Home / server / Questions / 790312
In Process
Itai Ganot
Asked: 2016-07-18 06:35:12 +0800 CST

How to set-up google-authenticator and set specific match rules to allow different login rules?

  • 772

I'm trying to set Google-Authenticator (google 2 factor authentication).

The relevant files are:

[root@srv01 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth      required    pam_google_authenticator.so
auth      required    pam_sepermit.so
auth      include     password-auth
account   required    pam_nologin.so
account   include     password-auth
password  include     password-auth
# pam_selinux.so close should be the first session rule
session   required    pam_selinux.so close
session   required    pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session   required    pam_selinux.so open env_params
session   required    pam_namespace.so
session   optional    pam_keyinit.so force revoke
session   include     password-auth


[root@srv01 ~]# egrep -v '^#' /etc/ssh/sshd_config | sed '/^$/d'
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
UsePAM yes
Match Address 10.13.0.*
  PermitRootLogin yes
  PasswordAuthentication yes

Following the guides over the internet, in order to enable Google-2fa you need to edit /etc/pam.d/sshd and add this line:

auth      required    pam_google_authenticator.so

And then you need to edit /etc/ssh/sshd_config and change these lines as follows:

PasswordAuthentication no
ChallengeResponseAuthentication yes

In my case, Google 2FA works and allows the users which have configured google-authenticator to login by providing both OTP and password but when I try to connect to root user on the machine from a machine in the same network my password is rejected (even though it's the correct password). When I try to connect to root@machine the issue looks like so:

Using username "root".
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:

And in /var/log/secure:

 sshd(pam_google_authenticator)[10990]: Failed to read "/root/.google_authenticator"

I never ran google_authenticator on root's user so I don't know why it's looking for it.

What I'm trying to achieve is as follows:

  1. I want that "PermitRootLogin" will be set to "no" globally (when connecting to the server from the outside world), but that it will be set to "yes" if the remote machine IP Matches the rule which specifies the local network (as can be seen in the configuration file).

  2. I want the users which configured google-2fa to still be able to log in by providing both OTP and password.

It could be that the line in /etc/pam.d/sshd is misplaced but I'm not sure where I should place it.

Anyone knows how to make it work with these rules?

login ssh pam google-authenticator

1 Answers

  1. You missed one small detail from the manual:

    nullok

    Allow users to log in without OTP, if they haven't set up OTP yet.

    Your pam.d/sshd file should include this:

    auth      required    pam_google_authenticator.so    nullok

    If you don't use nullok, all users without the google auth setup will be locked out. Using nullok, they can still login without 2FA until they configure it.

    • 1