Problem with MFA Activation

Hi,

I’m trying to activate MFA on my system, but once I configure the keyboard-interactive method, it is not allowed and so my sshd service won’t restart.

What am I doing wrong?

Here is the update that I have made to the /etc/ssh/sshd_config file:

PermitRootLogin no
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

The /etc/pam.d/sshd file is updated like this:

# auth substack password-auth
auth required pam_google_authenticator.so nullok

Then when I restart my sshd service I get the following error:

sshd[5723]: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard>
AuthenticationMethods cannot be satisfied by enabled authentication methods
sshd.service: Main process exited, code=exited, status=255/EXCEPTION

Why is it not working properly?

If I remove the keyboard-interactive method, then it logs in fine automatically with my keys.
I want to authenticate with the key and the OTP.

Many thanks,

Olivier

OK,

I found that I also need to update /etc/ssh/sshd_config.d/50-redhat.conf, because there is a directive in that file which is

ChallengeResponseAuthentication no

so you have to update it to yes, otherwise it does not work.
And you can’t set it in the sshd_config file, as it is not interpreted there.

Now, moving on to my next error:
google_authenticator can’t create a tempfile or update the secret file.

Olivier

Source of this behavior: Issue MFA, look at the cause …

OK, I found my other error.
The .google_authenticator file is created by default in the ${HOME} folder, and when Google Authenticator tries to read and update it at login, it is blocked by SELinux.

So the workaround is, for example, to put the .google_authenticator file in another folder like the ${HOME}/.ssh folder and also specify this parameter in the /etc/pam.d/sshd file:

auth required pam_google_authenticator.so secret=${HOME}/.ssh/.google_authenticator

Updated as in the above example, you no longer need to disable SELinux and it works fine.
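A pre-restart check for the first problem in this thread (a drop-in such as 50-redhat.conf silently disabling a method that AuthenticationMethods requires), written as an added example; it is not from the thread or from any of the posters. It assumes a POSIX sh with awk, that `sshd -T` is run as root to obtain the effective configuration, and the two `sshd -T` excerpts below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: validate the *effective* sshd settings,
# i.e. what `sshd -T` prints after merging /etc/ssh/sshd_config.d/*.conf,
# before restarting, so a "disabled method" failure does not take sshd down.
# Usage as root:  check_mfa_config "$(sshd -T)" || echo "fix the config first"
# Print the value of one lowercase keyword from sshd -T output (empty if absent).
conf_get() { printf '%s\n' "$2" | awk -v k="$1" '$1==k {$1=""; sub(/^ /,""); print; exit}'; }

# Return 0 if at least one AuthenticationMethods list contains only enabled
# methods (the condition sshd enforces at startup), 1 otherwise; report each
# disabled method so the offending directive can be located with grep.
check_mfa_config() {
    conf=$1
    lists=$(conf_get authenticationmethods "$conf")
    [ -n "$lists" ] && [ "$lists" != any ] || return 0   # no requirement set
    kbd=$(conf_get kbdinteractiveauthentication "$conf")
    # OpenSSH releases before 8.7 print the older alias instead.
    [ -n "$kbd" ] || kbd=$(conf_get challengeresponseauthentication "$conf")
    usable=0
    for list in $lists; do                      # lists are space separated
        ok=1
        for m in $(printf '%s\n' "$list" | tr ',' ' '); do
            case ${m%%:*} in                    # drop any ":submethod" suffix
                publickey)            on=$(conf_get pubkeyauthentication "$conf") ;;
                password)             on=$(conf_get passwordauthentication "$conf") ;;
                keyboard-interactive) on=$kbd ;;
                hostbased)            on=$(conf_get hostbasedauthentication "$conf") ;;
                gssapi-with-mic)      on=$(conf_get gssapiauthentication "$conf") ;;
                *)                    on=yes ;;   # "none"/unknown: leave to sshd
            esac
            [ "$on" = yes ] || { echo "list '$list': method '$m' is disabled (${on:-unset})"; ok=0; }
        done
        if [ $ok -eq 1 ]; then usable=1; fi
    done
    if [ "$kbd" = yes ] && [ "$(conf_get usepam "$conf")" != yes ]; then
        echo "keyboard-interactive is enabled but UsePAM is not, so pam_google_authenticator will not run"
    fi
    [ $usable -eq 1 ]
}

# Constructed sshd -T excerpts: the thread's failing state (50-redhat.conf still
# forcing ChallengeResponseAuthentication no) and the same host after the fix.
SAMPLE_BROKEN='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes
authenticationmethods publickey,keyboard-interactive'
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_BROKEN" | sed 's/^kbdinteractiveauthentication no$/kbdinteractiveauthentication yes/')

check_mfa_config "$SAMPLE_BROKEN" || echo "=> sshd would refuse to start with this config"
check_mfa_config "$SAMPLE_FIXED" && echo "=> effective config satisfies publickey,keyboard-interactive"
```

To find which file sets a reported directive, grep the lowercase keyword case-insensitively across /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/; the first match sshd reads wins.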