
OpenSSH two-factor authentication: key + one-time code

In the previous article, I explained how to add verification of one-time codes when logging in to my server via SSH. The article ended with the words “if we log in by key, two-factor authentication does not work (PAM is not used)”.

Recently, after the release of OpenSSH version 6.2, the situation has changed for the better.


From the release notes: sshd(8) gained support for multiple required authentication methods in SSH protocol 2 via the AuthenticationMethods option. The option takes one or more comma-separated lists of authentication method names, and authentication succeeds only when every method in at least one of those lists has completed successfully.


Getting started


I will walk through one configuration: authentication by key and then by one-time code. I use Debian Jessie (testing), where everything is available out of the box.

Installing the necessary software


Since the last article, the console tool has been packaged together with the PAM module, so only one new package is needed on the server:
apt-get install libpam-google-authenticator


Install Google Authenticator and some QR code scanner on the phone, for example on Android. If you have a Windows Phone, the program is called Authenticator (thanks to Skywrtr). If your phone runs a different OS, see the Links section below.

Initialization of one-time codes


Run this command:
google-authenticator

The first question is whether we want time-based tokens. The answer is “y”.

In response, we get ASCII art with a nice QR code containing the secret key:


Also, in case you want to add the data to Google Authenticator manually, the secret key itself and a verification code are printed.

It also makes sense to write down the 5 backup codes in a safe place in case something happens to the phone. You do not need to follow the URL that the tool also prints: it only renders the same QR code more prettily. You do not want to show your secret key to Google, do you? :)

We immediately scan the QR code with the application on the phone, then answer the questions in the console:
- Save everything permanently in ~/.google_authenticator?
- y
- Disallow using the same code several times? It helps to notice or even prevent a man-in-the-middle attack.
- y
- Increase the time window from about 1.5 minutes to 4 minutes?
- n (and then immediately check that the time on the phone is exact; recent versions of Google Authenticator can, however, synchronise time from the Internet)
- Limit the number of login attempts per period of time?
- y
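Those answers tune the checks pam_google_authenticator performs on every login. The following added example (mine, not code from the article or from the google-authenticator project) implements the same logic in Python: RFC 6238 time-based codes, the accepted window (3 steps, about 1.5 minutes, or 17 steps, about 4 minutes), and rejection of a code whose time step has already been used; the secret and timestamps are constructed test values.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
WINDOW_DEFAULT = 3    # current step plus one on either side: about 1.5 minutes
WINDOW_EXTENDED = 17  # what answering "y" to the 4-minute question selects


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check for time-based codes, in the spirit of pam_google_authenticator."""

    def __init__(self, secret_b32: str, window: int = WINDOW_DEFAULT,
                 disallow_reuse: bool = True):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        # Time steps that already produced a successful login. The PAM module
        # persists this list in ~/.google_authenticator; here it lives in memory.
        self.used_steps = set()

    def verify(self, code: str, now: int) -> bool:
        """Accept `code` if it matches any step inside the window around `now`
        and, when reuse is disallowed, that step has not been consumed yet."""
        current = now // STEP_SECONDS
        half = self.window // 2
        for step in range(max(0, current - half), current + half + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse:
                    if step in self.used_steps:
                        return False  # replayed code: reject even though it is valid
                    self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test key "12345678901234567890" in base32.
    demo = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(demo.verify(hotp(demo.secret, 59 // STEP_SECONDS), 59))  # True
    print(demo.verify(hotp(demo.secret, 59 // STEP_SECONDS), 59))  # False: reused
```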

PAM Setup


In the /etc/pam.d/sshd file, the “auth” group should contain only one line, the call of the pam_google_authenticator.so module:
 --- /etc/pam.d/sshd.orig 2013-05-22 05:05:49.000000000 +0400 +++ /etc/pam.d/sshd 2013-09-04 16:36:43.141649326 +0400 @@ -1,7 +1,9 @@ # PAM configuration for the Secure Shell service +auth required pam_google_authenticator.so + # Standard Un*x authentication. -@include common-auth +#@include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so 
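Review bot: with `@include common-auth` commented out and `auth required pam_google_authenticator.so` as the only auth line, the sshd PAM stack no longer verifies passwords at all, so this hunk is only safe together with the `AuthenticationMethods publickey,keyboard-interactive` setting in sshd_config described below; every account that logs in through sshd must also already have run google-authenticator, because `required` fails the stack when the one-time code check fails. A comment in the file recording that dependency on sshd_config would help the next person who edits it.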


An important point: on the one hand, you need to comment out all lines and includes that add password checking to the “auth” group (for example, “@include common-auth” above), otherwise you will be asked for the password after the one-time code. On the other hand, you must understand that password authentication, which in most modern distributions also goes through PAM, is thereby broken. This is not dangerous, because below we explicitly tell the sshd server that key verification is required, and authentication will fail without the correct key.

I have not yet figured out how to support two scenarios in PAM at the same time, for example “key + one-time code” and “password + one-time code”.

PAM setup, extra goodies


You can make the one-time code optional for some users. For this there is the pam_access.so module, which must be placed before pam_google_authenticator.so:
auth sufficient pam_access.so accessfile=/etc/ssh/two-factor-skip.conf
auth required pam_google_authenticator.so


In the /etc/ssh/two-factor-skip.conf file, you can specify something like this:
# no one-time code needed from the local network
+ : ALL : 192.168.1.0/24
# no one-time code needed for user oldskool
+ : oldskool : ALL
# everyone else has to enter it
- : ALL : ALL


sshd setup


In /etc/ssh/sshd_config we enable ChallengeResponse authentication and PAM, and state that both the key and the one-time password must be verified:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive


Then:
service ssh reload


Check




Compatibility


All console commands (ssh, scp, sftp) of OpenSSH 5.9p1 and, obviously, later versions support ChallengeResponse authentication. I did not check older versions.

lftp versions 4.3.3 and 4.4.8 do not support it. I did not check other versions.

According to funditus:
Irssi ConnectBot on Android: supported.
SecureCRT: supported, but in the connection settings you need to enable Keyboard-interactive and Publickey.
PuTTY: supported.


If someone can check other programs for (in)compatibility, write to me in a PM and I will add it here.

Links


  1. OpenSSH 6.2 Release Notes
  2. Installing the Google Authenticator Application
  3. Google Authenticator
  4. QR code scanner

Source: https://habr.com/ru/post/186376/
