This is discussed at Google Authenticator PAM on SSH blocks root login without 2FA. This still doesn't let root login with an ssh key. sshd logs:

sshd: fatal: Internal error: PAM auth succeeded when it should have failed

Then you need pam_permit to make authentication successful for users without authenticator (for which pam_google_authenticator returns ignore rather than pass).

# Require authenticator, if not configured then allow
auth required

common-auth must be disabled because it includes pam_unix, which I don't want to use. In /etc/pam.d/sshd, # Standard Un*x common-auth

Some users have authenticator enabled and some don't, and only SSH logins with public keys are permitted, never passwords. I've also tried various combinations of auth required and auth sufficient before and after common-auth but they all result in users without authenticator being asked for a password and sometimes users WITH authenticator also being asked for a password.

Does anyone have a recipe to make this work? Is pam_permit needed to set up the fallback case? In this case, users without an authenticator setup get rejected with the following debug:

Aug 05 15:11:18 sshd(pam_google_authenticator): debug: start of google_authenticator for ""
Aug 05 15:11:18 sshd(pam_google_authenticator): debug: end of google_authenticator for "" Result: The return value should be ignored by PAM dispatch
Aug 05 15:11:18 sshd: error: PAM: Permission denied for from

In /etc/pam.d/sshd I've tried (like this Trying to get SSH with public key (no password) + google authenticator working on Ubuntu 14.04.1):

common-auth
auth required pam_google_authenticator.so debug nullok

Depending on what I use, users are either prompted for a password (they don't have one), or not allowed in at all. I haven't been able to work out the correct PAM config so that users without a .google_authenticator file are still logged in.
I've installed libpam-google-authenticator and configured /etc/ssh/sshd_config with:

PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

My problem is that no matter what I put in the PAM config, users without authenticator enabled are never logged straight in, but always asked for a password. I'm running Debian buster, and I've also tried libpam-google-authenticator from bullseye. Everybody uses ssh public keys, and nobody has a password. Not all users need authenticator enabled. I'm trying to enable 2FA with ssh using libpam-google-authenticator.

This module now supports both QR Codes and Mobile Codes, although we recommend using Mobile Codes, because it has more flexibility (there is a default preset for Mobile Codes which can be altered to your need: different providers and adjustable options per provider). If you want to protect uid 1, you have to enable the option 'Protect my account with two-factor-authentication' on user/1/edit!

Drupal 7 Recommended Modules

In other words, consider this version almost unsupported. There won't be any new features, and even major bugs will probably not be fixed anymore. The Drupal 7 module is minimally maintained. The TFA Basic plugins module is the recommended solution for TOTP tokens in Drupal 7. It has less usage than the TFA Basic plugins module, which provides the equivalent plugin for Drupal 7. The Drupal 7 version of this module provides a standalone TFA implementation.

It is recommended to remove this module from any running site, and use instead an updated version of the TFA module. That functionality has been merged into that module, and removed from this one, emptying it completely. The Drupal 8 and 9 version of this module used to provide a TOTP/HOTP plugin for the Two-Factor Authenticator module. It also supports the HMAC-based One-time Password algorithm (HOTP). It works with Google's Authenticator, Authy, FreeOTP and any other TOTP-based authenticator applications.
This module will allow you to add Time-based One-time Password algorithm (TOTP, also called "Two-Factor Authentication - TFA" or "Multi-Factor Authentication - MFA") support to user logins.