Monday Oct 10, 2016

Requiring both Public Key (or GSSAPI/Kerberos) and OTP for OpenSSH

I've had two conversations recently on how to configure OpenSSH to require public key or gssapi as well as OTP but the users UNIX password.  The way to do this isn't completely obvious unless you know how OpenSSH and PAM interact. On Oracle Solaris we have an additional patch to OpenSSH that allows for per SSH userauth PAM stacks, the configuration below takes advantage of this.

When OpenSSH authenticates the user using either pubkey or GSSAPI it does not call pam_authenticate(3PAM), there is no path to communicate with the user when using those userauth methods so there is nothing to be gained from asking PAM.  However to use OTP we need to communicate with the user.  So we need to configure both sshd and our PAM stack.  OpenSSH has a very useful feature here where we can require multiple of the SSH userauth methods to pass.

Add the OTP PAM module: pkg install otp (Note this is only available in the Solaris 11.3 /support repository not /release)

Configure OTP for the user using otpadm, for example:

$ otpadm set secret
New TOTP secret=N4CE V67C CJKW 5LF3 735V WGJB QL3V FMY7
Enter current code from authenticator: 
Enter the TOTP secret into your OTP token device, this could be an application on your phone such as Google Authenticator. You also need to enter the current value of the token to confirm you configured the device correctly. If you are using a device such as the YubiKey Neo you must configure HOTP instead of TOTP eg:
$ otpadm set mode=counter secret
New HOTP secret=3U7O YHLS NXNB R4YA FG44 KNKO HUC6 EWJ4
Enter current code from authenticator:

Now confiure OpenSSH in /etc/ssh_sshd_config:

AuthenticationMethods publickey,keyboard-interactive

Or in the case of requiring GSSAPI (Kerberos credentials):

AuthenticationMethods gssapi-with-mic,keyboard-interactive

Then create /etc/pam.d/sshd-kbdint with the following content:

    
auth required pam_unix_cred.so.1
auth required pam_otp_auth.so.1

With the above configuration all users will be required to do SSH with pubkey (or gssapi)  and will be prompted for an OTP tooken. So lets see what this looks like from the users view, I'm going to use the GSSAPI case but it will be similar for pubkey:

$ ssh server.example.com
Permission denied (gssapi-with-mic).
$ kinit 
Password for darren@EXAMPLE.COM:
$ ssh server.example.com
OTP code: 

How do we know that gssapi was used though ? We can look at the debug output by adding -v to the ssh invocation on the client and we will see output that looks like this:

  
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive

In the pubkey case the output would be very similar (the first line would say pubkey instead of gssapi-with-mic). If you don't need the above configuration for all users you can use the Match block directive in sshd_config and/or the pam_user_policy facility in Solaris to select which users require the multiple factors.

Updated Friday 10th Feb 2017 to show Solaris pam_otp_auth module rather than Google's PAM module.


About

Darren Moffat-Oracle

Search


Categories
Archives
« April 2017
MonTueWedThuFriSatSun
     
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
       
Today