ETOOBUSY 🚀 minimal blogging for the impatient
I figured that two-factors authentications can be enabled in OpenSSH.
Like most of the things that I figure out, it was no secret around and I found plenty of tutorials and how-to-s once I managed to articulate my need to a search engine.
One useful guide I found is this article in Linode, which has to be followed with a grain of salt though, especially if we want to stick with public key authentication and the TOTP-based second factor. The things in the page are correct, but the instructions for the public-key part assume that the configuration for plain password authentication were already done too, which might not be the case if we’re aiming for key or certificate-based login as the first factor.
google-authentication, which in Debian boils down
# optionally... apt upgrade
apt install google-authenticator
google-authenticator program should be run and the page in
Linode does an excellent job at describing the
steps and providing suggested values.
Then we have the configuration part. In the Pluggable Authentication
Modules configuration for
sshd, available at
must disable plain password authentication and add the
# around the beginning of the file, comment the following line if not
# already commented out:
# @include common-auth
# then, around the bottom, *add* the following if not already there:
auth required pam_google_authenticator.so
NOTE before messing up with
sshd_configit’s hightly suggested to have a second connection to the target, in order to correct errors in case of failures.
OK, so now every time PAM is used by sshd we should pass through
google_authenticator. Still, we have to say this to
sshd, so in
We already saw the AuthenticationMethods… comma! This here means
first require public key authentication, and after is succeeds use
whatever is fine with PAM (that is,
After restring the daemon things should be set up:
# first make sure that everything's fine with sshd_config
sudo systemctl reload ssh
Last, it’s possible to restrict this to users or groups only, it will be
sufficient to move the
AuthenticationMethods configuration in an
ad-hoc section of
# plain users are OK with public-key authentication only
# others... need a bit more kick
Match User foobar
And after this… stay safe, folks!