Tjyylli

Walter Rudin's mathematical analysis: theorem 2.43. Why proof can't work under the perfect set is uncountable.

Why would five hundred and five same as one?

Why didn't Voldemort know what Grindelwald looked like?

Did I make a mistake by ccing email to boss to others?

How can I, as DM, avoid the Conga Line of Death occurring when implementing some form of flanking rule?

What properties make a magic weapon befit a Rogue more than a DEX-based Fighter?

Not hide and seek

Derivative of an interpolated function

Output visual diagram of picture

Turning a hard to access nut?

Weird lines in Microsoft Word

Friend wants my recommendation but I don't want to give it to him

What is this high flying aircraft over Pennsylvania?

How do you say "Trust your struggle." in French?

How would a solely written language work mechanically

Magnifying glass in hyperbolic space

Why is participating in the European Parliamentary elections used as a threat?

What is the period/term used describe Giuseppe Arcimboldo's style of painting?

How to split IPA spelling into syllables

Extract substring according to regexp with sed or grep

Make a Bowl of Alphabet Soup

PTIJ: Which Dr. Seuss books should one obtain?

Why does the frost depth increase when the surface temperature warms up?

What is the meaning of "You've never met a graph you didn't like?"

How do I require MFA only when it has been set up?

Can only ssh into Ubuntu 12.04 alpha machine when logged into consoleCan't Get libpam-ssh-agent-auth Working In Ubuntu 13.10Wrong IP address present when connecting from localhost to localhostTime Machine on Ubuntu Server via SSH tunnel - backup failsConsoleKit reports active/is-local only on the second+ loginUbuntu only resolves DNS when the router's IP address is present in the DNS servers listHow to get rid of “Authenticated with partial success” message when using two factor authenticationEnable root login via ssh not working?How to recover QR codes from Google Authenticator?OpenSSH: Require Public Key Authentication for a Particular User

0

I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:

/etc/ssh/sshd_config

X11Forwarding yes

PrintMotd no



AcceptEnv LANG LC_*



Subsystem   sftp    /usr/lib/openssh/sftp-server



AllowUsers me him

PermitRootLogin no

MaxStartups 15

UsePAM yes

ChallengeResponseAuthentication yes

PasswordAuthentication no

AuthenticationMethods publickey,keyboard-interactive

/etc/pam.d/sshd

# Standard Un*x authentication.

#@include common-auth



account    required     pam_nologin.so



# Standard Un*x authorization.

@include common-account



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close



session    required     pam_loginuid.so



session    optional     pam_keyinit.so force revoke



@include common-session



session    optional     pam_motd.so  motd=/run/motd.dynamic

session    optional     pam_motd.so noupdate



session    optional     pam_mail.so standard noenv # [1]



session    required     pam_limits.so



session    required     pam_env.so # [1]



session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open



# Standard Un*x password updating.

@include common-password



auth required pam_google_authenticator.so nullok

From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:

$ ssh him@my_device

him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).

Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?

By the way, this is Ubuntu 18.04 LTS.

ubuntu sshd pam google-authenticator

share

asked 1 min ago

Kyle RothKyle Roth

1164

add a comment | 

0

I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:

/etc/ssh/sshd_config

X11Forwarding yes

PrintMotd no



AcceptEnv LANG LC_*



Subsystem   sftp    /usr/lib/openssh/sftp-server



AllowUsers me him

PermitRootLogin no

MaxStartups 15

UsePAM yes

ChallengeResponseAuthentication yes

PasswordAuthentication no

AuthenticationMethods publickey,keyboard-interactive

/etc/pam.d/sshd

# Standard Un*x authentication.

#@include common-auth



account    required     pam_nologin.so



# Standard Un*x authorization.

@include common-account



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close



session    required     pam_loginuid.so



session    optional     pam_keyinit.so force revoke



@include common-session



session    optional     pam_motd.so  motd=/run/motd.dynamic

session    optional     pam_motd.so noupdate



session    optional     pam_mail.so standard noenv # [1]



session    required     pam_limits.so



session    required     pam_env.so # [1]



session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open



# Standard Un*x password updating.

@include common-password



auth required pam_google_authenticator.so nullok

From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:

$ ssh him@my_device

him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).

Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?

By the way, this is Ubuntu 18.04 LTS.

ubuntu sshd pam google-authenticator

share

asked 1 min ago

Kyle RothKyle Roth

1164

add a comment | 

I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:

/etc/ssh/sshd_config

X11Forwarding yes

PrintMotd no



AcceptEnv LANG LC_*



Subsystem   sftp    /usr/lib/openssh/sftp-server



AllowUsers me him

PermitRootLogin no

MaxStartups 15

UsePAM yes

ChallengeResponseAuthentication yes

PasswordAuthentication no

AuthenticationMethods publickey,keyboard-interactive

/etc/pam.d/sshd

# Standard Un*x authentication.

#@include common-auth



account    required     pam_nologin.so



# Standard Un*x authorization.

@include common-account



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close



session    required     pam_loginuid.so



session    optional     pam_keyinit.so force revoke



@include common-session



session    optional     pam_motd.so  motd=/run/motd.dynamic

session    optional     pam_motd.so noupdate



session    optional     pam_mail.so standard noenv # [1]



session    required     pam_limits.so



session    required     pam_env.so # [1]



session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open



# Standard Un*x password updating.

@include common-password



auth required pam_google_authenticator.so nullok

From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:

$ ssh him@my_device

him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).

Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?

By the way, this is Ubuntu 18.04 LTS.

ubuntu sshd pam google-authenticator

share

asked 1 min ago

Kyle RothKyle Roth

1164

X11Forwarding yes

PrintMotd no



AcceptEnv LANG LC_*



Subsystem   sftp    /usr/lib/openssh/sftp-server



AllowUsers me him

PermitRootLogin no

MaxStartups 15

UsePAM yes

ChallengeResponseAuthentication yes

PasswordAuthentication no

AuthenticationMethods publickey,keyboard-interactive

# Standard Un*x authentication.

#@include common-auth



account    required     pam_nologin.so



# Standard Un*x authorization.

@include common-account



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close



session    required     pam_loginuid.so



session    optional     pam_keyinit.so force revoke



@include common-session



session    optional     pam_motd.so  motd=/run/motd.dynamic

session    optional     pam_motd.so noupdate



session    optional     pam_mail.so standard noenv # [1]



session    required     pam_limits.so



session    required     pam_env.so # [1]



session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale



session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open



# Standard Un*x password updating.

@include common-password



auth required pam_google_authenticator.so nullok

$ ssh him@my_device

him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).

share

asked 1 min ago

Kyle RothKyle Roth

1164

share

asked 1 min ago

Kyle RothKyle Roth

1164

asked 1 min ago

Kyle RothKyle Roth

1164

asked 1 min ago

Kyle RothKyle Roth

1164