badwolfff

Google two-factor authentication not working on my Ubuntu 14.04 LAMP server

Hi,
I have a Ubuntu 14.04 x64 server and I followed all your steps.
Since I have only one user on my server (I have disabled root login) and I already do an SSH login with that username, I ran the google-authenticator command logged in as user lupocatttivo@octane (lupocatttivo = username, octane = machine name):
lupocatttivo@octane:~$ google-authenticator


The only change I made is to the command: /etc/init.d/ssh restart
I used sudo service ssh restart instead as the above command did nothing (with or without "sudo" in front of it).

The procedure seemed to run smoothly, including the QR code generation etc. Then I rebooted the server and when asked to log in I entered the username "lupocatttivo" and it logged in as usual without asking me for any other code or password:

login as: lupocatttivo
Authenticating with public key "my-home-pc"
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.15.4-x86_64-linode45 x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Thu Aug 14 02:20:31 2014


What am I doing wrong? Any help would be appreciated.

Thanks in advance
Last Comment
badwolfff

8/22/2022 - Mon
badwolfff

ASKER
I found this article which, although slightly outdated, seems to be saying that what I am trying to do - make ssh key based authentication and google two-factor authentication to work together - is impossible?:

https://code.google.com/p/google-authenticator/issues/detail?id=40

Please someone comment. Has no one had any similar problem?
Entering into my server without the private key is impossible but if that got stolen it is easy.
I wanted to have that level of protection and add a second layer on top by inserting a google authenticator code.
Together it would be impossible for someone to get in.

If this is impossible, are there any other suggestions to create a two-factor authentication using any other reliable method that might work on Ubuntu 14.04 and work alongside SSH key-based authentication?

thanks in advance
Gerwin Jansen

Did you register yourself for the Ubuntu 2 factor authentication beta test?

According to this article: https://help.ubuntu.com/community/SSO/FAQs/2FA you need to register yourself for the beta test here: https://launchpad.net/~sso-2f-testers
badwolfff

ASKER
Hi,
No I did not register but I don't see any direct connection between registering on a forum and having a software behave on a server. Plus on the website you indicate the description starts with:

"Two factor authentication increases computer security further than just a user name and password. In addition to a password (the first factor) you need something else in order to access a system. "

If I am not mistaken, it means the first layer is comprised of login + password and the second is Google authentication.
There is no mention at all of any compatibility with SSH public key authentication.

Please correct me if I am wrong.

thanks again
Gerwin Jansen

>> Please correct me if I am wrong.
I will do some testing as well and let you know.
Gerwin Jansen

You're right, registration is not needed. I've configured a VM with Ubuntu 14.04 and then did the following:

$ sudo apt-get install libpam-google-authenticator
$ google-authenticator
( answered all questions with Yes, scanned the QR code with my phone that has the Google Authenticator app installed, added gerwin@ub1404test)

Installed lightdm through Ubuntu Software Center (for testing).

# cd /etc/pam.d
# vi lightdm
( added: auth required pam_google_authenticator.so nullok )

Restarted and logged on with user and password, then got prompt for authentication code, looked up the current code on my phone and the logon worked.

For ssh I had to change 2 things:

# cd /etc/pam.d
# vi sshd
( added: auth required pam_google_authenticator.so)
# cd /etc/ssh
# vi sshd_config
( edited: ChallengeResponseAuthentication yes )

# service sshd restart

Then tried logging in with PuTTY to the VM Ubuntu machine, which worked:

[Screenshot: 2 factor authentication in Ubuntu 14.04]

Note that if you leave out the nullok at the end of the auth config line then the users must use 2 factor authentication.
badwolfff

ASKER
Hi Gerwin,

thanks for going through all this trouble for me!

So let me get this straight.

1.

I don't see that from your screenshot so I am assuming you got the SSH public key auth working together with Google Two-Factor Authentication. Am I right?

2.

If yes, then did you get asked first the login, then the password and then the google auth code, or just the login and the google auth key?
I ask this as on my box I have passwordauthentication turned to OFF at the moment. Do I need to turn it on?

3.

May I review the procedure for you to confirm?:
$ sudo apt-get install libpam-google-authenticator
$ google-authenticator
Answered all with yes, scan code with iPhone Google Auth app

# cd /etc/pam.d
# vi lightdm
insert into it:
auth required pam_google_authenticator.so nullok

# cd /etc/pam.d
# vi sshd
insert into it:
auth required pam_google_authenticator.so

# cd /etc/ssh
# vi sshd_config
change to:
ChallengeResponseAuthentication yes
# service sshd restart

Sorry about the pedantic, long-winded question but I can hardly believe you managed to do it. On two other fora I had no success, I even wrote to google and tried to search everywhere for an answer. If you could please confirm all of the above, I can get down to it straight away :D

thanks again
Gerwin Jansen

>> thanks for going through all this trouble for me!
No problem at all ;)

>> I don't see that from your screenshot so I am assuming you got the SSH public key auth working together with Google Two-Factor Authentication. Am I right?
No, I did not set up ssh public keys yet, I'll give it a go. The screenshot shows that I'm using keyboard-interactive authentication, so I'm just typing the password. And the verification code after that (Google Authenticator).

>> I have passwordauthentication turned to OFF
Where did you turn that off exactly?

>> May I review the procedure for you to confirm?:
- Your iPhone is my Android device
- The 2 inserts - I just added the lines at the end of the 2 config files.

Going to setup ssh keys, get back to you after that.
badwolfff

ASKER
sudo nano /etc/ssh/sshd_config

PasswordAuthentication no
PermitRootLogin no


My settings are as above

thanks again
Gerwin Jansen

Hmm, with ssh keys setup, I also get no prompt for the verification code. Found a sample (same forum you looked probably) with OATH and Google 2FA - did not get this to work yet with ssh-keys and 2FA. Will do some more investigating. For now, using keyboard-interactive, I get the 2FA and for the GUI login in Ubuntu. Not for ssh keys (yet).
badwolfff

ASKER
There you are! This however does not correspond with so many online tutorials! Either most people are just talking through their hats and this doesn't work or it is time someone found out how :)

thanks
Gerwin Jansen

Did some more testing, got a configuration that lets me use ssh keys together with password + verification code. Not ssh keys + verification code only. Manual of sshd_config says that there must be a possibility by using AuthenticationMethods (which I used for the test above):

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config&sec=5

Think that I have to configure the pam for google-authenticator like this:

AuthenticationMethods publickey,keyboard-interactive:pam

where the pam must refer to the google-authenticator.

I did not manage to get this working as of yet.
badwolfff

ASKER
Thanks
The damn problem is that in theory it should work...
Gerwin Jansen

Correct, found a guy that claims it is working, not much different from what I've tried so far but doesn't work (for me).
badwolfff

ASKER
Is it different from what we've been doing?
It seems he's added a couple more params in the config file like:

PermitEmptyPasswords no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

and also in /etc/pam.conf he's specified the .so path more precisely
sshd    auth required          /ec/lib/security/pam_google_authenticator.so

I'll try this out too, perhaps his details make the difference.
Compare notes later?

thanks
Gerwin Jansen

I've tried the setting in pam.conf (with the correct path) and the other parameters as well, no effect. I'll see if I can find some help from OpenSSH, or maybe just try the same setup with Fedora.
badwolfff

ASKER
Yes you are right. I tried it just now too and the damn SSH key bypasses all other types of authentication.
In fact I even set passwordAuthentication to yes and rebooted the server, but still no password was asked.
Instead, when I start PuTTY, if I try to log in as a user that does not have an SSH key (for example, root user, even though in my case the root login is off), then I get asked for the password as well as the google key (with or without passwordAuthentication set to off). Of course, since my root user is disabled, I get asked all this but then it fails.
So I don't know if my experiments add anything to yours but that's what I found out.
Gerwin Jansen

I've tested on Fedora (20) as well, same issue there. It looks to me like these are the possibilities:
(with google authenticator enabled)

1 - (password + verification code)
2 - ssh keys
3 - ssh keys + (password + verification code)

I'm thinking (opinion) that option 1 would give you perfect 2 factor authentication whereas option 3 would be a bit 'too much'. Your desired option would be this:

4. ssh keys + (verification code)

For option 4 I've been doing some investigation and found no working solution so far, even where the OpenSSH documentation mentions that with the option AuthenticationMethods this combination can be used: publickey,keyboard-interactive:pam - the issue is that keyboard-interactive automatically means password the way I understand it.

Did you do some further testing? What are your thoughts on this? I'd like to know if that 4th option is possible but that would require posting questions at google or OpenSSH to gather details, this will take some time (tbd).
badwolfff

ASKER
Thank you so much for all your effort. I wrote to google but got no reply. I have come across an equivalent alternative. If you are available we could both test and see if that works:
https://www.digitalocean.com/community/tutorials/how-to-install-authy-and-configure-two-factor-authentication-for-ssh

The basic modus operandi is similar. Also since I use winscp as ftp I believe, or so it appears, that there might be a solution for logging into the sftp even with this second-factor auth: https://github.com/authy/authy-ssh#scp-mosh-and-git-push-with-two-factor-authentication

I think I will test it tomorrow when I get back in office. If you, in the meantime, would like to give it a whiz since you already have the environment all setup, by all means please do so. It would be great to find out if this works.

As per the last test you did, of all the combinations I tried the only ones I could manage to make work were:
1. SSH key and nothing else
2. Password + google authcode

I never got it to work as SSH KEY + PASSWORD + GOOGLE AUTH CODE. When I had the ssh public key active, with or without password set as active, PuTTY still bypassed all other forms. Did you have different results? I say so only because, even though it might be overkill, if it worked it would be great. It'd be like having a three-factor auth then. Any ideas?
Gerwin Jansen

>> I never got it to work as SSH KEY + PASSWORD + GOOGLE AUTH CODE. When I had the ssh public key active, with or without password set as active, PuTTY still bypassed all other forms. Did you have different results? I say so only because, even though it might be overkill, if it worked it would be great. It'd be like having a three-factor auth then. Any ideas?
Will post you the details of my setup later today.
ASKER CERTIFIED SOLUTION
Gerwin Jansen

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
badwolfff

ASKER
Yes, o god yes! It works! :)
You are a genius!
Thanks for your persistence!
badwolfff

ASKER
For the sake of everyone else's benefit, neither of us got the two-factor auth working for SSH Key + Google code.
As I have it now, it is a three-factor authentication, perhaps even more secure than any other possible combination:
ssh public key + google auth code + password.

In addition to Gerwin's notes, whoever desires to achieve the same results should follow the tutorial here:
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication

Should anyone manage the SSH key + google auth (without password) please write here as I remain curious.
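
Added example, not part of the thread and not written by its participants: a small Python check of the behaviour discussed above, reporting which factors sshd demands from a key holder for a given sshd_config and /etc/pam.d/sshd. The sample files are constructed from the settings quoted in the thread; the check assumes UsePAM yes, ChallengeResponseAuthentication yes, no Match blocks, and that common-auth prompts for the account password. The last sample (common-auth commented out) was not tested by anyone in the thread.

```python
# Added example: which factors does sshd demand from a user who holds a key?
# Assumes no Match blocks and that keyboard-interactive is served by PAM.

def sshd_options(text):
    """Parse sshd_config text; the first occurrence of a keyword wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1])
    return opts

def pam_auth_factors(pam_text):
    """Factors the PAM auth stack for sshd prompts for, in file order."""
    factors = []
    for line in pam_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[:2] == ["@include", "common-auth"]:
            factors.append("password")  # assumption: common-auth runs pam_unix
        elif fields[0] == "auth" and any(
                f.endswith("pam_google_authenticator.so") for f in fields):
            factors.append("totp")
    return factors

def key_login_factors(sshd_text, pam_text):
    """Return one factor list per login path open to a key holder."""
    methods = sshd_options(sshd_text).get("authenticationmethods", "any")
    if methods.lower() == "any":
        # Default: one successful method completes authentication, so a valid
        # key is accepted without the PAM auth stack being consulted.
        return [["publickey"]]
    paths = []
    for chain in methods.split():            # space-separated alternatives
        names = [m.split(":")[0] for m in chain.split(",")]  # all must pass
        if "publickey" in names:
            factors = []
            for name in names:
                factors += (pam_auth_factors(pam_text)
                            if name == "keyboard-interactive" else [name])
            paths.append(factors)
    return paths

# Constructed sample files modelled on the settings quoted in the thread.
SSHD_DEFAULT = ("PasswordAuthentication no\nPermitRootLogin no\n"
                "UsePAM yes\nChallengeResponseAuthentication yes\n")
SSHD_CHAINED = SSHD_DEFAULT + "AuthenticationMethods publickey,keyboard-interactive\n"
PAM_STOCK = "@include common-auth\nauth required pam_google_authenticator.so\n"
PAM_CODE_ONLY = "#@include common-auth\nauth required pam_google_authenticator.so\n"
```

`key_login_factors(SSHD_DEFAULT, PAM_STOCK)` reports the key alone, which is the bypass both posters observed; adding the AuthenticationMethods line yields key, password and code, the combination the asker ended up with.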