(4 intermediate revisions by 3 users not shown)

#REDIRECT[[HOWTO OpenSSH 2FA with password and Google Authenticator]]

== Configure OpenSSH to use PAM ==
OpenSSH can hand its authentication duties to PAM, which works well with the {{pkg|google-authenticator}} package.

{{cmd|# apk add google-authenticator openssh-server-pam}}

First, configure the SSH daemon to use PAM authentication:

{{cmd|# cat /etc/ssh/sshd_config}}

<pre>
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes
</pre>

{{Note|This configuration does NOT allow password authentication globally: every login must first succeed with a public key and then with keyboard-interactive (the verification code prompt).}}

Then configure PAM by adding the following lines, which pull in the google-authenticator PAM stack for the second authentication step:

* For Alpine 3.14 or newer:<br>

{{cmd|# cat /etc/pam.d/sshd.pam #create the file if needed}}

* For Alpine 3.13 or older:

{{cmd|# cat /etc/pam.d/sshd #create the file if needed}}

<pre>
account include base-account

auth required pam_env.so
auth required pam_nologin.so successok
auth include google-authenticator
</pre>

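Two details of this setup are easy to get wrong: a commented-out <code>UsePAM</code> means sshd never calls PAM (so the verification code prompt never appears), and a PAM service file under the wrong name for the Alpine release is never read. The following POSIX sh script is an added example, not part of the HOWTO or of the google-authenticator project: it reads the first uncommented value of each directive (the one sshd actually uses), checks the four directives above, picks the PAM service file name from the release string in <code>/etc/alpine-release</code>, and confirms the PAM stack includes google-authenticator. The function names and the sample config files are mine (the samples are constructed inline); accepting <code>KbdInteractiveAuthentication</code> as an alias reflects the OpenSSH 8.7 rename and is an addition of this example.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: validate the sshd_config directives
# used above and pick the PAM service file name by Alpine release.
# Function names are my own; the sample files below are constructed.

# Print the first uncommented value of directive $2 in file $1.
# sshd uses the first occurrence of a keyword, so that is the one that counts.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 when $1 (an sshd_config) requires key + keyboard-interactive via PAM.
# Prints one line per problem found.
check_sshd_2fa() {
    cfg="$1"
    rc=0
    [ "$(get_directive "$cfg" UsePAM)" = "yes" ] \
        || { echo "UsePAM must be yes (a commented default skips PAM entirely)"; rc=1; }
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication and keeps the old name as an alias; accept either.
    if [ "$(get_directive "$cfg" ChallengeResponseAuthentication)" != "yes" ] \
       && [ "$(get_directive "$cfg" KbdInteractiveAuthentication)" != "yes" ]; then
        echo "ChallengeResponseAuthentication (or KbdInteractiveAuthentication) must be yes"
        rc=1
    fi
    case "$(get_directive "$cfg" AuthenticationMethods)" in
        publickey,keyboard-interactive*) ;;
        *) echo "AuthenticationMethods must start with publickey,keyboard-interactive"; rc=1 ;;
    esac
    # Not a failure, but worth seeing: the HOWTO config permits root logins.
    [ "$(get_directive "$cfg" PermitRootLogin)" = "yes" ] \
        && echo "note: PermitRootLogin yes (root may log in with key + code)"
    return $rc
}

# Print the PAM service file sshd will read, given an Alpine release string
# (the content of /etc/alpine-release, e.g. 3.14.2).
pam_service_file() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 14 ]; }; then
        echo /etc/pam.d/sshd.pam
    else
        echo /etc/pam.d/sshd
    fi
}

# Return 0 when the PAM service file $1 includes the google-authenticator stack.
check_pam_2fa() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+google-authenticator' "$1"
}

# Constructed sample files; on a real box use /etc/ssh/sshd_config and the path
# printed by pam_service_file instead. They are left in $tmp for inspection.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.good" <<'EOF'
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
#UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
EOF
cat > "$tmp/sshd.pam" <<'EOF'
account include base-account
auth required pam_env.so
auth required pam_nologin.so successok
auth include google-authenticator
EOF

check_sshd_2fa "$tmp/sshd_config.good" && echo "good config: OK"
check_sshd_2fa "$tmp/sshd_config.bad" || echo "bad config: rejected"
echo "PAM file for Alpine 3.14.2: $(pam_service_file 3.14.2)"
check_pam_2fa "$tmp/sshd.pam" && echo "PAM stack includes google-authenticator"
```

Run it before restarting sshd, and keep an existing session open while you test the new configuration so a mistake does not lock you out.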
== Time-based One Time Password authentication (TOTP RFC 6238) ==

As user root:

{{cmd|# google-authenticator}}

{{Note|Please take note of <secret>}}

<pre>
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/<pruned>
Your new secret key is: <secret>
Your verification code is <pruned>
Your emergency scratch codes are:
<pruned>
<pruned>
<pruned>
<pruned>
<pruned>

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) n
</pre>

{{Tip|You might want to answer questions 2, 3 and 4 differently depending on your level of paranoia and your firewall settings :)}}

Re-run <code>google-authenticator</code> for each user that needs to log in via SSH. Don't forget to include the <code>.google_authenticator</code> files in your [[Alpine_local_backup|LBU]] if you're running from RAM.

== Authentication token ==

Download the '''Google Authenticator''' app from your ''App Store''. Start the '''Google Authenticator''' app and enter your <secret> key manually.

== Login ==

{{cmd|$ ssh -v root@yourbox}}

You should see the last lines saying:

<pre>
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Verification code:
</pre>

<code>Authenticated with partial success</code> means that public-key authentication succeeded and sshd is now asking, through PAM, for the verification code generated by the '''Google Authenticator''' app.

[[Category:Authentication]]