How do I require MFA only when it has been set up?Can only ssh into Ubuntu 12.04 alpha machine when logged...

Walter Rudin's mathematical analysis: theorem 2.43. Why proof can't work under the perfect set is uncountable.

Why would five hundred and five same as one?

Why didn't Voldemort know what Grindelwald looked like?

Did I make a mistake by ccing email to boss to others?

How can I, as DM, avoid the Conga Line of Death occurring when implementing some form of flanking rule?

What properties make a magic weapon befit a Rogue more than a DEX-based Fighter?

Not hide and seek

Derivative of an interpolated function

Output visual diagram of picture

Turning a hard to access nut?

Weird lines in Microsoft Word

Friend wants my recommendation but I don't want to give it to him

What is this high flying aircraft over Pennsylvania?

How do you say "Trust your struggle." in French?

How would a solely written language work mechanically

Magnifying glass in hyperbolic space

Why is participating in the European Parliamentary elections used as a threat?

What is the period/term used describe Giuseppe Arcimboldo's style of painting?

How to split IPA spelling into syllables

Extract substring according to regexp with sed or grep

Make a Bowl of Alphabet Soup

PTIJ: Which Dr. Seuss books should one obtain?

Why does the frost depth increase when the surface temperature warms up?

What is the meaning of "You've never met a graph you didn't like?"



How do I require MFA only when it has been set up?


Can only ssh into Ubuntu 12.04 alpha machine when logged into consoleCan't Get libpam-ssh-agent-auth Working In Ubuntu 13.10Wrong IP address present when connecting from localhost to localhostTime Machine on Ubuntu Server via SSH tunnel - backup failsConsoleKit reports active/is-local only on the second+ loginUbuntu only resolves DNS when the router's IP address is present in the DNS servers listHow to get rid of “Authenticated with partial success” message when using two factor authenticationEnable root login via ssh not working?How to recover QR codes from Google Authenticator?OpenSSH: Require Public Key Authentication for a Particular User













0















I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:



/etc/ssh/sshd_config



X11Forwarding yes
PrintMotd no

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

AllowUsers me him
PermitRootLogin no
MaxStartups 15
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive


/etc/pam.d/sshd



# Standard Un*x authentication.
#@include common-auth

account required pam_nologin.so

# Standard Un*x authorization.
@include common-account

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

session required pam_loginuid.so

session optional pam_keyinit.so force revoke

@include common-session

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

session optional pam_mail.so standard noenv # [1]

session required pam_limits.so

session required pam_env.so # [1]

session required pam_env.so user_readenv=1 envfile=/etc/default/locale

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password

auth required pam_google_authenticator.so nullok


From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:



$ ssh him@my_device
him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).


Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?



By the way, this is Ubuntu 18.04 LTS.









share



























    0















    I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:



    /etc/ssh/sshd_config



    X11Forwarding yes
    PrintMotd no

    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    AllowUsers me him
    PermitRootLogin no
    MaxStartups 15
    UsePAM yes
    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    AuthenticationMethods publickey,keyboard-interactive


    /etc/pam.d/sshd



    # Standard Un*x authentication.
    #@include common-auth

    account required pam_nologin.so

    # Standard Un*x authorization.
    @include common-account

    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

    session required pam_loginuid.so

    session optional pam_keyinit.so force revoke

    @include common-session

    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate

    session optional pam_mail.so standard noenv # [1]

    session required pam_limits.so

    session required pam_env.so # [1]

    session required pam_env.so user_readenv=1 envfile=/etc/default/locale

    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

    # Standard Un*x password updating.
    @include common-password

    auth required pam_google_authenticator.so nullok


    From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:



    $ ssh him@my_device
    him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).


    Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?



    By the way, this is Ubuntu 18.04 LTS.









    share

























      0












      0








      0








      I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:



      /etc/ssh/sshd_config



      X11Forwarding yes
      PrintMotd no

      AcceptEnv LANG LC_*

      Subsystem sftp /usr/lib/openssh/sftp-server

      AllowUsers me him
      PermitRootLogin no
      MaxStartups 15
      UsePAM yes
      ChallengeResponseAuthentication yes
      PasswordAuthentication no
      AuthenticationMethods publickey,keyboard-interactive


      /etc/pam.d/sshd



      # Standard Un*x authentication.
      #@include common-auth

      account required pam_nologin.so

      # Standard Un*x authorization.
      @include common-account

      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

      session required pam_loginuid.so

      session optional pam_keyinit.so force revoke

      @include common-session

      session optional pam_motd.so motd=/run/motd.dynamic
      session optional pam_motd.so noupdate

      session optional pam_mail.so standard noenv # [1]

      session required pam_limits.so

      session required pam_env.so # [1]

      session required pam_env.so user_readenv=1 envfile=/etc/default/locale

      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

      # Standard Un*x password updating.
      @include common-password

      auth required pam_google_authenticator.so nullok


      From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:



      $ ssh him@my_device
      him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).


      Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?



      By the way, this is Ubuntu 18.04 LTS.









      share














      I'd like to require every user to use MFA with Google Authenticator. Each time I add a new user, I want to allow them to log in using their SSH key only once, and upon login require them to create a secret key by running GAuth setup in their .bash_login. This will create ~/.google_authenticator in their home directory. I followed these instructions (Ctrl+F "Another method to force the creation") to set up my sshd_config and pam.d. Here they are, with comments removed:



      /etc/ssh/sshd_config



      X11Forwarding yes
      PrintMotd no

      AcceptEnv LANG LC_*

      Subsystem sftp /usr/lib/openssh/sftp-server

      AllowUsers me him
      PermitRootLogin no
      MaxStartups 15
      UsePAM yes
      ChallengeResponseAuthentication yes
      PasswordAuthentication no
      AuthenticationMethods publickey,keyboard-interactive


      /etc/pam.d/sshd



      # Standard Un*x authentication.
      #@include common-auth

      account required pam_nologin.so

      # Standard Un*x authorization.
      @include common-account

      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

      session required pam_loginuid.so

      session optional pam_keyinit.so force revoke

      @include common-session

      session optional pam_motd.so motd=/run/motd.dynamic
      session optional pam_motd.so noupdate

      session optional pam_mail.so standard noenv # [1]

      session required pam_limits.so

      session required pam_env.so # [1]

      session required pam_env.so user_readenv=1 envfile=/etc/default/locale

      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

      # Standard Un*x password updating.
      @include common-password

      auth required pam_google_authenticator.so nullok


      From what I understand, the "nullok" on the last line means that if no secret key has been set up, nothing is required to satisfy that auth requirement. But when I try to log in with a user who has no secret key configured, I get something like the following:



      $ ssh him@my_device
      him@xxx.xxx.xxx.xxx: Permission denied (keyboard-interactive).


      Once the .google_authenticator file is created, login should proceed fine. How do I allow this kind of login as long as .google_authenticator is not present?



      By the way, this is Ubuntu 18.04 LTS.







      ubuntu sshd pam google-authenticator





      share












      share










      share



      share










      asked 1 min ago









      Kyle RothKyle Roth

      1164




      1164






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1415547%2fhow-do-i-require-mfa-only-when-it-has-been-set-up%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1415547%2fhow-do-i-require-mfa-only-when-it-has-been-set-up%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...

          Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

          VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...