
Configuring SSH MFA

Configuring SSH 2FA for Linux

  1. Generate a key pair on the client with ssh-keygen, and protect the private key with a passphrase (step 6 below prompts for it).

  2. Copy the public key to the VM (replace ubuntu@instance-name with your user and host):

cat ~/.ssh/id_rsa.pub | ssh ubuntu@instance-name "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

    The remote ~/.ssh directory and authorized_keys file must not be writable by anyone other than the user; sshd (with StrictModes, the default) ignores keys in files with looser permissions.

Configuring Authnull PAM Authenticator for SSH Login

  1. Log in to the VM and download the PAM module (pam_authenticator.so) and the did.sh script from https://authnull.com/downloads

    Note: If you fetch the files with wget from a shared-drive link, make sure the saved file is the shared object itself and not the HTML page that wraps the download link; a file that begins with HTML instead of the ELF header will not load as a PAM module.

  2. Move pam_authenticator.so to /usr/local/lib/security/ (create the security directory if it does not exist) and move did.sh to / (the root directory). The module runs inside sshd's PAM stack as root, so it and the script it ships with should be owned by root and not writable by any other user (for example mode 0644 for the module and 0755 for the script); a world-writable file in either place would let any local user run code as root at every login.

  3. Add the following two lines at the end of /etc/pam.d/sshd:

    auth required /usr/local/lib/security/pam_authenticator.so debug nullok
    auth required pam_permit.so

    and comment out the existing @include common-auth line (#@include common-auth). This removes /etc/pam.d/common-auth from the sshd stack, so the keyboard-interactive step is handled entirely by the Authnull module rather than by the system password check. The debug option makes the module log more detail (useful for step 6b); drop it once the setup works.

  4. For SSH key authentication, add the following to /etc/ssh/sshd_config:

    AuthenticationMethods publickey,keyboard-interactive
    KbdInteractiveAuthentication yes

    This requires every login to pass public-key authentication and then the PAM-backed keyboard-interactive step. sshd keeps the first value it sees for a keyword, so if KbdInteractiveAuthentication already appears earlier in the file, or in a drop-in under /etc/ssh/sshd_config.d/ pulled in by an Include line, change that line instead of appending a second one. On OpenSSH releases before 8.7 the same applies to ChallengeResponseAuthentication (set to no in Ubuntu's default config), which must also be yes; and UsePAM yes must be in effect, since the keyboard-interactive prompts are answered by PAM.

  5. Restart the SSH service. Keep your current session open while you do this, so that a mistake in the PAM stack or in sshd_config does not lock you out before a fresh login has been verified:

    sudo systemctl restart sshd

  6. Log in to the VM over SSH from the client:

    ssh ubuntu@instance-name

    a. Enter the passphrase for the private key (the matching public key must be in $HOME/.ssh/authorized_keys on the VM, as set up above).

    b. The module then starts DID authentication (a DID Assertion DoAuthentication request). Follow its progress in /var/log/auth.log on Ubuntu/Debian or /var/log/secure on CentOS/RHEL.

  7. Issues you may encounter with the module, as reported in the build output or the logs:

    a. PAM header not found. The PAM development headers are missing; they are needed when the module is compiled on the VM:

    1. On CentOS and RHEL VMs, install pam-devel: sudo yum install pam-devel
    2. On Debian/Ubuntu VMs, install libpam0g-dev: sudo apt-get install libpam0g-dev

    b. autoconf not installed or not found. Install the build tools (Debian/Ubuntu):

    apt-get install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev

    Note: To let the members of one group log in without the Authnull PAM check, add the line below to /etc/pam.d/sshd above the pam_authenticator.so line. It must come first: success=done ends the auth stack with success as soon as pam_succeed_if.so matches and skips every module after it, so it has no effect if placed after the module. The example exempts members of the group tempmfa. Such users still have to pass public-key authentication under AuthenticationMethods, but get no second factor at all, so keep the group empty except during enrolment or troubleshooting and audit its membership.

    auth [success=done default=ignore] pam_succeed_if.so user ingroup tempmfa
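The steps above (the pam.d/sshd edit, the sshd_config lines, the wget caveat, and the group exception in this note), as an added shell example that is not part of the Authnull documentation or tooling. It renders the new PAM stack from an existing /etc/pam.d/sshd, checks that a downloaded .so really is an ELF object, and flags sshd_config keywords that are already set, since sshd keeps the first value it sees. The module path and group name are the ones the page uses; the staging directory, the UsePAM yes line in the sshd fragment, and the sample input files are assumptions constructed for the example. Everything is written to a temporary directory, never to /etc.

```shell
#!/bin/sh
# Added example, not Authnull's own tooling: stage and sanity-check the
# PAM and sshd changes from this page before touching the live system.
# MODULE_PATH and BYPASS_GROUP are the values the page uses; everything
# written here goes to a temporary directory, never to /etc.
set -eu

MODULE_PATH=/usr/local/lib/security/pam_authenticator.so
BYPASS_GROUP=tempmfa

# The downloaded module must be an ELF shared object, not the HTML page that
# a shared-drive link can hand to wget. Returns 0 when the file starts with
# the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Print the new /etc/pam.d/sshd built from the current one ($1): comment
# out "@include common-auth", then append the Authnull lines. If a bypass
# group ($2) is given, the pam_succeed_if line is emitted BEFORE the module
# line, because success=done only skips modules that come after it.
render_pam_sshd() {
    group=${2:-}
    sed 's/^\(@include[[:space:]]*common-auth\)/# \1/' "$1"
    if [ -n "$group" ]; then
        printf 'auth [success=done default=ignore] pam_succeed_if.so user ingroup %s\n' "$group"
    fi
    printf 'auth required %s debug nullok\n' "$MODULE_PATH"
    printf 'auth required pam_permit.so\n'
}

# The sshd_config lines to add. UsePAM yes is an assumption of this example
# (the page does not list it): keyboard-interactive is answered by PAM.
render_sshd_fragment() {
    printf 'UsePAM yes\n'
    printf 'KbdInteractiveAuthentication yes\n'
    printf 'AuthenticationMethods publickey,keyboard-interactive\n'
}

# sshd keeps the FIRST value it sees for a keyword, so lines appended to the
# end of sshd_config are ignored when the keyword is already set above them.
# Print each such line and return 1 if any exist. Only the file given is
# inspected; drop-ins it pulls in with Include need the same check.
sshd_conflicts() {
    rc=0
    for kw in AuthenticationMethods KbdInteractiveAuthentication \
              ChallengeResponseAuthentication UsePAM; do
        if grep -iq "^[[:space:]]*$kw[[:space:]=]" "$1"; then
            printf 'already set: %s\n' "$(grep -i "^[[:space:]]*$kw[[:space:]=]" "$1" | head -n 1)"
            rc=1
        fi
    done
    return "$rc"
}

# ---- constructed demonstration inputs (stand-ins for the real files) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '@include common-auth\naccount required pam_nologin.so\n' > "$WORK/pam_sshd"
printf 'Include /etc/ssh/sshd_config.d/*.conf\nKbdInteractiveAuthentication no\nUsePAM yes\n' > "$WORK/sshd_config"
printf '\177ELFstub' > "$WORK/good.so"                # starts like a real .so
printf '<html>download page</html>' > "$WORK/bad.so"  # what a wrong URL saves

for so in "$WORK/good.so" "$WORK/bad.so"; do
    if is_elf "$so"; then echo "OK  $so is an ELF object"; else echo "BAD $so is not a shared object"; fi
done

render_pam_sshd "$WORK/pam_sshd" "$BYPASS_GROUP" > "$WORK/pam_sshd.new"
echo "--- staged pam.d/sshd ---"; cat "$WORK/pam_sshd.new"

render_sshd_fragment > "$WORK/sshd_config.fragment"
echo "--- sshd_config lines to add ---"; cat "$WORK/sshd_config.fragment"
sshd_conflicts "$WORK/sshd_config" || echo "edit the lines above in place instead of appending"
```

After copying the staged pam.d/sshd and the sshd_config lines into place by hand, run sudo sshd -t to validate the sshd configuration and keep a second session open before restarting the service; the script deliberately stops short of writing to /etc.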