authenticationgroupspamsshusers
I recently enabled two-factor-authentication using google-authenticator on my SSH server. However I am now facing a problem:
I have a different group of users on my server which I am using for SFTP, but that group is no longer able to login since 2FA isn't set up for the users in the group. Is it possible to disable the google-authenticator module for that group? Enabling it for the users in the group is not an option because multiple users will be using this account.
PS: I use openssh-server
Note: Once you have activated the 2-factor authentication for a user and haven't set the same for root, you will never be able to Login as root directly. In such a case a way around is to use any other sudo user for whom we have it setup and then use sudo su - to switch to the root user.
Use below steps to set it up.
Install below given package to install Google authenticator which we will use as an add-on with PAM authentication:
sudo apt-get install libpam-google-authenticator
Now edit /etc/pam.d/sshd this file and add Google Authenticator as given below:
*sudo vim /etc/pam.d/sshd
enter below at the top this file-
auth required pam_google_authenticator.so
Here we have to make changes in /etc/ssh/sshd_config to ensure ssh uses the Google Authenticator, this way we ensure ssh is using the two factor authentication.
vim /etc/ssh/sshd_config
In this file we have to find ChallengeResponseAuthentication and uncomment and/or modify it to look like below (in short set it to yes :P):
ChallengeResponseAuthentication yes
Extra or GUI 2-factor authentication else skip this and go to step 4: To enable it for GUI login, edit /etc/pam.d/common-auth:
sudo vim /etc/pam.d/common-auth
and now add this auth required pam_google_authenticator.so above the line auth [success=1 default=ignore] pam_unix.so nullok_secure then save the file.
Now change to an account on which you want to set it up.
(Note: I would suggest to create at least two super user accounts on the system apart than the root account and configure it at least, for one of them first but not the root account.)
sudo su - testuser1
Now we will use below command to setup the two-factor authentication for this testuser1:
google-authenticator
Running this command will ask you below question. (recommended answer is Yes)
Do you want authentication tokens to be time-based (y/n) y
After that it will show you the QR code and Emergency Scratch Codes and few other details. Out put should look like below given image:
Now you need to use your Android / Apple / Blackberry phone to download & install the Google Authenticator Application from the respective market places for example Google play store. which will generate code for you to login.
Below are the screenshot of the application Icon and application taken from application Android phone.
Start the application on your phone and scan the QR Code or else use the secret key and the verification code given below the QR code on the system, which you can also see in the first screenshot above.
Once all of this is done it is very important to note down and save your emergency scratch codes on a safe place, as those are the codes which can help you in case you get locked out somehow.
At this point in time you should take a look at the bottom of the screen where it is asking you a below question. (recommended answer is Yes):
Do you want me to update your "/home/testuser1/.google_authenticator" file (y/n) y
Again it will ask you one more question and the recommended answer for below question is also Yes:
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Next question would be as given below and the recommended answer for it is No:
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
And the last question would be as given below and recommended answer for it is Yes:
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Now switch exit from this account to go back to root account:
exit
Now restart the ssh service
service ssh restart
Now just take a ssh session for the user you have set it up for and it will first ask you for a verification code which you can enter from your mobile and then it will ask for a user password.
That is all what is required to setup the two factor authentication. Please feel free to improve the answer where required and please excuse me for the not so good language.
Using the below solution, PAM Module(google authenticator) can be disable for specific users-
1) Create a user group on the Linux instance. MFA/PAM will be disabled for users present in this new group-
sudo groupadd <groupname>
2) Create User or add existing user to newly created group-
sudo useradd <username>
sudo usermod -a -G <groupname> <username>
3) Edit /etc/pam.d/sshd file and add the below statement to skip PAM module for the newly created group-
auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>
Optional-
If full access is required for this new group then add below line to visudo file-
%<groupname>ALL=(ALL) NOPASSWD: ALL
When a user will be created and added to the new group, MFA will be skipped for those users.
Referenced from - TechManyu Blog
Best Answer
You can use
pam_succeed_ifmodule (see manual page) before thepam_google_authenticatorto skip this part for your group: