Apparently others got this to work on rocky 8.8. I followed this Setup SSH with MFA and two other guides on how to configure it, and like the tittle states, when ssh -ing it logs right in never asking for a security code from the mobile phone.
version: 5.14.0-284.11.1.el9_2.x86_64
line added to : /etc/pam.d/sshd
auth required pam_google_authenticator.so
lines addes to: /etc/ssh/sshd_config
…
ChallengeResponseAuthentication yes
UsePAM yes
…
Match all
AuthenticationMethods publickey
Apparently the three guides followed have worked with previous versions but not the one I have. Any help would be appreciated. Thank you
Thanks for replying linde. To my surprise it prompted me for the code after adding the “keyboard-interactive”. I say to may surprise because I am also sure I try that before with no luck.
I am still not out of the wood with this because now instead of login me in it says:
OK, so I haven’t read through the tutorial you linked in detail, so I’m not sure if they covered this, but the keyboard-interactive method in the ssh config is responsible for handling both the regular password and the OTP, so if your goal is to use a key+OTP to log in without prompting for a standard password, then you’ll need some extra PAM configuration.
What I did to accomplish this was to use the package pam_ssh_user_auth and a line in /etc/pam.d/sshd.
Below are my first two auth lines from /etc/pam.d/sshd. Note that the order is important.
# Number after "success" is number of modules to jump over
# If user has an authorized ssh key, skip past the regular password to the OTP
auth [success=1 ignore=ignore default=die] pam_ssh_user_auth.so
auth substack password-auth
Hi Evan,
Following your last post, now I am only using key+OTP, ssh is not asking for a password anymore which is fine. Sadly still I can’t get pass the authentication. I tried google authenticator and a different phone app and I end up at the same spot:
I am able to go past this when configuring google-autenticator when scanning the QR code:
Enter code from app (-1 to skip): 279667 Code confirmed Your emergency scratch codes are:
39879257*
53499218*
55403285*
66189138*
49491847*
Do you want me to update your “/home/anoriega/.google_authenticator” file? (y/n) y
Because the code appears to work when configuring google-authenticator. I don’t understand why it would not work after that. Could something be blocking the exchange? Why would the code make it through just one time? Just thinking out loud.
/var/log/secure and /var/log/audit/audit.log are the most likely places for relevant log info – my guess is it’s most likely a permission or SELinux issue. Temporarily setting SELinux to permissive mode may be the quickest troubleshooting option.
My setup was with pam_oath instead of google-authenticator and I had to set some custom selinux policy to allow the behavior required for everything to work.
Thank you much again for replying. Because of circumstances it will be a few days before I am able to try again. However, it makes sense that after adding firewall rules it should work. I have tendency to forget about SELinux.