How do I require MFA only when it has been set up?


I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:



/etc/ssh/sshd_config



X11Forwarding yes
PrintMotd no

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

AllowUsers me him
PermitRootLogin no
MaxStartups 15
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive


/etc/pam.d/sshd



# Standard Un*x authentication.
#@include common-auth

account required pam_nologin.so

# Standard Un*x authorization.
@include common-account

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

session required pam_loginuid.so

session optional pam_keyinit.so force revoke

@include common-session

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

session optional pam_mail.so standard noenv # [1]

session required pam_limits.so

session required pam_env.so # [1]

session required pam_env.so user_readenv=1 envfile=/etc/default/locale

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password

auth required pam_google_authenticator.so nullok


From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:



$ ssh him@my_device
him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).


Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?



By the way, this is Ubuntu 18.04 LTS.









      ubuntu sshd pam google-authenticator





      asked 1 min ago









      Kyle Roth
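An added check, not part of the question or of any answer on the page: the Python script below parses a /etc/pam.d/sshd-style file (plain and bracketed control fields, @include lines) and flags the configuration shown above, where common-auth is commented out and pam_google_authenticator.so with nullok is the only auth module. Its premise is an assumption about libpam rather than something the page states: with nullok the module returns PAM_IGNORE for a user who has no ~/.google_authenticator, and an auth stack in which no module can return success is denied, which is consistent with the "Permission denied (keyboard-interactive)" above; the second constructed sample adds `auth required pam_permit.so` as a module that can supply that success.

```python
import re

# Constructed sample, copied from the question's /etc/pam.d/sshd (common-auth commented out).
PAM_SSHD_QUESTION = """\
# Standard Un*x authentication.
#@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
@include common-session
@include common-password
auth required pam_google_authenticator.so nullok
"""

# Constructed variant: pam_permit.so can return PAM_SUCCESS, which the nullok module cannot.
PAM_SSHD_WITH_PERMIT = PAM_SSHD_QUESTION + "auth required pam_permit.so\n"

ENTRY_RE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<ctl>\[[^\]]*\]|\S+)\s+(?P<mod>\S+)\s*(?P<args>.*)$")

def parse_pam(text):
    """Parse pam.d lines into (type, control, module, args) tuples; an '@include X'
    line becomes ('include', None, 'X', ''). Comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and commented-out lines
        if not line:
            continue
        if line.startswith("@include"):
            entries.append(("include", None, line.split()[1], ""))
        elif (m := ENTRY_RE.match(line)):
            entries.append((m["type"], m["ctl"], m["mod"], m["args"].strip()))
    return entries

def auth_stack_verdict(entries):
    """'no-verdict' when the only auth modules are pam_google_authenticator.so with
    nullok (PAM_IGNORE for users lacking ~/.google_authenticator) and nothing else
    in the auth stack can return PAM_SUCCESS; 'ok' otherwise (assumed libpam rule)."""
    success_sources = []
    for typ, _ctl, mod, args in entries:
        if typ == "include" and mod == "common-auth":
            success_sources.append(mod)           # pam_unix.so etc. live in common-auth
        elif typ == "auth":
            ga_nullok = mod.endswith("pam_google_authenticator.so") and "nullok" in args.split()
            if not ga_nullok:
                success_sources.append(mod)
    return "ok" if success_sources else "no-verdict"
```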
