On 07/03/2022 16:14, Whit Blauvelt wrote:
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access, where it wasn't in scope to add 2FA to all client accounts.
Could you explain a bit more what went wrong?
In order to configure 2FA (*), I do this:
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
The comma means sshd requires publickey *and* PAM authentication to
complete. I can't see how this can make it any less secure than
publickey alone, which is why I'm wondering what went wrong in your case.
If you want to disable 2FA either for certain trusted users, or certain
trusted source IP addresses, you can use a Match block, e.g.
Match Address 192.168.0.0/16
AuthenticationMethods publickey
On the other hand, if you're trying to enable *password* authentication
with separate 2FA, then that's certainly much trickier to get right in
the PAM stack. I would go for public key or certificate auth instead,
with 2FA on top.
Alternatively, think about doing public key auth using ecdsa-sk keys and
a U2F token - they are very cheap. You need a fairly modern openssh at
client and server side though.
Regards,
Brian.
(*) I'm using pam_yubico, but I believe the above should apply to any
2FA challenge/response using PAM.
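To make the two points in Brian's reply concrete (the comma in AuthenticationMethods means "all of these, in this order", and a Match block replaces the global value for connections it matches), here is an added Python example that is not part of the thread and not OpenSSH code. It models a deliberately reduced subset of sshd's config semantics: only the Match criteria `User` and `Address` (CIDR or glob, no `!` negation), the first value of a keyword in a section wins, and among several matching Match blocks the first one that sets a keyword wins, as sshd does. The config text and the user/address pairs are constructed for the example; the `Match User backup` block is an addition to show the space-separated alternative syntax and is not from the mail.

```python
"""Work out which AuthenticationMethods sshd would apply to a connection
and whether a sequence of completed methods satisfies them.

Added illustration only; not OpenSSH source. Supports a subset of
sshd_config: Match User / Match Address, CIDR and glob address patterns."""
import ipaddress
from fnmatch import fnmatch

# Constructed config. The global section and the Address Match block are
# the fragments from the mail; the "backup" block is a hypothetical extra
# showing two alternative chains separated by a space.
SAMPLE_CONFIG = """
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

Match Address 192.168.0.0/16
    AuthenticationMethods publickey

Match User backup
    AuthenticationMethods publickey,keyboard-interactive:pam publickey,publickey
"""


def parse_config(text):
    """Return (global_opts, blocks); blocks is a list of (criteria, opts)."""
    global_opts, blocks, current = {}, [], {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            toks = rest.split()
            # Criteria come in pairs: Match Address 10.0.0.0/8 User alice
            criteria = {k.lower(): v for k, v in zip(toks[0::2], toks[1::2])}
            current = {}
            blocks.append((criteria, current))
            continue
        # sshd keeps the first value it obtains for a keyword in a section.
        current.setdefault(keyword, rest.strip())
    return global_opts, blocks


def addr_matches(addr, pattern):
    """CIDR patterns are matched as networks, anything else as a glob."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch(addr, pattern)


def criteria_match(criteria, user, addr):
    """All criteria on the Match line must hold; each may list alternatives."""
    for key, value in criteria.items():
        patterns = value.split(",")
        if key == "user" and not any(fnmatch(user, p) for p in patterns):
            return False
        if key == "address" and not any(addr_matches(addr, p) for p in patterns):
            return False
        if key not in ("user", "address"):
            raise ValueError(f"Match criterion {key!r} not modelled here")
    return True


def effective_option(config_text, keyword, user, addr):
    """Value sshd would use for `keyword` on a connection from (user, addr)."""
    global_opts, blocks = parse_config(config_text)
    keyword = keyword.lower()
    for criteria, opts in blocks:            # first matching block to set it wins
        if keyword in opts and criteria_match(criteria, user, addr):
            return opts[keyword]
    return global_opts.get(keyword)


def parse_auth_methods(value):
    """'a,b c' -> [['a', 'b'], ['c']]: comma chains methods, space separates alternatives."""
    return [alt.split(",") for alt in value.split()]


def method_matches(spec, done):
    """'keyboard-interactive:pam' in the config matches a completed
    'keyboard-interactive:pam'; a spec without a device matches any device."""
    spec_name, _, spec_dev = spec.partition(":")
    done_name, _, done_dev = done.partition(":")
    return spec_name == done_name and (not spec_dev or spec_dev == done_dev)


def _chain_prefix_ok(chain, completed):
    return len(chain) >= len(completed) and all(
        method_matches(s, d) for s, d in zip(chain, completed))


def next_methods(value, completed):
    """Methods sshd would still accept after `completed` (in order); empty means
    no chain can continue, which is either success or a dead end."""
    return {chain[len(completed)] for chain in parse_auth_methods(value)
            if _chain_prefix_ok(chain, completed) and len(chain) > len(completed)}


def is_authenticated(value, completed):
    """True when the completed sequence exactly satisfies one alternative chain."""
    return any(len(chain) == len(completed) and _chain_prefix_ok(chain, completed)
               for chain in parse_auth_methods(value))


if __name__ == "__main__":
    for user, addr in (("alice", "203.0.113.5"), ("alice", "192.168.4.7"), ("backup", "203.0.113.5")):
        methods = effective_option(SAMPLE_CONFIG, "AuthenticationMethods", user, addr)
        print(f"{user}@{addr}: AuthenticationMethods {methods}")
        print("  after publickey, sshd still wants:", next_methods(methods, ["publickey"]) or "nothing")
```

Running it shows that a public key alone completes authentication only from 192.168.0.0/16, while from anywhere else sshd still demands keyboard-interactive through PAM; swapping the order of the two completed methods does not satisfy the chain, because sshd enforces the listed order.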
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev