ssh 2fa/mfa
3 Apr 2022
This is how I got MFA working on an ssh daemon.
Somewhere in this first step, I was presented with an ASCII QR code, and I just took a picture of it with my phone with google authenticator.
$ su - # apt-get install libpam-google-authenticator # google-authenticator Do you want authentication tokens to be time-based (y/n) y Your new secret key is: XXXXXXXXXXXXXXXXXXXXX Your verification code is XXXXXX Your emergency scratch codes are: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX Do you want me to update your "/root/.google_authenticator" file? (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) n If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
I'm doing this as root, but I really want to log on as myself, not as root (because I have actually disabled ssh root logins). So I just copy the config to the home dir of the user I will be logging in as:
# cp /root/.google_authenticator /home/mwood/ # chown mwood:mwood /home/mwood/.google_authenticator
Now it's time to edit some config files.
# vim /etc/pam.d/sshd
Find this line in /etc/pam.d/sshd and comment it out:
# Standard Un*x authentication. #@include common-auth # <== this was originally not commented out
Add these two lines to the bottom of /etc/pam.d/sshd:
auth required pam_google_authenticator.so auth required pam_permit.so
Now it's time to edit /etc/ssh/sshd_config:
# vim /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication yes # <== becomes yes instead of no
Add this line to the bottom of /etc/ssh/sshd_config:
AuthenticationMethods publickey,keyboard-interactive
Restart sshd
# systemctl restart sshd.service
Now try to log on again. sshd should ask you for your MFA number.