Multifactor authentication troubles

Darren Tucker dtucker at zip.com.au
Sun Jul 24 08:53:25 AEST 2016


On Sat, Jul 23, 2016 at 5:50 AM, James Murphy
<james.murphy.debian at gmail.com> wrote:
> I'm writing a PAM module to do authentication through Signal (as in Open
> Whisper Systems) [1]. I would like to be able to offer
> (Public key AND Signal) or (Password AND Signal)
>
> for authentication. This suggests setting AuthenticationMethods to
> publickey,keyboard-interactive:pam password,keyboard-interactive:pam
>
> However, when PAM is enabled "password" means "show password prompt,
> then do PAM", which is a problem because my PAM does Signal auth, not
> password auth,

The PAM conversation is whatever you configure the stack to be, not
just one of password or Signal.  For example you could have this in
your PAM ssh config:
auth required pam_unix.so
auth required pam_signal.so

and as long as you're using SSH Protocol 2, it should allow multiple
conversations in a single call to pam_authenticate.  That should get
you the "password then Signal" authentication via only
keyboard-interactive.

[...]
> Or another solution would be to allow multiple different PAM modules to
> be called instead of requiring it all to be lumped into /etc/pam.d/sshd.

There's an open enhancement request for this:
https://bugzilla.mindrot.org/show_bug.cgi?id=2246

> Then one could specify something like
>
> PAMFiles /etc/pam.d/sshd*
> AuthenticationMethods
> keyboard-interactive:pam:sshd-pass,keyboard-interactive:pam:sshd-signal

You can get this behaviour by putting both auth modules in the ssh
stack config as described above and that should work with the current
production code.

Getting (Public key AND Signal) or (Password AND Signal) to work is
trickier.  I can imagine 2 ways to do it, both of which require
changes not in the current production code.

1) Use the per-auth-type PAM configs as per
https://bugzilla.mindrot.org/show_bug.cgi?id=2246.
2) Configure the ssh-passwd stack to have just pam_unix.so and the
ssh-kbdint stack to have just pam_signal.so.
3) Put "AuthenticationMethods password,keyboard-interactive
publickey,keyboard-interactive" into sshd_config.

sshd should offer you either of publickey or password first then
proceed to keyboard-interactive.

OR (and this one is fuzzier)

a) Use "expose authentication information to PAM" as per
https://bugzilla.mindrot.org/show_bug.cgi?id=2408
b) Put "AuthenticationMethods publickey,keyboard-interactive
keyboard-interactive" in sshd_config
c) Put both pam_unix.so and pam_signal.so in the PAM config and have
it somehow check for the indication that pubkey has been successful
and if found, skip pam_unix somehow.  I don't know of a way to do that
offhand though.



-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
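Added example, not part of the thread and not OpenSSH or Linux-PAM code: a small linter for the kind of PAM auth stack shown above (it flags a misspelled control flag such as "requred", which PAM would reject) plus a simplified model of how sshd reads an AuthenticationMethods value: comma-separated methods form an AND-chain that must be completed in order, and space-separated chains are alternatives (OR). The model assumes exact method-name matching (the way sshd matches "keyboard-interactive" against "keyboard-interactive:pam" is not reproduced) and the sample stack is constructed here.

```python
"""Lint a PAM auth stack and model sshd's AuthenticationMethods evaluation.

Simplified illustration written for this thread; not sshd's real parser.
"""
import re

# Control flags accepted in the simple (non-bracketed) form of a Linux-PAM line.
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional",
                "include", "substack"}
PAM_TYPES = {"auth", "account", "password", "session"}

# type, control ("required" or a bracketed "[success=1 default=ignore]"),
# module, optional arguments.
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample stack: the two-module stack from the thread, with a typo.
SAMPLE_PAM_STACK = """\
auth required pam_unix.so
auth requred pam_signal.so
"""


def lint_pam_stack(text):
    """Return a list of (line_number, message) for malformed PAM lines."""
    problems = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            problems.append((num, "expected: type control module [args]"))
            continue
        mtype, control, module = m.group(1), m.group(2), m.group(3)
        if mtype.lstrip("-") not in PAM_TYPES:
            problems.append((num, "unknown module type %r" % mtype))
        # Bracketed controls carry their own action list; only bare words are checked.
        if not control.startswith("[") and control not in PAM_CONTROLS:
            problems.append((num, "unknown control flag %r" % control))
        if not module.endswith(".so"):
            problems.append((num, "module %r does not look like a .so" % module))
    return problems


def parse_auth_methods(value):
    """Split an AuthenticationMethods value into alternatives of AND-chains.

    'publickey,keyboard-interactive:pam password,keyboard-interactive:pam'
    -> [['publickey', 'keyboard-interactive:pam'],
        ['password', 'keyboard-interactive:pam']]
    """
    return [chain.split(",") for chain in value.split()]


def next_methods(chains, completed):
    """Methods that would be offered next, given the methods completed so far.

    A chain stays viable only while 'completed' is a prefix of it; the next
    element of every viable chain is offered (first-seen order, no duplicates).
    """
    done = list(completed)
    offered = []
    for chain in chains:
        if chain[:len(done)] == done and len(chain) > len(done):
            candidate = chain[len(done)]
            if candidate not in offered:
                offered.append(candidate)
    return offered


def is_authenticated(chains, completed):
    """True once the completed methods, in order, match one whole chain."""
    return any(list(completed) == chain for chain in chains)


if __name__ == "__main__":
    for num, msg in lint_pam_stack(SAMPLE_PAM_STACK):
        print("pam line %d: %s" % (num, msg))
    chains = parse_auth_methods(
        "publickey,keyboard-interactive:pam password,keyboard-interactive:pam")
    print("offered first:", next_methods(chains, []))
    print("after publickey:", next_methods(chains, ["publickey"]))
    print("done:", is_authenticated(chains, ["publickey", "keyboard-interactive:pam"]))
```

Running the lint over the sample reports the misspelled flag on line 2; the method model shows publickey or password being offered first and keyboard-interactive only after one of them succeeds, which is the ordering the thread describes for the "publickey,keyboard-interactive password,keyboard-interactive" setting.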

