle password auth
# Standard Un*x password updating.
# @include common-password

Modify sshd_config to enable MFA

Add the following line to /etc/ssh/sshd_config:

# Explicitly set public key authentication
PubkeyAuthentication yes

# Activate keyboard authentication to be able to enter our TOTP
KbdInteractiveAuthentication yes

# Set authentication methods
AuthenticationMethods publickey,keyboard-interactive:pam

# Activate PAM to be able to use google auth pam module
UsePAM yes

Restart the SSH service

sudo systemctl restart sshd

This configuration will require us to have a private key, and a TOTP MFA code.