On Tue, 03/01/22, 2022 at 09:45:04AM +1100, Damien Miller wrote:

> It sounds like you have already verified that your PAM configuration was
> not tampered with, so that removes one possibility. Reviewing the Ubuntu
> PAM configurations and the patches they apply to sshd seem to be prudent
> next steps.

Found the culprit: me.

I was stupid enough to install and configure libpam-google-auth, given a company mandate to 2FA all connections with admin access, where it wasn't in scope to add 2FA to all client accounts.

If there's existing documentation anywhere on how dangerous this is, it's not in libpam-google-auth's own docs, nor in the recipes scattered across the net. I've found no way yet to tweak it to be safe that I can be sure of, short of running a separate sshd on another port for it.

Has there been consideration of adding 2FA to OpenSSH that doesn't require enabling PAM?

Public keys and IP restrictions seem enough to me. Yet my corporate overlord is required by their insurance firm to use 2FA. To satisfy that demand, I compromised security with the badly documented libpam-google-auth -- as if a firm that can't even secure their flagship browser should be trusted on security.

Stupid me,
Whit

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev