1

So I've been reading more and more about how (relatively) easy it is to have your Ubuntu server compromised and suffice to say have become a tad paranoid by this fact.

I've setup Multi Factor Authentication using libpam-google-authenticator and a password.

What I'd like to be able to do is use both a password and a verification code OR an ssh key and a verification code. Preferably checking for an SSH key and if one is received then asking for a verification code, or if an SSH key is not present, asking for a password then a verification code.

I've been racking my brain reading over the following tutorials, but feel like I'm missing some fundamental knowledge to get the correct order.

As a side question, does anyone know the correct wording for what I'm trying to do? I gather that may be part of my problem while researching.

Gary
  • 165
  • 2
  • 6

2 Answers2

3

You can in fact combine ssh public key authentication with PAM authentication. The ssh daemon will do the public key authentication (with you ssh key, which is no certificate, just key pairs!) and the password authentication or OTP/GA authentication is managed via PAM.

The trick is, to use this

AuthenticationMethods publickey,password

in your sshd_config.

I wrote a howto about this. In this howto you can even manage your SSH keys and the OTP tokens with a central system privacyIDEA. (Disclaimer: My project)

cornelinux
  • 2,023
  • 8
  • 11
0

See here. https://superuser.com/questions/607519/three-step-authentication

The benefit of mfa is a password being guessed cannot get farther. You can use weaker passwords and reuse them and change them less often. You can avoid phishing scams more readily.

Certs do not have that issue. You never transmit your private cert and can reuse it often.

Also password protect your key for added security.

I also think ssh does cert auth out of pam so you have no way to hook the user through pam to get the mfa check.

I would still suggest turning off password based auth all together. The cert provides 112 bits of entropy (2048 RSA) and that takes years to brute force.

If the logs are bugging you people often chang their port or use fail to ban to autoblock traffic.

Jonathan
  • 2,318
  • 13
  • 16
  • Aye I have `fail2ban` and `ip-tables` setup :-) – Gary Jul 14 '16 at 07:33
  • Also, I'm not trying to setup three step authentication as that article suggests, more of a this or that authentication. – Gary Jul 14 '16 at 07:54