Ubuntu: Two factor authentication on ssh server with Google's Authentication



Question:

I've followed several different guides on how to configure two factor authentication on my ssh server using Google's libpam-google-authenticator. I've been able to get it to work, but when I try to log in from my desktop or any other device over ssh I have to give it my ssh-key, user password, and then the authenticator token. But in my sshd_config file I have:

AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes

And in my /etc/pam.d/sshd I added

auth required pam_google_authenticator.so  

So I think it should not ask for password as well. How can I fix it?


Solution:1

Comment out the line @include common-auth from your /etc/pam.d/sshd. It will ask only for the second factor (if configured!).


Solution:2

Basically @Jakuje is right.

The common-auth contains a line with pam_unix.so. I would create a new file /etc/pam.d/google_auth and include this in your /etc/pam.d/sshd instead of common-auth. This way you are more modular.

The google-auth would basically look like this:

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_google_authenticator.so
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

This way you can include the google-auth in whichever service you like.
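Added example, not part of the question or either answer: a small Python checker that lists what a login has to supply under the sshd_config and /etc/pam.d/sshd from the question, before and after the `@include common-auth` line is commented out. The file contents are constructed samples (COMMON_AUTH is modelled on the pam_unix.so line Solution 2 mentions), and the function and variable names are made up for this illustration.

```python
import re

# Constructed sample files, not taken from a real host.
SSHD_CONFIG = """AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
"""
COMMON_AUTH = """auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
"""
PAM_BEFORE = "@include common-auth\nauth required pam_google_authenticator.so\n"
PAM_AFTER = "#@include common-auth\nauth required pam_google_authenticator.so\n"
PROMPTS = {"pam_unix.so": "password", "pam_google_authenticator.so": "verification code"}

def sshd_options(text):
    """Parse sshd_config: keywords are case-insensitive, first value wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def auth_modules(pam_text, includes):
    """Auth modules in stack order; expands @include, ignores control-flag jumps."""
    mods = []
    for line in pam_text.splitlines():
        fields = line.split()
        if fields[:1] == ["@include"] and len(fields) > 1:
            mods += auth_modules(includes.get(fields[1], ""), includes)
        elif fields[:1] == ["auth"]:
            rest = re.sub(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+", "", line)
            mods.append(rest.split()[0])
    return mods

def login_factors(sshd_text, pam_text, includes):
    """What one login must supply, in order (first AuthenticationMethods list)."""
    opts = sshd_options(sshd_text)
    factors = []
    for method in opts.get("authenticationmethods", "any").split()[0].split(","):
        if method == "publickey":
            factors.append("ssh key")
        elif method.startswith("keyboard-interactive") and opts.get("usepam", "no").lower() == "yes":
            factors += [PROMPTS[m] for m in auth_modules(pam_text, includes) if m in PROMPTS]
    return factors

if __name__ == "__main__":
    print(login_factors(SSHD_CONFIG, PAM_BEFORE, {"common-auth": COMMON_AUTH}))
```

`PasswordAuthentication no` only disables sshd's own password method; the password prompt in the "before" case comes from pam_unix.so running inside the keyboard-interactive PAM stack.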

