zypper install google-authenticator-libpam
Created a /etc/pam.d/sshd file with
auth required pam_google_authenticator.so nullok
Linked it to phone app via qr code
the 2fa / mfa part seems to work:
sshd(pam_google_auth)[1313571]: Accepted google_authenticator for <user>
but the password part seems to fail:
error: PAM: User account has expired for <user> from <ipv4>
fatal: monitor_read: unpermitted request 104
Tried this but failed:
sudo pam-config -a --google_authenticator
pam-config: invalid option -- --google_authenticator
What is the advised way to have mfa on incoming ssh sessions?
NespaLa
2
sshd(pam_google_auth)[54522]: Accepted google_authenticator for leo
sshd-session[54522]: pam_unix(sshd:auth): username [leo] obtained
sshd-session[54522]: pam_warn(sshd:account): function=[pam_sm_acct_mgmt] flags=0 service=[sshd] terminal=[ssh] user=[leo] ruser=[<unknown>] rhost=[xxxx]
sshd-session[54520]: error: PAM: User account has expired for leo from xxxx
sshd-session[54520]: fatal: monitor_read: unpermitted request 104
at ssh client side:
Verification code:
Password:
Authentication failed.
So looks like the problem is in pam config, not inside the google authenticator.
NespaLa
3
Fixed
The pam_unix had to be all 4 session/auth/account/password
With only auth it asked the end user for the password, but always gave expired.
Read a lot about PAM; every entry in /usr/lib64/security/ has a nice, readable man page.
/etc/pam.d # cat sshd
auth required pam_env.so
# auth optional pam_echo.so "before google"
auth required pam_google_authenticator.so
# auth optional pam_echo.so "past google"
session required pam_unix.so debug audit
auth required pam_unix.so debug audit
account required pam_unix.so debug audit
password required pam_unix.so debug audit
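An added sanity check, not part of the original post and not from the pam_google_authenticator project: a POSIX shell script that reads a PAM service file in the layout used above ("type control module [args]") and reports which management groups (auth, account, password, session) contain pam_unix.so and whether pam_google_authenticator.so sits in the auth group. Linux-PAM treats a service with no account rules as a failed account check, which is the "User account has expired" symptom in the thread, so the script flags exactly that gap. The two embedded configs are constructed samples modelled on the broken and fixed files in this thread; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the forum thread): check a PAM service file such as
# /etc/pam.d/sshd for the mistake seen above, where pam_unix.so appeared only
# in the auth group. Assumed rule layout: "[-]type control module [args]".

# Constructed sample resembling the broken config from the first post.
BROKEN_CFG='auth required pam_google_authenticator.so nullok
auth required pam_unix.so'

# Constructed sample resembling the working config from the last post.
FIXED_CFG='auth     required pam_env.so
# auth optional pam_echo.so "before google"
auth     required pam_google_authenticator.so
auth     required pam_unix.so
account  required pam_unix.so
password required pam_unix.so
session  required pam_unix.so'

# groups_for MODULE: read a PAM service file on stdin and print, space-separated,
# the management groups (auth/account/password/session) in which MODULE appears.
# Comment and blank lines are skipped; a leading '-' on the type (Linux-PAM
# "silent" rule) is dropped; bracketed controls like [success=1 default=ignore]
# are skipped because the module is taken as the first field ending in ".so".
groups_for() {
    awk -v mod="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            type = $1; sub(/^-/, "", type)
            for (i = 2; i <= NF; i++)
                if ($i ~ /\.so$/) { if ($i == mod) seen[type] = 1; break }
        }
        END {
            n = split("auth account password session", order, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (order[i] in seen) out = out (out == "" ? "" : " ") order[i]
            print out
        }'
}

# missing_unix_groups: print the groups in which pam_unix.so is absent
# (empty output means all four groups are covered, as in the fixed config).
missing_unix_groups() {
    have=" $(groups_for pam_unix.so) "
    out=""
    for g in auth account password session; do
        case "$have" in *" $g "*) ;; *) out="$out${out:+ }$g" ;; esac
    done
    printf '%s\n' "$out"
}

# check_config: read a service file on stdin; exit 0 if it looks right for
# SSH MFA, 1 otherwise, explaining what is missing.
check_config() {
    cfg=$(cat)
    ok=0
    case " $(printf '%s\n' "$cfg" | groups_for pam_google_authenticator.so) " in
        *" auth "*) ;;
        *) echo "missing: pam_google_authenticator.so in the auth group"; ok=1 ;;
    esac
    missing=$(printf '%s\n' "$cfg" | missing_unix_groups)
    if [ -n "$missing" ]; then
        echo "missing: pam_unix.so in group(s): $missing"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "ok: auth, account, password and session groups all handled"
    return "$ok"
}

# Usage against the constructed samples (on a real host: check_config < /etc/pam.d/sshd)
printf '%s\n' "$BROKEN_CFG" | check_config || echo "-> broken sample rejected"
printf '%s\n' "$FIXED_CFG"  | check_config || echo "-> fixed sample rejected"
```

Run it against the live file with `check_config < /etc/pam.d/sshd`; the broken sample reports pam_unix.so missing from account, password and session, while the fixed sample passes.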