chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
Damien Miller
djm at mindrot.org
Wed Dec 24 07:40:36 EST 2014
On Tue, 23 Dec 2014, Dmt Ops wrote:
>
> @ client
>
> debug1: Authentications that can continue: publickey

Server offers the first mandatory authentication method

> debug1: Trying private key: /usr/local/etc/ssh/ssh.CLIENT.ed25519
> debug2: we sent a publickey packet, wait for reply
> Authenticated with partial success.

Client successfully completes pubkey

> debug1: Authentications that can continue: keyboard-interactive
> debug1: Next authentication method: keyboard-interactive

Server offers the next mandatory authentication method

> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Verification code:
> debug1: Authentications that can continue: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:

Client is not successful at kbd-int authentication.

> @ server, level 'DEBUG2'
>
> disabling now
> Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request:
> setting up authctxt for root [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: authentication methods list
> 0: publickey,keyboard-interactive:pam [preauth]
Server is configured with multiple authentication
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: try
> method publickey [preauth]

Client attempts pubkey

> Dec 23 07:05:21 server sshd[23109]: Partial publickey for root from
> 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519
> yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy
> Dec 23 07:05:21 server sshd[23109]: debug2: userauth_pubkey:
> authenticated 1 pkalg ssh-ed25519 [preauth]

Client succeeds pubkey

> Dec 23 07:05:21 server sshd[23109]: debug1: userauth-request for user
> root service ssh-connection method keyboard-interactive [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: attempt 2 failures 1
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: try
> method keyboard-interactive [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: keyboard-interactive devs
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: auth2_challenge: user=root
> devs= [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: kbdint_alloc: devices 'pam'
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: auth2_challenge_start:
> devices pam [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: kbdint_next_device: devices
> <empty> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Dec 23 07:05:21 server sshd[23109]: Postponed keyboard-interactive for
> root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519
> yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy [preauth]

Server sends the password and verification code prompts to the client

> Dec 23 07:05:27 server sshd[23109]: debug2: PAM: sshpam_respond
> entering, 1 responses
> Dec 23 07:05:27 server sshd[23109]: Postponed keyboard-interactive/pam
> for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2 [preauth]
> Dec 23 07:05:34 server sshd[23109]: debug2: PAM: sshpam_respond
> entering, 1 responses
> Dec 23 07:05:34 server sshd(pam_google_authenticator)[23111]: Invalid
> verification code

Client replies with credentials that are rejected by the PAM stack.

Have you got keyboard-interactive working on its own with Google
authenticator? It seems like a good first step...

Also, if you provide any further logs then please use debug3 (ssh -vvv /
sshd -ddd).

-d
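
Added example, not part of the reply above and not OpenSSH project code: a small Python pass over the server log lines quoted in this thread that reports which required method in the `publickey,keyboard-interactive:pam` chain the session stalled at and which PAM module logged the rejection. The names `trace_auth` and `base` are hypothetical, only methods list 0 is read, and the `Accepted` line format is assumed from standard sshd logging since it does not appear in the quoted log.

```python
import re

# Server log lines taken from the quoted sshd output in this thread, mail wrapping undone.
SAMPLE = [
    "Dec 23 07:05:21 server sshd[23109]: debug1: authentication methods list 0: publickey,keyboard-interactive:pam [preauth]",
    "Dec 23 07:05:21 server sshd[23109]: Partial publickey for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy",
    "Dec 23 07:05:21 server sshd[23109]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy [preauth]",
    "Dec 23 07:05:27 server sshd[23109]: Postponed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2 [preauth]",
    "Dec 23 07:05:34 server sshd(pam_google_authenticator)[23111]: Invalid verification code",
]

METHODS = re.compile(r"authentication methods list 0: (\S+)")
# "Partial" = method succeeded but more are required; "Accepted" = chain complete.
PASSED = re.compile(r"sshd\[\d+\]: (?:Partial|Accepted) (\S+) for \S+ from")
POSTPONED = re.compile(r"sshd\[\d+\]: Postponed (\S+) for \S+ from")
# PAM modules log under their own tag and, as in the quoted log, a different pid.
PAM = re.compile(r"sshd\((pam_\w+)\)\[\d+\]: (.*)")

def base(name):
    # "keyboard-interactive:pam" (config) and "keyboard-interactive/pam" (log) -> same key
    return re.split(r"[:/]", name)[0]

def trace_auth(lines):
    """Summarise one session: required chain, methods passed, where it stalled."""
    required, passed, rounds, pam_errors = [], [], 0, []
    for line in lines:
        if m := METHODS.search(line):
            required = m.group(1).split(",")
        elif m := PASSED.search(line):
            passed.append(m.group(1))
        elif POSTPONED.search(line):
            rounds += 1  # method still in progress, session not yet decided
        elif m := PAM.search(line):
            pam_errors.append((m.group(1), m.group(2).strip()))
    done = {base(p) for p in passed}
    stalled = next((r for r in required if base(r) not in done), None)
    return {"required": required, "passed": passed, "stalled_at": stalled,
            "rounds": rounds, "pam_errors": pam_errors}

if __name__ == "__main__":
    print(trace_auth(SAMPLE))
```

A result with `stalled_at` set to `keyboard-interactive:pam` and a `pam_google_authenticator` entry in `pam_errors` places the failure in the PAM stack rather than in the method chaining, which is the case for testing keyboard-interactive on its own first.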