Re: Multifactor authentication troubles

Dear Darren, James,

> 1) Use the per-auth-type PAM configs as per
> https://bugzilla.mindrot.org/show_bug.cgi?id=2246.
> 2) Configure the ssh-passwd stack to have just pam_unix.so and the
> ssh-kbdint stack to have just pam_signal.so.
> 3) Put "AuthenticationMethods password,keyboard-interactive
> publickey,keyboard-interactive" into sshd_config.
> 
> sshd should offer you either of publickey or password first then
> proceed to keyboard-interactive.

One downside of such an approach is that "password", as far as I
understand, has fewer features than "keyboard-interactive:pam". For
example, it does not support "password change": if you want to be
able to force your users to change their password on their next successful
login, that won't work with "password".

> OR (and this one is fuzzier)

What do you mean by "fuzzier"? It looks simpler to me ;)
Full disclosure: I'm one of the authors of that patch.

> a) Use "expose authentication information to PAM" as per
> https://bugzilla.mindrot.org/show_bug.cgi?id=2408
> b) Put "AuthenticationMethods "publickey,keyboard-interactive
> keyboard-interactive" in sshd_config
> c) Put both pam_unix.so and pam_signal.so in the PAM config and have
> it somehow check for the indication that pubkey has been successful
> and if found, skip pam_unix somehow.  I don't know of a way to do that
> offhand though.

You need a small PAM module for that, for example:
https://github.com/CERN-CERT/pam_2fa/blob/master/pam_ssh_user_auth.c

For more details on how to use that patch:
https://cern-cert.github.io/pam_2fa/#using-a-smart-pam-configuration
(The rest of that page explains why we think we need that patch)

A small additional benefit of that patch is that PAM will have more
information on what made the first factor succeed, which can then be used
to learn "who connected as root" (shared account) and match this
information to the corresponding 2nd factor (valid for that particular
account and not simply any user allowed to log in with that account).

Cheers,
Vincent
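As an added illustration (not taken from this thread or from the pam_2fa project), here is the shape of the "smart" PAM auth stack that option (c) calls for: it assumes sshd carries the bug 2408 patch and that pam_ssh_user_auth.so returns success when the exposed authentication information shows a successful publickey method; the control-flag layout and the file path are assumptions, the module names come from the messages above.

```pamconf
# /etc/pam.d/sshd, auth section only (assumed layout, not the project's own file).
#
# Paired with the sshd_config line from step (b):
#   AuthenticationMethods publickey,keyboard-interactive keyboard-interactive
#
# sshd runs this stack during the keyboard-interactive step. With the
# bug 2408 patch the stack can see whether publickey already succeeded.

# First factor check: if pam_ssh_user_auth.so reports a successful publickey
# method, jump over the next 1 module (pam_unix.so) straight to the 2nd factor.
# "default=ignore" means any other result neither fails the stack nor counts
# as a result, so password-only logins simply fall through to pam_unix.so.
auth    [success=1 default=ignore]   pam_ssh_user_auth.so

# First factor for clients that did not authenticate with a key.
auth    required                     pam_unix.so

# Second factor, required in both cases.
auth    required                     pam_signal.so
```

Because the first line uses default=ignore, the stack's result always comes from pam_unix.so or pam_signal.so, so a missing or unexpected indication from the patch can never by itself grant access.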


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
