chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
Dmt Ops
opsdmt at gmail.com
Thu Dec 18 12:55:49 EST 2014
I have an sshd server
sshd -V
...
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
...
running on linux/64
with
cat sshd_config
...
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
HostbasedAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
UseLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
...
I can ssh in with pubkey auth.
I want to ADD a 2nd-factor authentication step; specifically Google Authenticator.
I installed the pam-google-authenticator package.
At a shell, I exec google-authenticator and create the key.
I edit
vi /etc/pam.d/sshd
...
+ auth required pam_google_authenticator.so
...
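Review bot: the placement of this `auth required pam_google_authenticator.so` line relative to the rest of the stack is not shown, and it matters: if /etc/pam.d/sshd still pulls in the distribution's password stack (an `@include common-auth` or `auth substack password-auth` line), the user will be asked for the UNIX password in addition to the code once keyboard-interactive is actually required; decide explicitly whether that include stays. Note also that sshd only runs this PAM stack when `UsePAM yes` is set, and the sshd_config excerpt above does not show that keyword.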
and
vi /etc/ssh/sshd_config
...
- ChallengeResponseAuthentication no
+ ChallengeResponseAuthentication yes
+ KbdInteractiveAuthentication yes
...
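Review bot: this hunk enables keyboard-interactive but does not require it. With `PubkeyAuthentication yes` still set and no `AuthenticationMethods` line, sshd offers `publickey,keyboard-interactive` as alternatives and accepts whichever succeeds first, which is exactly the `Authentication succeeded (publickey).` with no PAM prompt seen in the client debug output below. Add `AuthenticationMethods publickey,keyboard-interactive` (available since OpenSSH 6.2) to make both mandatory in that order, and confirm `UsePAM yes` is present, since pam_google_authenticator is only ever invoked through PAM.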
and restart the daemon
systemctl restart sshd
...
Dec 7 14:05:59 server systemd[1]: Stopping OpenSSH Daemon...
Dec 7 14:05:59 server sshd[4821]: Received signal 15; terminating.
Dec 7 14:05:59 server systemd[1]: Starting OpenSSH Daemon...
Dec 7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
Dec 7 14:05:59 server sshd[5112]: Server listening on 127.0.0.1 port 22.
Dec 7 14:05:59 server sshd[5112]: Server listening on 10.10.16.92 port 22.
...
In the client's ssh_config I added
...
Host server.DOMAIN.com
User root
ChallengeResponseAuthentication yes
PreferredAuthentications publickey,keyboard-interactive
ForwardX11 yes
ForwardX11Trusted yes
Compression no
...
IIUC, now, when I login from the client to the server, I should ALWAYS be
prompted for the Google Authenticator code after a successful pubkey auth.
But when I ssh in to the machine, I still get only the pubkey auth -- I never
get asked for the GA code, and I can log in.
ssh -v -l root server
sshr_server -4v
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 89: Applying options for *.DOMAIN.com
debug1: /etc/ssh/ssh_config line 147: Applying options for *
debug1: Connecting to server.DOMAIN.com [10.10.16.92] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 2f:...
debug1: Host 'server.DOMAIN.com' is known and matches the ED25519 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to server.DOMAIN.com ([10.10.16.92]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env DISPLAY = :0
I'm not sure where to look for WHY this isn't working.
How do I get the 2nd-factor step turned on? config change? add'l packages
required? etc?
Dan
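The configuration problem in the mail above, shown as an added example that is not part of Dan's post or of the OpenSSH project: a small shell audit that reads an sshd_config and reports whether sshd is set up to require a public key and then a PAM keyboard-interactive prompt, rather than merely to offer both as alternatives. The "posted" and "corrected" sshd_config texts and the companion /etc/pam.d/sshd are constructed samples; the example assumes OpenSSH 6.2 or later (when AuthenticationMethods appeared) and a Debian-style PAM layout with an `@include common-auth` line.

```shell
#!/bin/sh
# Added example (not from the mail or from OpenSSH): audit an sshd_config for
# a REQUIRED public-key + PAM/keyboard-interactive chain.
# Assumptions: OpenSSH >= 6.2 (AuthenticationMethods exists) and a TOTP module
# wired in through /etc/pam.d/sshd, so UsePAM has to be on.
# This is a plain text scan: it ignores Match blocks and sshd's
# "first occurrence of a keyword wins" rule. On a live host prefer
#   sshd -T | grep -Ei 'authenticationmethods|usepam|challengeresponse'

# check_2fa_chain CONFIG_TEXT
# Prints one finding per line; returns 0 only if both factors are required.
check_2fa_chain() {
    # strip comments and trailing blanks, lower-case keywords as sshd does
    cfg=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    rc=0

    # 1. keyboard-interactive is how PAM prompts reach the client; the
    #    default is "yes", so only an explicit "no" is a finding here.
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*challengeresponseauthentication[[:space:]]+no'; then
        echo "MISSING: ChallengeResponseAuthentication yes (PAM prompts cannot be delivered)"
        rc=1
    fi

    # 2. pam_google_authenticator.so lives in the PAM stack, which sshd only
    #    runs when UsePAM is on (the upstream default is "no").
    if ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*usepam[[:space:]]+yes'; then
        echo "MISSING: UsePAM yes (/etc/pam.d/sshd is never consulted)"
        rc=1
    fi

    # 3. The decisive setting. Without it sshd OFFERS
    #    "publickey,keyboard-interactive" as alternatives and a valid key alone
    #    completes the login; the comma list makes both mandatory, in order.
    if ! printf '%s\n' "$cfg" | grep -Eq \
        '^[[:space:]]*authenticationmethods[[:space:]]+(.*[[:space:]])?publickey,keyboard-interactive(:pam)?([[:space:]]|$)'; then
        echo "MISSING: AuthenticationMethods publickey,keyboard-interactive (a key alone still logs in)"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: public key AND keyboard-interactive (PAM) are both required"
    return "$rc"
}

# Constructed sample 1: the posted sshd_config after the edits in the mail.
posted_cfg='
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
UsePrivilegeSeparation yes
'

# Constructed sample 2: the same file with the two missing lines added.
fixed_cfg='
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
# key first, then the PAM (TOTP) prompt; both must succeed
AuthenticationMethods publickey,keyboard-interactive
UsePrivilegeSeparation yes
'

# Companion /etc/pam.d/sshd (assumed Debian-style layout). The distro
# password stack is disabled so the only "auth" step is the TOTP code;
# PasswordAuthentication no already keeps passwords off the wire anyway.
pam_sshd_sample='
# @include common-auth        <- would add a UNIX password prompt on top of the code
auth     required  pam_google_authenticator.so
@include common-account
@include common-session
'

echo "--- sshd_config as posted ---"
check_2fa_chain "$posted_cfg" || echo "verdict: exit $?"
echo "--- corrected sshd_config ---"
check_2fa_chain "$fixed_cfg"  || echo "verdict: exit $?"
echo "--- companion /etc/pam.d/sshd ---"
printf '%s\n' "$pam_sshd_sample"
```

With the corrected file in place, the client-side trace changes shape: after `Authentication succeeded (publickey)` is replaced by a partial success, sshd answers with `Authentications that can continue: keyboard-interactive` and the PAM prompt appears. Keep an existing root session open while testing, since a mistake in AuthenticationMethods or the PAM stack locks out key-only logins for every user.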
More information about the openssh-unix-dev mailing list