Multifactor authentication troubles
Vincent Brillault
vincent.brillault at cern.ch
Wed Jul 27 16:49:29 AEST 2016
Dear Darren, James,
> 1) Use the per-auth-type PAM configs as per
> https://bugzilla.mindrot.org/show_bug.cgi?id=2246.
> 2) Configure the ssh-passwd stack to have just pam_unix.so and the
> ssh-kbdint stack to have just pam_signal.so.
> 3) Put "AuthenticationMethods password,keyboard-interactive
> publickey,keyboard-interactive" into sshd_config.
>
> sshd should offer you either of publickey or password first then
> proceed to keyboard-interactive.
One downside of such an approach is that "password", as far as I
understand, has less feature than "keyboard-interactive:pam". For
example, it does not support "password change": if you are want to be
able to force your users to change their password on the next successful
logins, that won't work with "password".
> OR (and this one is fuzzier)
What do you mean by "fuzzier"? It looks simpler to me ;)
Full disclosure: I'm one of the author of that patch
> a) Use "expose authentication information to PAM" as per
> https://bugzilla.mindrot.org/show_bug.cgi?id=2408
> b) Put "AuthenticationMethods "publickey,keyboard-interactive
> keyboard-interactive" in sshd_config
> c) Put both pam_unix.so and pam_signal.so in the PAM config and have
> it somehow check for the indication that pubkey has been successful
> and if found, skip pam_unix somehow. I don't know of a way to do that
> offhand though.
You need a small pam module for that, for example
https://github.com/CERN-CERT/pam_2fa/blob/master/pam_ssh_user_auth.c
For more details on how to use that patch:
https://cern-cert.github.io/pam_2fa/#using-a-smart-pam-configuration
(The rest of that page explains why we think we need that patch)
A small additional benefit of that patch is that pam will have more
information on what made the first factor succeed and can be then used
to learn "who connected as root" (shared account) and match this
information to the corresponding 2nd factor (valid for that particular
account and not simply any user allowed to login with that account).
Cheers,
Vincent
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160727/851fe619/attachment.bin>
More information about the openssh-unix-dev
mailing list