
TL;DR: I ran google-authenticator when logged in as the root user. I should've run it as my normal user account instead.

I have just installed Debian 12 on a spare Apple Mac Mini. I want to control it via SSH from my iMac. I want to use SSH keys with a passphrase and I also wish to use Google Authenticator for multi-factor authentication.

On the iMac, I created ssh keys using ssh-keygen -t rsa and specified a passphrase. I then used ssh-copy-id [email protected] to copy the public key onto the remote Debian server.

I then wanted to disable password-only login, so I added the following two lines at the end of /etc/ssh/sshd_config:

    Match User david
        PasswordAuthentication no

I then ran systemctl restart sshd and logged out of the remote machine. I then tried to log back in, and I was asked for the passphrase, but not the password. So far, so good.

I then followed these two guides for setting up Google Authenticator: Guide 1 Guide 2

(I logged in as the root user so I didn't need to add sudo at the start of everything...)

Specifically:

    apt install -y libpam-google-authenticator
    google-authenticator
(answered yes to all four questions asked by the Google Authenticator setup)

    nano /etc/ssh/sshd_config
  -> Set UsePAM yes
  -> Added a line at the end of the file: "ChallengeResponseAuthentication yes"
  -> Added another line at the end of the file: "AuthenticationMethods publickey,keyboard-interactive"
  -> Saved and closed /etc/ssh/sshd_config

    nano /etc/pam.d/sshd
  -> Commented out the line "@include common-auth"
  -> Added a line at the end of the file: "auth required pam_google_authenticator.so"
  -> Saved and closed /etc/pam.d/sshd

    systemctl restart ssh

I then tried to log in with a different terminal window on my iMac, but I get the following error:

Received disconnect from 192.168.4.7 port 22:2: no authentication methods enabled

Disconnected from 192.168.4.7 port 22

I was able to revert my changes to the two files and re-connect just using the passphrase. However, I'm unable to get it to ask me for my passphrase and the Google Authenticator code.

What am I doing wrong please?

I found a similar issue, but the only answer on it doesn't provide enough detail.

Then make sure that PAM authentication is required by your configuration (PAM password authentication part is skipped if publickey authentication method succeeds). You can do that by setting appropriate AuthenticationMethods in sshd_config.

Unfortunately, they don't explain how to set "appropriate AuthenticationMethods in sshd_config", so that isn't of much help to me...

Thank you in advance.

Complete contents of /etc/ssh/sshd_config:

    Include /etc/ssh/sshd_config.d/*.conf
    KbdInteractiveAuthentication no
    UsePAM yes
    X11Forwarding yes
    PrintMotd no
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    ChallengeResponseAuthentication yes
    Match User david
        PasswordAuthentication no
        AuthenticationMethods publickey,keyboard-interactive

(plus a bunch of other lines that I have omitted because they are commented-out).

Complete contents of /etc/pam.d/sshd:

    account required pam_nologin.so
    @include common-account
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required pam_loginuid.so
    session optional pam_keyinit.so force revoke
    @include common-session
    session optional pam_motd.so motd=/run/motd.dynamic
    session optional pam_motd.so noupdate
    session optional pam_mail.so standard noenv # [1]
    session required pam_limits.so
    session required pam_env.so # [1]
    session required pam_env.so user_readenv=1 envfile=/etc/default/locale
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    @include common-password
    auth required pam_google_authenticator.so

(plus a bunch of other lines that I have omitted because they are commented-out)

Update after being advised to check the logs by Zoredache in the comments...

Complete output of ssh -vvv [email protected] run on the iMac when trying to connect to the Mac Mini:

    $ ssh -vvv [email protected]
    OpenSSH_9.6p1, LibreSSL 3.3.6
    [omitting a very long log file with no useful information as this website has a character limit and I would exceed it if I kept this here]
    debug3: kex_input_ext_info: extension [email protected]
    debug1: kex_ext_info_check_ver: [email protected]=<0>
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 1
    Received disconnect from 192.168.4.7 port 22:2: no authentication methods enabled
    Disconnected from 192.168.4.7 port 22

...nothing terribly helpful there. Checking the logs on the Mac Mini:

    $ journalctl --since "1 hour ago"
    Jul 09 06:50:05 docker1 sshd[10682]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive"
    Jul 09 06:50:05 docker1 sshd[10682]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping
    Jul 09 06:50:05 docker1 sshd[10682]: error: No AuthenticationMethods left after eliminating disabled methods
    Jul 09 06:50:05 docker1 sshd[10682]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive" [preauth]
    Jul 09 06:50:05 docker1 sshd[10682]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping [preauth]
    Jul 09 06:50:05 docker1 sshd[10682]: error: No AuthenticationMethods left after eliminating disabled methods [preauth]
    Jul 09 06:50:05 docker1 sshd[10682]: Disconnecting authenticating user david 192.168.4.6 port 50344: no authentication methods enabled [preauth]
    Jul 09 06:53:00 docker1 sshd[10702]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive"
    Jul 09 06:53:00 docker1 sshd[10702]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping
    Jul 09 06:53:00 docker1 sshd[10702]: error: No AuthenticationMethods left after eliminating disabled methods
    Jul 09 06:53:00 docker1 sshd[10702]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive" [preauth]
    Jul 09 06:53:00 docker1 sshd[10702]: Authentication methods list "publickey,keyboard-interactive" contains disabled method, skipping [preauth]
    Jul 09 06:53:00 docker1 sshd[10702]: error: No AuthenticationMethods left after eliminating disabled methods [preauth]
    Jul 09 06:53:00 docker1 sshd[10702]: Disconnecting authenticating user david 192.168.4.6 port 50587: no authentication methods enabled [preauth]

Ah-hah!

Did some Googling, found this, and specifically noted the quote regarding "KbdInteractiveAuthentication".

I then went into /etc/ssh/sshd_config and changed KbdInteractiveAuthentication from no to yes. I also commented out the line ChallengeResponseAuthentication yes, as this seems to be deprecated.

systemctl restart sshd 

I then attempted to log in again. I got closer; I was asked for the passphrase and for the Google Authenticator code. However, the Google Authenticator code was repeatedly rejected, and I was unable to log in.

    $ ssh -vvv [email protected]
    OpenSSH_9.6p1, LibreSSL 3.3.6
    debug1: Reading configuration data /Users/david/.ssh/config
    debug1: /Users/david/.ssh/config line 1: Applying options for 192.168.4.7
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
    debug1: /etc/ssh/ssh_config line 54: Applying options for *
    debug2: resolve_canonicalize: hostname 192.168.4.7 is address
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/david/.ssh/known_hosts'
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/david/.ssh/known_hosts2'
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug3: channel_clear_timeouts: clearing
    debug3: ssh_connect_direct: entering
    debug1: Connecting to 192.168.4.7 [192.168.4.7] port 22.
    debug3: set_sock_tos: set socket 3 IP_TOS 0x48
    debug1: Connection established.
    debug1: identity file /Users/david/.ssh/docker1_id_rsa type 0
    debug1: identity file /Users/david/.ssh/docker1_id_rsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_9.6
    debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u3
    debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u3 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 192.168.4.7:22 as 'david'
    debug3: record_hostkey: found key type ED25519 in file /Users/david/.ssh/known_hosts:31
    debug3: record_hostkey: found key type RSA in file /Users/david/.ssh/known_hosts:32
    debug3: record_hostkey: found key type ECDSA in file /Users/david/.ssh/known_hosts:33
    debug3: load_hostkeys_file: loaded 3 keys from 192.168.4.7
    debug1: load_hostkeys: fopen /Users/david/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug3: order_hostkeyalgs: have matching best-preference key type [email protected], using HostkeyAlgorithms verbatim
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected]
    debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected],zlib
    debug2: compression stoc: none,[email protected],zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,[email protected]
    debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected]
    debug2: compression stoc: none,[email protected]
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug3: kex_choose_conf: will use strict KEX ordering
    debug1: kex: algorithm: [email protected]
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:YqWOIqPh7NqasxGY07Yef+WDD52F/48qBkbiWlQxIE8
    debug3: record_hostkey: found key type ED25519 in file /Users/david/.ssh/known_hosts:31
    debug3: record_hostkey: found key type RSA in file /Users/david/.ssh/known_hosts:32
    debug3: record_hostkey: found key type ECDSA in file /Users/david/.ssh/known_hosts:33
    debug3: load_hostkeys_file: loaded 3 keys from 192.168.4.7
    debug1: load_hostkeys: fopen /Users/david/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host '192.168.4.7' is known and matches the ED25519 host key.
    debug1: Found key in /Users/david/.ssh/known_hosts:31
    debug3: send packet: type 21
    debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
    debug2: ssh_set_newkeys: mode 1
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: ssh_packet_read_poll2: resetting read seqnr 3
    debug1: SSH2_MSG_NEWKEYS received
    debug2: ssh_set_newkeys: mode 0
    debug1: rekey in after 134217728 blocks
    debug3: send packet: type 5
    debug3: receive packet: type 7
    debug1: SSH2_MSG_EXT_INFO received
    debug3: kex_input_ext_info: extension server-sig-algs
    debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
    debug3: kex_input_ext_info: extension [email protected]
    debug1: kex_ext_info_check_ver: [email protected]=<0>
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey
    debug3: start over, passed a different list publickey
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug3: ssh_get_authentication_socket_path: path '/private/tmp/com.apple.launchd.7ZPATgtfUu/Listeners'
    debug1: get_agent_identities: bound agent to hostkey
    debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
    debug1: Will attempt key: /Users/david/.ssh/docker1_id_rsa RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0 explicit
    debug2: pubkey_prepare: done
    debug1: Offering public key: /Users/david/.ssh/docker1_id_rsa RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0 explicit
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: /Users/david/.ssh/docker1_id_rsa RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0 explicit
    debug3: sign_and_send_pubkey: using [email protected] with RSA SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0
    debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:Pk6ndbhbaLetYzTmHflWGqvG8gaO7CIyUp/XcpRT4S0
    Enter passphrase for key '/Users/david/.ssh/docker1_id_rsa':
    debug2: bad passphrase given, try again...
    Enter passphrase for key '/Users/david/.ssh/docker1_id_rsa':
    debug3: send packet: type 50
    debug3: receive packet: type 51
    Authenticated using "publickey" with partial success.
    debug1: Authentications that can continue: keyboard-interactive
    debug3: start over, passed a different list keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug3: send packet: type 50
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug3: receive packet: type 60
    debug2: input_userauth_info_req: entering
    debug2: input_userauth_info_req: num_prompts 1
    ([email protected]) Verification code:
    debug3: send packet: type 61
    debug3: receive packet: type 51
    debug1: Authentications that can continue: keyboard-interactive
    debug2: userauth_kbdint
    debug3: send packet: type 50
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug3: receive packet: type 60
    debug2: input_userauth_info_req: entering
    debug2: input_userauth_info_req: num_prompts 1
    ([email protected]) Verification code:
    debug3: send packet: type 61
    debug3: receive packet: type 51
    debug1: Authentications that can continue: keyboard-interactive
    debug2: userauth_kbdint
    debug3: send packet: type 50
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug3: receive packet: type 60
    debug2: input_userauth_info_req: entering
    debug2: input_userauth_info_req: num_prompts 1
    ([email protected]) Verification code:
    debug3: send packet: type 61
    debug3: receive packet: type 51
    debug1: Authentications that can continue: keyboard-interactive
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    [email protected]: Permission denied (keyboard-interactive).

On the Mac Mini:

    journalctl --since "2 minutes ago"
    Jul 09 07:20:18 docker1 sshd(pam_google_authenticator)[10989]: Failed to read "/home/david/.google_authenticator" for "david"
    Jul 09 07:20:18 docker1 sshd(pam_google_authenticator)[10989]: No secret configured for user david, asking for code anyway.
    Jul 09 07:20:25 docker1 sshd(pam_google_authenticator)[10989]: Invalid verification code for david
    Jul 09 07:20:25 docker1 sshd[10987]: error: PAM: Authentication failure for david from 192.168.4.6
    Jul 09 07:20:25 docker1 sshd(pam_google_authenticator)[10993]: Failed to read "/home/david/.google_authenticator" for "david"
    Jul 09 07:20:25 docker1 sshd(pam_google_authenticator)[10993]: No secret configured for user david, asking for code anyway.
    Jul 09 07:20:33 docker1 sshd(pam_google_authenticator)[10993]: Invalid verification code for david
    Jul 09 07:20:33 docker1 sshd[10987]: error: PAM: Authentication failure for david from 192.168.4.6
    Jul 09 07:20:33 docker1 sshd(pam_google_authenticator)[10996]: Failed to read "/home/david/.google_authenticator" for "david"
    Jul 09 07:20:33 docker1 sshd(pam_google_authenticator)[10996]: No secret configured for user david, asking for code anyway.
    Jul 09 07:20:42 docker1 sshd(pam_google_authenticator)[10996]: Invalid verification code for david
    Jul 09 07:20:42 docker1 sshd[10987]: error: PAM: Authentication failure for david from 192.168.4.6
    Jul 09 07:20:42 docker1 sshd[10987]: Connection closed by authenticating user david 192.168.4.6 port 52983 [preauth]

I then ran ls -asl inside /home/david/ and realised /home/david/.google_authenticator doesn't even exist.

Some more Googling, eventually I found this and realised that I ran the Google Authenticator configuration/setup when logged in as the root user, not the david user. Checking /root/, I found the .google_authenticator file in there. I hadn't realised that the Google Authenticator configuration was supposed to be run as the user that needs that authentication method. In hindsight, if I had actually used my eyes, this should've been obvious, because the description for the code in the Google Authenticator app shows root@hostname, not david@hostname.

    su david
    google-authenticator
(Answer yes to everything and create a new code)

I then tried to log in once more, and this time, I was asked for the passphrase and the Google Authenticator code, and I was able to log in successfully.

  • Does anything get logged about this? Have you checked your syslog or journal? Have you tried increasing the verbosity of the sshd so it might log some more useful results? Commented Jul 8, 2024 at 18:08
  • Thank you Zoredache. You prompted me to figure out the problem. I ran google-authenticator when logged in as the root user when first setting that up. This created the .google_authenticator inside /root/ instead of /home/david/. I should've run it as my normal user account instead. Problem solved! Commented Jul 8, 2024 at 21:59

1 Answer


I ran google-authenticator when logged in as the root user. I should've run it as my normal user account instead.

  • (I will mark this as the accepted answer in 24 hours when I am allowed to do so) Commented Jul 8, 2024 at 22:11
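As an added example (not part of the original question or answer, and not tooling from the google-authenticator project), here is a POSIX shell script that checks the three things this thread turned on: the effective sshd settings, the PAM stack for sshd, and where the per-user secret lives. `sshd -T -C user=david` is the real way to dump the settings sshd will apply to a given user, Match blocks included, but the script reads that output from a file so it can run offline. The user name "david" and the Debian 12 file layout are assumptions taken from the question, and every sample file the script builds under a temporary directory is constructed, not a capture.

```shell
#!/bin/sh
# Added example, not code from the original post or from the
# google-authenticator project. It checks the three things the question
# turned on: effective sshd settings, the PAM stack, and where the secret
# lives. The user name "david" and the Debian file layout are assumptions
# taken from the question; the sample inputs below are constructed.

# 1. Effective sshd settings. On the server run
#      sshd -T -C user=david > /tmp/sshd-effective.txt
#    and pass that file; -C applies the Match blocks for that user and the
#    keywords come out lowercase. Reading a file keeps the example offline.
check_sshd_effective() {
    f="$1"
    grep -qix 'usepam yes' "$f" \
        || { echo "UsePAM is not yes: PAM modules never run" >&2; return 1; }
    # This is the setting behind 'Disabled method "keyboard-interactive"' in the journal
    grep -qix 'kbdinteractiveauthentication yes' "$f" \
        || { echo "KbdInteractiveAuthentication is not yes: keyboard-interactive is dropped from AuthenticationMethods" >&2; return 1; }
    grep -qix 'authenticationmethods publickey,keyboard-interactive' "$f" \
        || { echo "AuthenticationMethods is not publickey,keyboard-interactive" >&2; return 1; }
    grep -qix 'passwordauthentication no' "$f" \
        || { echo "PasswordAuthentication is still yes" >&2; return 1; }
    return 0
}

# 2. /etc/pam.d/sshd must require the TOTP module and must not also pull in
#    common-auth, otherwise PAM asks for the Unix password as well.
check_pam_sshd() {
    f="$1"
    grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$f" \
        || { echo "pam_google_authenticator.so is not required in $f" >&2; return 1; }
    if grep -qE '^[[:space:]]*@include[[:space:]]+common-auth' "$f"; then
        echo "common-auth is still active in $f" >&2; return 1
    fi
    return 0
}

# 3. The secret must be in the logging-in user's own home, owned by that
#    user and unreadable by anyone else. Running google-authenticator as
#    root writes /root/.google_authenticator instead, which is the failure
#    in the post ("Failed to read /home/david/.google_authenticator").
check_secret() {
    home="$1"; user="$2"; s="$home/.google_authenticator"
    [ -f "$s" ] || { echo "no $s: run google-authenticator as $user, not as root" >&2; return 1; }
    [ -n "$(find "$s" -user "$user" 2>/dev/null)" ] \
        || { echo "$s is not owned by $user" >&2; return 1; }
    [ -z "$(find "$s" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ] \
        || { echo "$s is readable by group or others" >&2; return 1; }
    return 0
}

# --- constructed sample input, mirroring the states in the question ------
DEMO="$(mktemp -d)"
ME="$(id -un)"   # stands in for "david" so the ownership check works here

printf '%s\n' 'usepam yes' 'kbdinteractiveauthentication no' \
    'passwordauthentication no' 'authenticationmethods publickey,keyboard-interactive' \
    > "$DEMO/sshd-before.txt"   # config that produced "no authentication methods enabled"
printf '%s\n' 'usepam yes' 'kbdinteractiveauthentication yes' \
    'passwordauthentication no' 'authenticationmethods publickey,keyboard-interactive' \
    > "$DEMO/sshd-after.txt"    # after KbdInteractiveAuthentication was set to yes

printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$DEMO/pam-bad"
printf '%s\n' '#@include common-auth' 'auth required pam_google_authenticator.so' > "$DEMO/pam-ok"

mkdir -p "$DEMO/home-empty" "$DEMO/home-ok"
# placeholder secret; the real file is written by google-authenticator with mode 0400
printf '%s\n' 'NOTAREALSECRET' '" RATE_LIMIT 3 30' '" TOTP_AUTH' > "$DEMO/home-ok/.google_authenticator"
chmod 0400 "$DEMO/home-ok/.google_authenticator"

# --- walk through the post's states ---------------------------------------
check_sshd_effective "$DEMO/sshd-before.txt" || echo "before: refused, as in the first journal excerpt"
check_sshd_effective "$DEMO/sshd-after.txt"  && echo "after: sshd config OK"
check_pam_sshd "$DEMO/pam-bad" || echo "pam: still includes common-auth"
check_pam_sshd "$DEMO/pam-ok"  && echo "pam: OK"
check_secret "$DEMO/home-empty" "$ME" || echo "secret: missing, as in the second journal excerpt"
check_secret "$DEMO/home-ok"    "$ME" && echo "secret: OK"
```

On the real server you would point `check_sshd_effective` at the output of `sshd -T -C user=david`, `check_pam_sshd` at /etc/pam.d/sshd and `check_secret` at /home/david with the user name david. The ownership and mode checks matter beyond tidiness: the secret is the second factor, so it should be readable only by its owner, and a secret sitting in /root is not just in the wrong place, it is root's second factor, which is exactly what the root@hostname label in the authenticator app was showing.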
