
I'm trying to set Google-Authenticator (google 2 factor authentication).

The relevant files are:

    [root@srv01 ~]# cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_google_authenticator.so
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

    [root@srv01 ~]# egrep -v '^#' /etc/ssh/sshd_config | sed '/^$/d'
    Protocol 2
    SyslogFacility AUTHPRIV
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    X11Forwarding yes
    Subsystem sftp /usr/libexec/openssh/sftp-server
    UsePAM yes
    Match Address 10.13.0.*
        PermitRootLogin yes
        PasswordAuthentication yes

Following the guides over the internet, in order to enable Google-2fa you need to edit /etc/pam.d/sshd and add this line:

auth required pam_google_authenticator.so 

And then you need to edit /etc/ssh/sshd_config and change these lines as follows:

    PasswordAuthentication no
    ChallengeResponseAuthentication yes

In my case, Google 2FA works and allows the users who have configured google-authenticator to log in by providing both OTP and password, but when I try to connect to the root user on the machine from a machine in the same network my password is rejected (even though it's the correct password). When I try to connect to root@machine the issue looks like this:

    Using username "root".
    Using keyboard-interactive authentication.
    Password:
    Access denied
    Using keyboard-interactive authentication.
    Password:

And in /var/log/secure:

    sshd(pam_google_authenticator)[10990]: Failed to read "/root/.google_authenticator"

I never ran google_authenticator on root's user so I don't know why it's looking for it.

What I'm trying to achieve is as follows:

  1. I want "PermitRootLogin" to be set to "no" globally (when connecting to the server from the outside world), but set to "yes" if the remote machine's IP matches the rule that specifies the local network (as can be seen in the configuration file).

  2. I want the users who have configured google-2fa to still be able to log in by providing both OTP and password.

It could be that the line in /etc/pam.d/sshd is misplaced but I'm not sure where I should place it.

Does anyone know how to make it work with these rules?

  • SELinux context? Commented Jul 17, 2016 at 15:27
  • SELinux is disabled. Commented Jul 17, 2016 at 15:28

1 Answer

You missed one small detail from the manual:

nullok

Allow users to log in without OTP, if they haven't set up OTP yet.

Your pam.d/sshd file should include this:

auth required pam_google_authenticator.so nullok 

If you don't use nullok, all users without the google auth setup will be locked out. Using nullok, they can still login without 2FA until they configure it.
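Before changing the PAM stack, it is worth knowing exactly which accounts would be locked out (or, after adding nullok, which would silently skip OTP). The script below is an added example, not part of the question or the answer above: it reads a pam.d/sshd file and a passwd file (paths are parameters, so it can be run against copies; the function names, the treatment of nologin/false shells as non-interactive, and the sample files in the usage comment are assumptions of this example, not anything from the original post).

```shell
#!/bin/sh
# Added example (not from the original post): audit a pam.d/sshd stack for the
# google-authenticator lock-out described in the question.
#
# Usage (assumed file locations, run as root so home directories are readable):
#   . ./check_otp_lockout.sh
#   otp_mode /etc/pam.d/sshd
#   locked_out_users /etc/pam.d/sshd /etc/passwd

# otp_mode PAMFILE
# Prints one of:
#   absent    - no auth line loads pam_google_authenticator.so
#   nullok    - the module is loaded with nullok (users without a secret skip OTP)
#   required  - the module is loaded without nullok (users without a secret are rejected)
otp_mode() {
    pamfile=$1
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator\.so' "$pamfile" | head -n 1)
    if [ -z "$line" ]; then
        echo absent
    elif printf '%s\n' "$line" | grep -qw nullok; then
        echo nullok
    else
        echo required
    fi
}

# locked_out_users PAMFILE PASSWDFILE
# When OTP is "required", prints every account with an interactive shell whose
# home directory has no .google_authenticator file: these are the users (root
# included, since /root/.google_authenticator is what the log complains about)
# that sshd will reject with "Access denied" even on a correct password.
# Prints nothing when the mode is "absent" or "nullok".
locked_out_users() {
    pamfile=$1
    passwdfile=$2
    [ "$(otp_mode "$pamfile")" = required ] || return 0
    # passwd fields: name:passwd:uid:gid:gecos:home:shell
    while IFS=: read -r user _ _ _ _ home shell; do
        case "$shell" in
            */nologin|*/false) continue ;;   # assumption: these cannot log in anyway
        esac
        [ -f "$home/.google_authenticator" ] || echo "$user"
    done < "$passwdfile"
}
```

Read the output in both directions: with the stack from the question it is the list of accounts that cannot log in until they run google-authenticator, and once nullok is added it is the list of accounts that authenticate with password only, because nullok makes OTP opt-in for exactly those users.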
