OpenSSH use (public key or password) + google authenticator
Solution 1:
"I found out that whenever I set UsePAM to yes, the password authentication fails. Not sure why?"
The UsePAM option makes the authentication method password use the same PAM module as you want to use for second factor. This is why it rejects your password.
This is an answer to your question, explaining "why", but not a complete solution for "how to make it better". Setting up this combination is tricky. I wanted to learn how to do that simply and correctly, but didn't have the time so far. But I am open to your ideas :)
Solution 2:
I spent all morning trying to get this one to work. AFAIK now, the publickey authentication method occurs OUTSIDE the PAM stack.
From what I can observe, having ChallengeResponseAuthentication yes and UsePAM yes means that the value of PasswordAuthentication is effectively ignored and can be considered no. This means the password value of AuthenticationMethods will always fail.
Which would not be an issue if we could observe the success or failure state of a publickey login inside the PAM stack. But we can't - it seems to be handled entirely inside SSH.
This means that we can do (as valid AuthenticationMethods sets):
- publickey and nothing else
- The entire PAM stack
- publickey and the entire PAM stack
But not as we are wanting: publickey and part of the PAM stack based on whether publickey was a success.
Would love to be proven wrong on this!
Solution 3:
The answer is simply that it is not possible to request two factors with password authentication, but with an explanation for you that will help get things working. You're looking at password authentication as the way to use a password. This is incorrect.
'password authentication' is a simple request for a single password. There's no specific prompt sent by the server to the client. It's the client that chooses how to label the prompt, such as when it asks "Enter password for user@host:".
'keyboard-interactive' is a more complex request for an arbitrary number of pieces of information. For each piece of information the server sends the label for the prompt. Moreover, it allows the server to provide a description of the form of the response it expects. The server can also specify which inputs are secret (passwords need to be obfuscated on screen) and which are not (OTPs).
In the majority of cases the keyboard-interactive authentication is used to request the single "secret" password prompt, so there's hardly any difference compared to the password authentication for the end user.
Since keyboard-interactive is an authentication mechanism that allows the server to send multiple challenge/response pairs, the Google Authenticator PAM plug-in needs it to send two questions: the password and the OTP.
So password authentication will NEVER work with Google Authenticator, since it doesn't have the ability to prompt for more than one thing. Google Authenticator will work with private-keys and the OTP into the password prompt (though not ideally). Google Authenticator will work with keyboard-interactive with the password and the OTP. Google Authenticator will NOT work with a password prompt as it cannot ask for the right information.
In your client software, prioritize keyboard-interactive over password and you'll be set with getting the two prompts with your current configuration. To avoid having it at all, we can disable password authentication entirely.
"My question actually breaks down to: How do I use "UsePAM yes" together with "AuthenticationMethods password""
To directly answer this, you can't. Remove password as a supported authentication method and rely on keyboard-interactive for your password authentications. Set "PasswordAuthentication no" in /etc/ssh/sshd_config.
So, /etc/ssh/sshd_config:
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
# I don't use AuthenticationMethods at all and rely on my yes/no's
/etc/pam.d/sshd (at the bottom):
auth required pam_google_authenticator.so nullok
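As an added check that is not part of any of the answers above, the following script reads an sshd_config and flags the combinations the answers describe as non-working (UsePAM off, keyboard-interactive off, or "password" listed in AuthenticationMethods). The parser, the sample configs and the assumed upstream defaults (UsePAM no, PasswordAuthentication yes, ChallengeResponseAuthentication yes, AuthenticationMethods any) are assumptions of this example.

```shell
#!/bin/sh
# Constructed audit helper for the UsePAM / password / keyboard-interactive
# discussion above; not code from the original answers. Parses the main
# section only (stops at the first Match block) and ignores the rare
# "Keyword=value" spelling.

# Print the value of KEYWORD in FILE (lower-cased), or DEFAULT if unset.
# sshd_config keywords are case-insensitive and the FIRST value wins.
sshd_opt() {  # usage: sshd_opt FILE KEYWORD DEFAULT
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print tolower($0); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Return 0 if FILE can deliver password + OTP through PAM, 1 otherwise.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    f=$1; rc=0
    usepam=$(sshd_opt "$f" UsePAM no)
    passauth=$(sshd_opt "$f" PasswordAuthentication yes)
    chalresp=$(sshd_opt "$f" ChallengeResponseAuthentication yes)
    methods=$(sshd_opt "$f" AuthenticationMethods any)
    if [ "$usepam" != yes ]; then
        echo "FAIL: UsePAM is '$usepam'; the PAM module is never consulted"; rc=1
    fi
    if [ "$chalresp" != yes ]; then
        echo "FAIL: ChallengeResponseAuthentication is '$chalresp'; keyboard-interactive is needed for the password + OTP prompts"; rc=1
    fi
    # 'password' as a required method: with UsePAM yes it goes through PAM,
    # which cannot issue the second prompt, so the method can never succeed.
    if printf '%s' "$methods" | tr ', ' '\n\n' | grep -qx password; then
        echo "FAIL: AuthenticationMethods requires 'password' ($methods); use keyboard-interactive instead"; rc=1
    fi
    if [ "$passauth" = yes ] && [ "$chalresp" = yes ] && [ "$usepam" = yes ]; then
        echo "WARN: PasswordAuthentication yes is effectively ignored; set it to no and rely on keyboard-interactive"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`; `sshd -T` remains the authoritative view of the effective configuration, this script only spots the contradictions discussed here.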