chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



I have sshd server

        sshd -V
                ...
                OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
                ...

running on linux/64

with

        cat sshd_config
                ...
                PubkeyAuthentication                 yes
                PasswordAuthentication               no
                ChallengeResponseAuthentication      no
                GSSAPIAuthentication                 no
                GSSAPICleanupCredentials             no
                HostbasedAuthentication              no
                RhostsRSAAuthentication              no
                RSAAuthentication                    no

                UseLogin                             no
                PermitEmptyPasswords                 no
                UsePrivilegeSeparation               yes
                ...

I can ssh in with pubkey auth.

I want to ADD a 2nd factor authentication step; specifically Google
Authenticator

I installed

        pam-google-authenticator

package.

At shell, I exec

        google-authenticator

and create the key

I edit

        vi /etc/pam.d/sshd
                ...
        +        auth       required       pam_google_authenticator.so
                ...


and

        vi /etc/ssh/sshd_config
                ...
        -        ChallengeResponseAuthentication      no
        +        ChallengeResponseAuthentication      yes
        +        KbdInteractiveAuthentication         yes
                ...

and restart the daemon

        systemctl restart sshd
                ...
                Dec  7 14:05:59 server systemd[1]: Stopping OpenSSH
Daemon...
                Dec  7 14:05:59 server sshd[4821]: Received signal 15;
terminating.
                Dec  7 14:05:59 server systemd[1]: Starting OpenSSH
Daemon...
                Dec  7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
                Dec  7 14:05:59 server sshd[5112]: Server listening on
127.0.0.1 port 22.
                Dec  7 14:05:59 server sshd[5112]: Server listening on
10.10.16.92 port 22.
                ...

In the client's ssh_config I added

        ...
        Host server.DOMAIN.com
        User                               root
        ChallengeResponseAuthentication    yes
        PreferredAuthentications           publickey,keyboard-interactive
        ForwardX11                         yes
        ForwardX11Trusted                  yes
        Compression                        no
        ...


IIUC, now, when I login from the client to the server, I should ALWAYS be
prompted for the Google Authenticator code after a successful pubkey auth.

But when I ssh in to the machine, I still get only the pubkey auth -- never
get asked for the GA code, and I can login.


        ssh -v -l root server

                sshr_server -4v
                OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
                debug1: Reading configuration data /etc/ssh/ssh_config
                debug1: /etc/ssh/ssh_config line 89: Applying options for
*.DOMAIN.com
                debug1: /etc/ssh/ssh_config line 147: Applying options for
*
                debug1: Connecting to server.DOMAIN.com [10.10.16.92] port
22.
                debug1: fd 3 clearing O_NONBLOCK
                debug1: Connection established.
                debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
                debug1: Enabling compatibility mode for protocol 2.0
                debug1: Local version string SSH-2.0-OpenSSH_6.7
                debug1: Remote protocol version 2.0, remote software
version OpenSSH_6.7
                debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
                debug1: SSH2_MSG_KEXINIT sent
                debug1: SSH2_MSG_KEXINIT received
                debug1: kex: server->client chacha20-poly1305@xxxxxxxxxxx
<implicit> none
                debug1: kex: client->server chacha20-poly1305@xxxxxxxxxxx
<implicit> none
                debug1: sending SSH2_MSG_KEX_ECDH_INIT
                debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
                debug1: Server host key: ED25519 2f:...
                debug1: Host 'server.DOMAIN.com' is known and matches the
ED25519 host key.
                debug1: Found key in /etc/ssh/ssh_known_hosts:1
                debug1: SSH2_MSG_NEWKEYS sent
                debug1: expecting SSH2_MSG_NEWKEYS
                debug1: SSH2_MSG_NEWKEYS received
                debug1: SSH2_MSG_SERVICE_REQUEST sent
                debug1: SSH2_MSG_SERVICE_ACCEPT received
                debug1: Authentications that can continue:
publickey,keyboard-interactive
                debug1: Next authentication method: publickey
                debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
                debug1: Server accepts key: pkalg ssh-rsa blen 279
                debug1: Authentication succeeded (publickey).
                Authenticated to server.DOMAIN.com ([10.10.16.92]:22).
                debug1: channel 0: new [client-session]
                debug1: Requesting no-more-sessions@xxxxxxxxxxx
                debug1: Entering interactive session.
                debug1: Requesting X11 forwarding with authentication
spoofing.
                debug1: Sending environment.
                debug1: Sending env LANG = en_US.UTF-8
                debug1: Sending env DISPLAY = :0

I'm not sure where to look for WHY this isn't working.

How do I get the 2nd-factor step turned on?  config change? add'l packages
required?  etc?

Dan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux