Configured MFA for ssh but prompt to enter code from app never comes up

Apparently others got this to work on rocky 8.8. I followed this Setup SSH with MFA and two other guides on how to configure it, and like the tittle states, when ssh -ing it logs right in never asking for a security code from the mobile phone.

version: 5.14.0-284.11.1.el9_2.x86_64

line added to : /etc/pam.d/sshd
auth required

lines addes to: /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes

Match all
AuthenticationMethods publickey

Apparently the three guides followed have worked with previous versions but not the one I have. Any help would be appreciated. Thank you

Your ssh configuration lines:

Match all
AuthenticationMethods publickey

will allow a public key (by itself) to be enough to log in.

According to the tutorial, you should have:

Match all
AuthenticationMethods publickey,keyboard-interactive

Thanks for replying linde. To my surprise it prompted me for the code after adding the “keyboard-interactive”. I say to may surprise because I am also sure I try that before with no luck.
I am still not out of the wood with this because now instead of login me in it says:

(anoriega@IP) Password:
(anoriega@IP) Verification code:
(anoriega@IP) Password:
(anoriega@IP) Verification code:
(anoriega@IP) Password:
(anoriega@IP) Verification code:
anoriega@IP: Permission denied (keyboard-interactive).

I don’t know if that means the code is incorrect or I am missing another setting.
Again, thank you much for your help

OK, so I haven’t read through the tutorial you linked in detail, so I’m not sure if they covered this, but the keyboard-interactive method in the ssh config is responsible for handling both the regular password and the OTP, so if your goal is to use a key+OTP to log in without prompting for a standard password, then you’ll need some extra PAM configuration.

What I did to accomplish this was to use the package pam_ssh_user_auth and a line in /etc/pam.d/sshd.

Below are my first two auth lines from /etc/pam.d/sshd. Note that the order is important.

# Number after "success" is number of modules to jump over
# If user has an authorized ssh key, skip past the regular password to the OTP
auth       [success=1 ignore=ignore default=die]
auth       substack     password-auth
1 Like

Hi Evan,
Following your last post, now I am only using key+OTP, ssh is not asking for a password anymore which is fine. Sadly still I can’t get pass the authentication. I tried google authenticator and a different phone app and I end up at the same spot:

(anoriega@IP) Verification code:
(anoriega@IP) Verification code:
(anoriega@IP) Verification code:
anoriega@IP: Permission denied (keyboard-interactive).

I am able to go past this when configuring google-autenticator when scanning the QR code:

Enter code from app (-1 to skip): 279667
Code confirmed
Your emergency scratch codes are:

  • 39879257*
  • 53499218*
  • 55403285*
  • 66189138*
  • 49491847*

Do you want me to update your “/home/anoriega/.google_authenticator” file? (y/n) y

Because the code appears to work when configuring google-authenticator. I don’t understand why it would not work after that. Could something be blocking the exchange? Why would the code make it through just one time? Just thinking out loud.

/var/log/secure and /var/log/audit/audit.log are the most likely places for relevant log info – my guess is it’s most likely a permission or SELinux issue. Temporarily setting SELinux to permissive mode may be the quickest troubleshooting option.

My setup was with pam_oath instead of google-authenticator and I had to set some custom selinux policy to allow the behavior required for everything to work.

Thank you much again for replying. Because of circumstances it will be a few days before I am able to try again. However, it makes sense that after adding firewall rules it should work. I have tendency to forget about SELinux.

I will report back eventually.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.