Two-Factor SSH login to CentOS 7

bertalanimre
Posts: 140
Joined: 2015/06/02 13:04:03

Post by bertalanimre » 2017/05/22 09:19:42

Hey Forum,

I've a CentOS 7 server where I want to enable a two-factor SSH login while using ssh-keys. I've done the following so far, according to any of the tutorials on the web if you search for "centos 7 google-authenticator ssh":

- Installed google_authenticator
- generated qr code with google_authenticator command
- added auth required pam_google_authenticator.so to /etc/pam.d/sshd
- changed ChallengeResponseAuthentication from no to yes in /etc/ssh/sshd_config
- restarted sshd with systemctl restart sshd

Results: I can still log in without any 2nd step in the verification. So it doesn't ask for my authentication code. Do you know what I missed, according to what I've said?

Bert

Post by bertalanimre » 2017/05/22 09:51:43

In the meanwhile, I've added the following line to the end of /etc/ssh/sshd_config:

AuthenticationMethods publickey,keyboard-interactive:pam

Now it asks for a verification code but also asks for the pam password, which should be provided by my public key.

Post by bertalanimre » 2017/05/22 10:26:45

OK, to sum it all up, here is my current SSH config:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UsePrivilegeSeparation sandbox
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Now it asks for the user's password and a verification code. I don't want the user's password to be requested. That should be provided by the ssh key. What is wrong here?

Post by bertalanimre » 2017/05/22 10:54:36

OK, I've solved it on my own. :) Here are the results.

!!!!!MAKE SURE YOU CREATE A GOOGLE-AUTHENTICATION FOR THE USER YOU WISH TO LOG IN TO THE SERVER BEFORE MAKING THESE SETTINGS!!!!!


In the SSH config, it was all good. The required lines were then the following:

PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

With this we've told SSH that it needs to ask for two types of authentication. The 1st one will be the publickey. The 2nd is any kind of keyboard input. Now the input needs to be declared in pam.d/sshd.

So to the 1st option, add the following:

auth required pam_google_authenticator.so

This is not enough, because with the current settings the system asks for the pam password as well, as it is set by default in this configuration file. Now, to disable the pam authentication we have to comment out the line which looks like this:

auth       substack     password-auth

After we restart the sshd on the server with the changes, nobody will be able to log in unless they have a verification code.

Does anyone see an error in my solution? Maybe this setting ignores the public key altogether?
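
As an added example that is not part of the original thread, the script below audits copies of the two files edited above and checks that every `AuthenticationMethods` alternative requires both the public key and the PAM prompt, and that `password-auth` is no longer in the sshd auth stack. The function names and the sample files are constructed for illustration, and it assumes no `Match` block or included file overrides the settings.

```shell
#!/bin/sh
# Added example, not from the thread: offline audit of the two edited files.
# Assumption: no Match block or Include file overrides these settings.

# Print the first value set for KEYWORD (sshd keeps the first occurrence).
sshd_value() {  # sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# True only if EVERY alternative list demands both the key and the PAM prompt.
methods_ok() {  # methods_ok "list1 list2 ..."
    [ -n "$1" ] || return 1
    for alt in $1; do
        case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$alt," in *,keyboard-interactive,*|*,keyboard-interactive:pam,*) ;; *) return 1 ;; esac
    done
}

# True if an uncommented "auth <pattern>" line exists in the PAM file.
pam_auth() { grep -Eq "^[[:space:]]*auth[[:space:]]+$2" "$1"; }
no_password_stack() { ! pam_auth "$1" '(substack|include)[[:space:]]+password-auth'; }

check() {  # check DESCRIPTION COMMAND [ARGS...]
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; failures=$((failures + 1)); fi
}

audit_2fa() {  # audit_2fa SSHD_CONFIG PAM_SSHD; returns 0 only if all checks pass
    failures=0
    check "PasswordAuthentication no" test "$(sshd_value "$1" PasswordAuthentication)" = no
    check "ChallengeResponseAuthentication yes" test "$(sshd_value "$1" ChallengeResponseAuthentication)" = yes
    check "UsePAM yes" test "$(sshd_value "$1" UsePAM)" = yes
    check "every AuthenticationMethods list needs key + prompt" methods_ok "$(sshd_value "$1" AuthenticationMethods)"
    check "pam_google_authenticator.so is required" pam_auth "$2" 'required[[:space:]]+pam_google_authenticator\.so'
    check "password-auth is not in the sshd auth stack" no_password_stack "$2"
    [ "$failures" -eq 0 ]
}

# Constructed sample files mirroring the final settings in the thread.
demo=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' \
    'AuthenticationMethods publickey,keyboard-interactive' 'UsePAM yes' > "$demo/sshd_config"
printf '%s\n' 'auth required pam_google_authenticator.so' \
    '#auth       substack     password-auth' > "$demo/pam_sshd"
audit_2fa "$demo/sshd_config" "$demo/pam_sshd"
```

On a live host, `sshd -T` (run as root) prints the effective configuration, which also reflects defaults that a file-based check like this cannot see.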