Gentoo Forums
Google 2FA with SSH keys [SOLVED]
Gentoo Forums Forum Index Networking & Security
mole
Tux's lil' helper
Joined: 07 Nov 2009
Posts: 81
PostPosted: Mon Aug 15, 2022 1:09 pm    Post subject: Google 2FA with SSH keys [SOLVED]

I've set up Google Authenticator as per the wiki, to increase SSH security. The code is only prompted for logins with a password, which I don't use, and I'm looking for a way to use 2FA with SSH key logins.

It's similar with sudo - if a password is required, the 2FA code is needed, but not if NOPASSWD is used.

There's posts online saying this is possible on Ubuntu and Debian, but their instructions aren't materially different from the Gentoo wiki.

Are there any further steps I can take to use 2FA without a password? Maybe compiling Google authenticator from source?

There are no USE flags for google_authenticator; I've tried enabling the SSH security-key and the PAMbase pam_ssh USE flags but there's no change.


Last edited by mole on Mon Aug 15, 2022 7:59 pm; edited 1 time in total
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21918
PostPosted: Mon Aug 15, 2022 3:26 pm

When you follow steps from a Wiki, please link to it so we can readily review those steps. In this case, I will speculate that you used https://wiki.gentoo.org/wiki/Google_Authenticator, which is the least popular Wiki hit when searching 2FA. Please show us the current state of each of the files that the Wiki directed you to change. As I read the proposed sample, you shouldn't be able to use password login at all, but you mentioned that the code is prompted in that case, which suggests you are not running the same configuration that the Wiki suggested.
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3203
PostPosted: Mon Aug 15, 2022 5:58 pm

Quote:
I've set up Google Authenticator (...) to increase SSH security
Well... That's the first problem right there, considering that the days of "Don't be evil" are long gone.
Now, if you really want to go down this path, sure, I won't hold you back. But putting all your eggs in one basket is not necessarily a bad thing.
A single basket is something you can actually guard.
mole
Tux's lil' helper
Joined: 07 Nov 2009
Posts: 81
PostPosted: Mon Aug 15, 2022 6:32 pm

Yes, I followed that wiki for google authenticator rather than a 2FA one, as well as looking at Ubuntu and Debian forum posts.

The 2FA code was requested (and successful) for password logins, but it was not requested at all for logins where a public key authorisation had been set up - the login was successful, but without the 2FA code being requested.

I reset the USE flags for pambase and openssh, also tried enable-2fa-totp from another wiki but it didn't work. The behaviour changed to keys being ignored, although I could log in with the Google 2FA code and the user password.

Then while looking in the /etc/pam.d/ directory I noticed the /etc/pam.d/system-remote-login file. I tried adding

Code:
auth            sufficient      pam_google_authenticator.so

to that file, and it solved the problem - now the 2FA code is required, and the key is used if set up for that user.

I can't find any mention of the /etc/pam.d/system-remote-login file on any Gentoo wiki, but it's working now so all good.

Quote:
Well... That's the first problem right there, considering that the days of "Don't be evil" are long gone.


I'm not a big fan of Google tbh, but can't see how adding their 2FA is going to do any harm? I've set up fail2ban as well as there's so many login attempts in the logs.
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3203
PostPosted: Mon Aug 15, 2022 9:00 pm

Quote:
I'm not a big fan of Google tbh, but can't see how adding their 2FA is going to do any harm? I've set up fail2ban as well as there's so many login attempts in the logs.

I don't know how it works.
Can they track it? It wouldn't be worth a lot if it wasn't interactive, so I suppose they can. They already know more than I'd like, and that's yet another piece of data handed over to them.
Does it enable them to deny you access to your machine? YES: you lose a bit of safety; NO: it does not really improve your security.
What other external services does it require to work? Do you remember facebook removing itself from the internet after that BGP mishap? I've seen a pretty bad netsplit in Europe too. Someone dug up an optic fiber (cutting it in the process) and the network exploded into East vs West... The other wire couldn't handle all the traffic by itself. Turns out the "net" part is a lie, "interpatchcord" would be a more accurate name.
Accidents happen, while it's impossible to be completely immune to other people's mistakes, I'd rather have fewer critical dependencies than more of them.

Anyway, forcing public key authentication on a non-root user does a pretty good job keeping intruders away. They need a non-obvious username AND the matching private key. I wonder if ssh can be configured to require the user's password on top of that, but even if it doesn't, your login user can have basically no rights other than su/sudo, at which point you need a key to get inside and then a password to actually do anything. Oh, and you can trigger privilege escalation (asking for password) with sshd's force-command to prevent any access at all until you grab the steering wheel. Just thinking out loud... My 30 attempts a day do not concern me nearly enough to actually implement something like that on my machines. Bots tend to just give up after the server does not ask for password.
BTW, a firewall is an option too, whether with a static IP or using knockd. Building a VPN for ssh would be overengineering it, but if you are going to use a VPN anyway (some people do have perfectly valid reasons to do that), you can use it as the first line of defense - assuming you don't use the same credentials for vpn and ssh.
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21918
PostPosted: Mon Aug 15, 2022 9:42 pm

Although I have not reviewed the code to confirm, my understanding is that this particular Google project does not require an external server. It works solely from files on disk, and is provided with the hope that people will make their systems more secure.

Yes, modern sshd can be configured to require multiple factors. See man sshd_config section AuthenticationMethods.
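An added worked example, not from this thread or from OpenSSH: a small Python model of the AuthenticationMethods rule Hu points to, so the "key first, then a second factor" requirement can be traced step by step. The method names are the ones sshd_config(5) uses; the function names and the handling of the special value "any" are mine. For the keyboard-interactive step to reach pam_google_authenticator, sshd also needs UsePAM yes and KbdInteractiveAuthentication yes (called ChallengeResponseAuthentication in older releases); the model does not check those.

```python
"""Model of sshd's AuthenticationMethods semantics (added example, not OpenSSH code).

The directive holds one or more alternatives separated by spaces; each
alternative is a comma-separated, ordered list of methods that must all
succeed. Access is granted as soon as any one alternative is complete.
"""
from typing import List, Sequence, Set, Tuple

# Method names as sshd_config(5) spells them.
KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic", "none"}


def _base(method: str) -> str:
    """Drop a device qualifier such as ':pam' from 'keyboard-interactive:pam'."""
    return method.split(":", 1)[0]


def parse_authentication_methods(value: str) -> List[List[str]]:
    """'publickey,keyboard-interactive publickey,password' -> [[...], [...]].

    The special value 'any' returns [] (any single enabled method suffices).
    """
    value = value.strip()
    if value.lower() == "any":
        return []
    alternatives = []
    for alt in value.split():
        methods = [m for m in alt.split(",") if m]
        if not methods:
            raise ValueError(f"empty method list in {value!r}")
        for m in methods:
            if _base(m) not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method {m!r}")
        alternatives.append(methods)
    return alternatives


def evaluate(directive: str, completed: Sequence[str]) -> Tuple[str, Set[str]]:
    """Return (state, next_methods) for the methods completed so far, in order.

    state is 'granted', 'continue' (next_methods = what sshd would still offer)
    or 'denied' (no alternative is consistent with what was completed).
    """
    alternatives = parse_authentication_methods(directive)
    done = [_base(m) for m in completed]
    if not alternatives:                      # 'any'
        return ("granted", set()) if done else ("continue", {"any"})
    viable = [[_base(m) for m in alt] for alt in alternatives
              if [_base(m) for m in alt][:len(done)] == done]
    if not viable:
        return "denied", set()
    if any(len(alt) == len(done) for alt in viable):
        return "granted", set()
    return "continue", {alt[len(done)] for alt in viable}


if __name__ == "__main__":
    # The two-factor setting discussed in the thread: key first, then the PAM prompt.
    directive = "publickey,keyboard-interactive"
    for steps in ([], ["publickey"], ["publickey", "keyboard-interactive"], ["password"]):
        print(steps, "->", evaluate(directive, steps))
```

Run it directly to see the states for the thread's case, publickey,keyboard-interactive: the key alone leaves the login in the "continue" state with only keyboard-interactive on offer, which is the step where the TOTP prompt comes from, and a password attempt is "denied" because no alternative starts with it.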
mole
Tux's lil' helper
Joined: 07 Nov 2009
Posts: 81
PostPosted: Mon Aug 15, 2022 10:31 pm

Yeah I'm pretty sure the Google Authenticator app doesn’t connect to any Google account and doesn't sync codes. It works with the phone offline.
Quote:
forcing public key authentication on a non-root user does a pretty good job keeping intruders away

I'm doing that, but if anyone gains access to any of my other machines they'll be able to access the server - which is more important. At least they'll need my mobile as well with 2FA...
mole
Tux's lil' helper
Joined: 07 Nov 2009
Posts: 81
PostPosted: Tue Aug 16, 2022 8:08 am

In case this helps anyone who finds this thread in future, to bypass 2FA for SSH logins from specific IP addresses:

Create the file /etc/security/access-local.conf containing

Code:
+ : ALL : 192.168.211.0/24
- : ALL : ALL

and add
Code:
auth       [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf

as the first line of /etc/pam.d/sshd (it needs to be before the line containing pam_google_authenticator.so).

The line from the Arch wiki
Code:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
wouldn't work for me.
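An added worked example, not from this thread or from Linux-PAM: a Python simulation of the pam_access rules above and of the control fields success=done versus success=1, so the difference mole saw can be traced without touching a live system. The access file is copied from the post; the two auth stacks and the module outcomes are constructed assumptions (what really sits below the pam_access line depends on the system's own /etc/pam.d/sshd), and the function names are mine.

```python
"""Linux-PAM auth-stack and pam_access simulator (added example, not PAM's own code).
Models the pam.conf(5) controls used in this thread: required, requisite, sufficient
and '[success=... default=...]' with the actions ignore, ok, done, bad, die and a jump
count N. 'include'/'substack' are not modelled, so stacks are written out flat."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed copy of the access file posted in the thread.
ACCESS_LOCAL_CONF = "+ : ALL : 192.168.211.0/24\n- : ALL : ALL\n"
# Constructed stacks; what sits below the pam_access line is an assumption, not Gentoo's file.
STACK_DONE = """\
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
auth required pam_unix.so
"""
STACK_SKIP1 = STACK_DONE.replace("success=done", "success=1")

def _origin_matches(pattern: str, rhost: str) -> bool:
    """ALL, a single address or a CIDR block; anything else must match literally."""
    if pattern == "ALL":
        return True
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == rhost

def access_allowed(text: str, user: str, rhost: str) -> bool:
    """First matching 'perm : users : origins' rule wins. With no match pam_access
    allows, which is why the file in the thread ends with '- : ALL : ALL'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {line!r}")
        users, origins = users.split(), origins.split()
        if ("ALL" in users or user in users) and any(_origin_matches(o, rhost) for o in origins):
            return perm == "+"
    return True

def parse_pam_stack(text: str) -> List[Tuple[str, str, str]]:
    """Each line -> (type, control, module); bracketed controls may contain spaces."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "[" in line:
            head, rest = line.split("[", 1)
            control, tail = rest.split("]", 1)
            entries.append((head.strip(), control.strip(), tail.split()[0]))
        else:
            typ, control, module = line.split()[:3]
            entries.append((typ, control, module))
    return entries

def run_auth_stack(stack_text: str, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the auth lines applying pam.conf(5) actions; outcomes maps module -> success."""
    entries = [e for e in parse_pam_stack(stack_text) if e[0] == "auth"]
    result = None          # None until some module contributes a verdict
    trace, i = [], 0
    while i < len(entries):
        _, control, module = entries[i]
        i += 1
        ok = outcomes.get(module, False)
        trace.append(f"{module}: {'success' if ok else 'failure'} [{control}]")
        if control in ("required", "requisite"):
            if not ok:
                result = False
                if control == "requisite":
                    break
            elif result is None:
                result = True
        elif control == "sufficient":
            if ok and result is not False:   # success ends the stack unless a required module failed
                return True, trace
        else:
            actions = dict(tok.split("=", 1) for tok in control.split())
            action = actions.get("success" if ok else "default", "bad")
            if action == "ignore":
                continue
            if action in ("bad", "die"):
                result = False
                if action == "die":
                    break
                continue
            if result is not False:          # 'ok', 'done' and N all contribute this result
                result = ok
            if action == "done":
                break
            if action.isdigit():
                i += int(action)             # jump over the next N modules
    return result is True, trace

def simulate_login(stack_text: str, user: str, rhost: str,
                   totp_ok: bool, password_ok: bool) -> Tuple[bool, List[str]]:
    """pam_access decides from the rule file; the other modules get assumed results."""
    outcomes = {"pam_access.so": access_allowed(ACCESS_LOCAL_CONF, user, rhost),
                "pam_google_authenticator.so": totp_ok, "pam_unix.so": password_ok}
    return run_auth_stack(stack_text, outcomes)
```

Calling simulate_login for the two stacks shows the two behaviours: with success=done, a match from 192.168.211.0/24 ends the auth stack right there, so every module below the pam_access line is skipped, not just pam_google_authenticator; with success=1, only the single next line is skipped and the stack continues, so that form only bypasses the second factor if pam_google_authenticator.so is the very next line. From any other address the pam_access line is ignored and the TOTP line still decides.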