amigan_99
asked on
SSH to Linux Host with PIN 2 Factor MS Auth
I am trying to add 2-factor authentication on a Linux host. It is sending a RADIUS request to
an MS RADIUS server which is somehow connected to the MS Authenticator app which I have
on my iPhone. I have it working to where, if I ssh to the Linux host with my AD UID and PW,
a message goes to my Authenticator app on the iPhone, which I confirm, and then I'm in.
BUT - some of my colleagues have Authenticator set up so that they get a PIN rather than
just a confirmation number. Is there a way for SSH to work with this variant of 2-factor
authentication with the MS Authenticator app?
The setup for that must be completely within the RADIUS domain.
SSH asks the user for username and password and (probably using a PAM module) does a RADIUS request (only ONE, carrying all the info: username, password, ...); the answer is Accept or Deny and is the final verdict. (There is no other interaction on RADIUS, no conversation.)
The RADIUS server decides how to resolve the given username, password (and possibly other info). In your case it decides to contact your iPhone; for the others it apparently requests more info through other means. So inspect the RADIUS server config / AD LDAP tree for differences between the accounts to find out how to solve this.
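To make the exchange above concrete, here is an added example (not code from the thread or from any Microsoft or pam_radius component) of the RADIUS PAP dialogue as RFC 2865 defines it: the NAS side sends one Access-Request with User-Name and a hidden User-Password, and the server answers Access-Accept or Access-Reject. RFC 2865 also defines Access-Challenge (code 11), which a server can return with a State attribute when it still needs more input such as a PIN; the client then re-sends the request carrying the PIN and the echoed State. The mock server, the shared secret, the user names, passwords and PIN are all constructed test values; whether the PAM module on your host passes a challenge through to the SSH prompt is something to check in that module's documentation.

```python
"""Minimal RFC 2865 RADIUS PAP exchange against an in-process mock server.
Added example: one Access-Request from the NAS/PAM side, answered with
Accept, Reject, or a Challenge that asks for a PIN (constructed values)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"constructed-shared-secret"  # constructed test value, not a real secret
# Constructed directory: alice is accepted on password alone (the server would do
# the push approval itself); bob must additionally answer a PIN challenge.
USERS = {b"alice": (b"pw-alice", None), b"bob": (b"pw-bob", b"482913")}


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type(1) Length(1) Value, length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack_from("!BB", data, i)
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt)
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def mock_server(pkt, secret, pending):
    """Stand-in for the RADIUS server: per user, decide whether the password is
    enough or whether a PIN has to be collected through Access-Challenge."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)

    def reply(rcode, rattrs=()):
        rattrs = list(rattrs)
        auth = response_authenticator(rcode, ident, rattrs, req_auth, secret)
        return build_packet(rcode, ident, auth, rattrs)

    entry = USERS.get(a.get(USER_NAME))
    if code != ACCESS_REQUEST or entry is None or USER_PASSWORD not in a:
        return reply(ACCESS_REJECT)
    password, pin = entry
    supplied = unhide_password(a[USER_PASSWORD], secret, req_auth)
    if STATE in a:  # second round: the hidden field now carries the PIN
        ok = pending.pop(a[STATE], None) == a[USER_NAME] and supplied == pin
        return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
    if supplied != password:
        return reply(ACCESS_REJECT)
    if pin is None:
        return reply(ACCESS_ACCEPT)
    token = os.urandom(8)  # opaque State the client must echo back
    pending[token] = a[USER_NAME]
    return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter your PIN: "), (STATE, token)])


def authenticate(user, password, secret=SECRET, pin=None, server=mock_server):
    """NAS/PAM side. One Access-Request; if the server challenges, re-send once
    with the PIN and the echoed State. Returns the final RADIUS code."""
    pending, attrs, answer = {}, [(USER_NAME, user)], password
    for ident in (1, 2):  # at most one challenge round, so a rogue server cannot loop us
        req_auth = os.urandom(16)
        hidden = hide_password(answer, secret, req_auth)
        req = build_packet(ACCESS_REQUEST, ident, req_auth, attrs + [(USER_PASSWORD, hidden)])
        code, rid, rauth, rattrs = parse_packet(server(req, secret, pending))
        if rid != ident or rauth != response_authenticator(code, rid, rattrs, req_auth, secret):
            raise ValueError("reply failed Response Authenticator check (wrong secret or spoofed reply)")
        if code != ACCESS_CHALLENGE:
            return code
        if pin is None or STATE not in dict(rattrs):  # nothing to answer with: deny
            return ACCESS_REJECT
        attrs, answer = [(USER_NAME, user), (STATE, dict(rattrs)[STATE])], pin
    return ACCESS_REJECT
```

Two things worth noticing when reading it against a real deployment: the PAM module is the "NAS" here, so it is the PAM module, not sshd, that has to understand code 11 and turn Reply-Message into a second prompt; and every reply is checked against the Response Authenticator, which is the only thing binding an Accept to your shared secret on a UDP transport.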
ASKER CERTIFIED SOLUTION
I'm not sure there is an out-of-the-box solution for this, however you can set up SSH key authentication in conjunction with MFA.
Cheers
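As an added example of the key-plus-MFA setup suggested above (not configuration from the thread or from any vendor), the script below renders and stages the three files involved: an sshd drop-in that requires a public key AND a PAM keyboard-interactive step, a /etc/pam.d/sshd that hands authentication to pam_radius_auth, and the pam_radius_auth.conf that names the RADIUS server. It also includes a small checker for the sshd settings that most often leave the MFA step bypassable. Assumptions, stated as such: a Debian-style PAM stack using @include, an OpenSSH that honours Include /etc/ssh/sshd_config.d/*.conf and KbdInteractiveAuthentication (8.7 or later; older releases spell it ChallengeResponseAuthentication), pam_radius_auth installed, and placeholder values for the RADIUS address and shared secret. Files are written under a staging root so they can be reviewed before being copied into /etc.

```python
"""Stage sshd + PAM + pam_radius_auth configuration for key-plus-MFA logins.
Added example with placeholder server address and secret; review the staged
files, then copy them into /etc and restart sshd."""
import os
import tempfile

SSHD_DROPIN = """\
# 50-mfa.conf: an SSH key AND the PAM (RADIUS) keyboard-interactive step are both required.
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
# A push approval on the phone can take a while; do not drop the login before it arrives.
LoginGraceTime 90
"""

PAM_SSHD = """\
# /etc/pam.d/sshd: the RADIUS server (AD password + MFA) is the only authenticator.
auth     required   pam_radius_auth.so
@include common-account
@include common-session
@include common-password
"""


def pam_radius_conf(server, secret, timeout=60):
    """One pam_radius_auth.conf line: server[:port] shared_secret timeout.
    The timeout must outlast the push/PIN round trip, or every login fails."""
    if not secret or any(c.isspace() for c in secret):
        raise ValueError("shared secret must be non-empty and contain no whitespace")
    return f"# server[:port]\tshared_secret\ttimeout\n{server}:1812\t{secret}\t{timeout}\n"


def stage(root, server="radius.example.invalid", secret="CHANGE-ME"):
    """Write the three files under root with the modes they need in /etc.
    Returns {relative path: absolute path}."""
    files = {
        "ssh/sshd_config.d/50-mfa.conf": (SSHD_DROPIN, 0o644),
        "pam.d/sshd": (PAM_SSHD, 0o644),
        "pam_radius_auth.conf": (pam_radius_conf(server, secret), 0o600),  # holds the secret
    }
    out = {}
    for rel, (text, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)
        out[rel] = path
    return out


def audit_sshd(text):
    """Return a list of findings for an sshd_config fragment; empty means the
    MFA step cannot be skipped by picking a different authentication method."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()  # last occurrence wins, as in sshd for Match-less configs
    findings = []
    if conf.get("usepam") != "yes":
        findings.append("UsePAM must be yes or pam_radius_auth never runs")
    if conf.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication should be no: the RADIUS step is done via keyboard-interactive")
    if conf.get("kbdinteractiveauthentication", conf.get("challengeresponseauthentication")) != "yes":
        findings.append("KbdInteractiveAuthentication (or ChallengeResponseAuthentication) must be yes")
    groups = [[m.split(":")[0] for m in g.split(",")] for g in conf.get("authenticationmethods", "").split()]
    if not groups or any(not {"publickey", "keyboard-interactive"} <= set(g) for g in groups):
        findings.append("AuthenticationMethods must require publickey AND keyboard-interactive in every group")
    return findings


def secret_file_mode(paths):
    """Mode bits of the staged pam_radius_auth.conf (should be 0o600)."""
    return os.stat(paths["pam_radius_auth.conf"]).st_mode & 0o777


if __name__ == "__main__":
    staged = stage(tempfile.mkdtemp(prefix="ssh-mfa-"))
    for rel, path in staged.items():
        print(rel, "->", path)
    print("sshd drop-in findings:", audit_sshd(SSHD_DROPIN) or "none")
```

The point of the AuthenticationMethods line is that sshd demands the listed methods in sequence, so a stolen key alone or a phished password alone is not enough; the audit deliberately rejects configurations such as "publickey keyboard-interactive" (two alternatives, either sufficient) that look similar but let a client pick the weaker path.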