
Google Authenticator 2FA is not working #351

Open
biswaKL opened this issue May 26, 2023 · 6 comments

Comments

@biswaKL

biswaKL commented May 26, 2023

I am trying to SSH from the console with 2FA TOTP, and I am able to log in.
But from webssh I am unable to log in;
I am getting Authentication Failed.

It's trying password auth, not even going to 2FA auth.

Please find the below Logs:

[I 230526 13:06:49 transport:1893] Connected (version 2.0, client OpenSSH_9.0p1)
[I 230526 13:06:49 handler:86] Trying password authentication
[I 230526 13:06:52 transport:1893] Authentication (password) failed.
[E 230526 13:06:52 handler:516] Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 455, in ssh_connect
        ssh.connect(*args, timeout=options.timeout)
      File "/usr/local/lib/python3.10/dist-packages/paramiko/client.py", line 485, in connect
        self._auth(
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 100, in _auth
        raise saved_exception
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 88, in _auth
        self._transport.auth_password(username, password)
      File "/usr/local/lib/python3.10/dist-packages/paramiko/transport.py", line 1587, in auth_password
        return self.auth_handler.wait_for_response(my_event)
      File "/usr/local/lib/python3.10/dist-packages/paramiko/auth_handler.py", line 263, in wait_for_response
        raise e
    paramiko.ssh_exception.AuthenticationException: Authentication failed.

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 514, in post
        worker = yield future
      File "/usr/local/lib/python3.10/dist-packages/tornado/gen.py", line 767, in run
        value = future.result()
      File "/usr/lib/python3.10/concurrent/futures/_base.py", line 451, in result
        return self.__get_result()
      File "/usr/lib/python3.10/concurrent/futures/_base.py", line 403, in __get_result
        raise self._exception
      File "/usr/lib/python3.10/concurrent/futures/thread.py", line 58, in run
        result = self.fn(*self.args, **self.kwargs)
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 461, in ssh_connect
        raise ValueError('Authentication failed.')
    ValueError: Authentication failed.


@biswaKL
Author

biswaKL commented May 26, 2023

I think I know the issue: in line 55 of handler, it's expecting "verification" at the beginning,
but I am getting this:

root@ubuntu-s-1vcpu-1gb-blr1-02:~# ssh root@10.139.0.4
(root@10.139.0.4) Password: 
(root@10.139.0.4) Verification code: 

@huashengdun
Owner

For password 2fa, it verifies the password first, then the totp code.
Make sure you pass the correct password and totp code together.
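The password-then-code order described above, as an added example that is not webssh's or paramiko's own code: a keyboard-interactive prompt handler that answers the password prompt with the password and the verification-code prompt with the code the user typed, and refuses any prompt it does not recognize so a credential is never sent where it was not asked for. It assumes the prompt texts seen in this thread ("Password:" and "Verification code:"); the "(user@host) " prefix in the reporter's console session is added by the OpenSSH client when it displays a prompt, so the handler strips it only to cover prompts copied from a console. The `totp()` function shows how the six-digit code is derived (RFC 6238, HMAC-SHA1, 30-second step, what Google Authenticator computes) and uses the RFC 6238 test secret, not a real one; the gateway itself never holds that secret, it only forwards the code, otherwise the second factor collapses into the first.

```python
"""Added example (not webssh's or paramiko's own code): answer the
keyboard-interactive prompts of a password + TOTP login in the order the
server presents them."""
import base64
import hashlib
import hmac
import re
import struct
import time

# Hypothetical secret for the demo only: the RFC 6238 test key
# "12345678901234567890" in base32. A real gateway never holds this.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# The OpenSSH client prefixes prompts with "(user@host) " when displaying
# them; the server itself sends "Password: " / "Verification code: ".
_CLIENT_PREFIX = re.compile(r"^\([^)]*\)\s*")


def totp(secret_b32, for_time=None, digits=6, step=30):
    """TOTP as Google Authenticator computes it: HOTP(key, floor(T/step)), HMAC-SHA1."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if for_time is None else for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def classify_prompt(prompt):
    """Return 'password', 'verification', or None for an unrecognised prompt."""
    text = _CLIENT_PREFIX.sub("", prompt).strip().lower()
    if text.startswith("password"):
        return "password"
    if text.startswith("verification"):
        return "verification"
    return None


def answer_prompts(prompts, password, code):
    """Build the reply list for one keyboard-interactive round.

    `prompts` is a list of (prompt_text, echo) pairs, the shape paramiko hands
    to an auth_interactive handler. Unknown prompts raise instead of receiving
    the password, so the credential only goes to the prompt that asked for it.
    """
    answers = []
    for prompt_text, _echo in prompts:
        kind = classify_prompt(prompt_text)
        if kind == "password":
            answers.append(password)
        elif kind == "verification":
            answers.append(code)
        else:
            raise ValueError("Unexpected prompt: %r" % prompt_text)
    return answers


def make_handler(password, code):
    """Return a callable with the (title, instructions, prompt_list) signature
    that paramiko's Transport.auth_interactive expects; `code` is the value the
    user typed into the form, forwarded unchanged."""
    def handler(title, instructions, prompt_list):
        return answer_prompts(prompt_list, password, code)
    return handler


if __name__ == "__main__":
    # Constructed prompts in the order the reporter saw them on the console.
    demo = [("Password: ", False), ("(root@10.139.0.4) Verification code: ", False)]
    handler = make_handler("correct horse", totp(DEMO_SECRET_B32))
    print(handler("", "", demo))
```

With a live transport the call would be `transport.auth_interactive(username, make_handler(password, code))`; the handler is invoked once per server round, so both prompts arrive in a single round here and both answers go back together, which is what "pass the correct password and totp code together" amounts to on the wire.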

@biswaKL
Author

biswaKL commented May 29, 2023

Password is correct, I am able to login when I disable the TOTP from server side.

@huashengdun
Owner

Show me your configuration file /etc/ssh/sshd_config.

@Ethan-622

Ethan-622 commented Aug 17, 2023

I get the same issue with it. How can I fix it? Where should I input the verification code?

@carlosapgomes

carlosapgomes commented Aug 21, 2023

Same issue here:

I can login using Google 2FA in console with ssh but not with webssh.
I can only login with webssh when I disable 2FA.
My system is a VM running Ubuntu 22.04 LTS.
I installed webssh following this tutorial from DigitalOcean. It runs behind a reverse proxy (nginx).

Interesting thing is that, while running in debug mode, line 409 of handler.py logs otp as None even when I send the otp in the corresponding form field (see the wssh log file output below). I double checked the Nginx request post logs and the otp is correctly sent by the client.

[I cleared some sensitive information]

wssh log file:

[D 230822 07:07:58 selector_events:54] Using selector: EpollSelector
[D 230822 07:07:58 policy:29] {'autoaddpolicy': <class 'webssh.policy.AutoAddPolicy'>, 'rejectpolicy': <class 'paramiko.client.RejectPolicy'>, 'warningpolicy': <class 'paramiko.client.WarningPolicy'>}
[I 230822 07:07:58 settings:125] RejectPolicy
[D 230822 07:08:41 selector_events:54] Using selector: EpollSelector
[D 230822 07:08:41 policy:29] {'autoaddpolicy': <class 'webssh.policy.AutoAddPolicy'>, 'rejectpolicy': <class 'paramiko.client.RejectPolicy'>, 'warningpolicy': <class 'paramiko.client.WarningPolicy'>}
[I 230822 07:08:41 settings:125] WarningPolicy
[I 230822 07:08:41 main:38] Listening on :8888 (http)
[I 230822 07:13:50 web:2344] 200 GET / (xx.xx.xx.xx) 2.59ms
[I 230822 07:13:50 web:2344] 200 GET /static/css/bootstrap.min.css (xx.xx.xx.xx) 4.30ms
[I 230822 07:13:50 web:2344] 200 GET /static/css/xterm.min.css (xx.xx.xx.xx) 0.63ms
[I 230822 07:13:50 web:2344] 200 GET /static/css/fullscreen.min.css (xx.xx.xx.xx) 0.47ms
[I 230822 07:13:50 web:2344] 200 GET /static/js/jquery.min.js (xx.xx.xx.xx) 0.82ms
[I 230822 07:13:50 web:2344] 200 GET /static/js/popper.min.js (xx.xx.xx.xx) 0.57ms
[I 230822 07:13:50 web:2344] 200 GET /static/js/bootstrap.min.js (xx.xx.xx.xx) 0.72ms
[I 230822 07:13:51 web:2344] 200 GET /static/js/xterm.min.js (xx.xx.xx.xx) 1.41ms
[I 230822 07:13:51 web:2344] 200 GET /static/js/xterm-addon-fit.min.js (xx.xx.xx.xx) 0.41ms
[I 230822 07:13:51 web:2344] 200 GET /static/js/main.js (xx.xx.xx.xx) 0.59ms
[I 230822 07:13:51 web:2344] 200 GET /static/img/favicon.png (xx.xx.xx.xx) 0.84ms
[W 230822 07:14:15 web:2344] 404 GET /static/js/popper.min.js.map (xx.xx.xx.xx) 1.25ms
[W 230822 07:14:15 web:2344] 404 GET /static/js/xterm.js.map (xx.xx.xx.xx) 0.65ms
[W 230822 07:14:15 web:2344] 404 GET /static/js/xterm-addon-fit.js.map (xx.xx.xx.xx) 0.73ms
[W 230822 07:14:15 web:2344] 404 GET /static/js/bootstrap.min.js.map (xx.xx.xx.xx) 0.86ms
[W 230822 07:14:15 web:2344] 404 GET /static/css/fullscreen.min.css.map (xx.xx.xx.xx) 0.44ms
[W 230822 07:14:15 web:2344] 404 GET /static/css/bootstrap.min.css.map (xx.xx.xx.xx) 0.42ms
[D 230822 07:14:37 handler:223] netloc: host.domain.name
[D 230822 07:14:37 handler:226] host: host.domain.name
[D 230822 07:14:37 handler:409] ('yy.yy.yy.yy', 22, 'user1', 'secret', None)
[I 230822 07:14:37 handler:452] Connecting to yy.yy.yy.yy:22
[D 230822 07:14:37 transport:1893] starting thread (client mode): 0xac9263b0
[D 230822 07:14:37 transport:1893] Local version/idstring: SSH-2.0-paramiko_3.3.1
[D 230822 07:14:37 transport:1893] Remote version/idstring: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
[I 230822 07:14:37 transport:1893] Connected (version 2.0, client OpenSSH_8.9p1)
[D 230822 07:14:37 transport:1893] === Key exchange possibilities ===
[D 230822 07:14:37 transport:1893] kex algos: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, sntrup761x25519-sha512@openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256
[D 230822 07:14:37 transport:1893] server key: rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, ssh-ed25519
[D 230822 07:14:37 transport:1893] client encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
[D 230822 07:14:37 transport:1893] server encrypt: chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
[D 230822 07:14:37 transport:1893] client mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
[D 230822 07:14:37 transport:1893] server mac: umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
[D 230822 07:14:37 transport:1893] client compress: none, zlib@openssh.com
[D 230822 07:14:37 transport:1893] server compress: none, zlib@openssh.com
[D 230822 07:14:37 transport:1893] client lang: <none>
[D 230822 07:14:37 transport:1893] server lang: <none>
[D 230822 07:14:37 transport:1893] kex follows: False
[D 230822 07:14:37 transport:1893] === Key exchange agreements ===
[D 230822 07:14:37 transport:1893] Kex: curve25519-sha256@libssh.org
[D 230822 07:14:37 transport:1893] HostKey: ssh-ed25519
[D 230822 07:14:37 transport:1893] Cipher: aes128-ctr
[D 230822 07:14:37 transport:1893] MAC: hmac-sha2-256
[D 230822 07:14:37 transport:1893] Compression: none
[D 230822 07:14:37 transport:1893] === End of kex handshake ===
[D 230822 07:14:37 transport:1893] kex engine KexCurve25519 specified hash_algo <built-in function openssl_sha256>
[D 230822 07:14:37 transport:1893] Switch to new keys ...
[I 230822 07:14:37 handler:86] Trying password authentication
[D 230822 07:14:37 transport:1893] Got EXT_INFO: {'server-sig-algs': b'ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com', 'publickey-hostbound@openssh.com': b'0'}
[D 230822 07:14:37 transport:1893] userauth is OK
[I 230822 07:14:41 transport:1893] Authentication (password) failed.
[E 230822 07:14:41 handler:516] Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 455, in ssh_connect
        ssh.connect(*args, timeout=options.timeout)
      File "/usr/local/lib/python3.10/dist-packages/paramiko/client.py", line 485, in connect
        self._auth(
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 100, in _auth
        raise saved_exception
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 88, in _auth
        self._transport.auth_password(username, password)
      File "/usr/local/lib/python3.10/dist-packages/paramiko/transport.py", line 1587, in auth_password
        return self.auth_handler.wait_for_response(my_event)
      File "/usr/local/lib/python3.10/dist-packages/paramiko/auth_handler.py", line 263, in wait_for_response
        raise e
    paramiko.ssh_exception.AuthenticationException: Authentication failed.
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 514, in post
        worker = yield future
      File "/usr/local/lib/python3.10/dist-packages/tornado/gen.py", line 767, in run
        value = future.result()
      File "/usr/lib/python3.10/concurrent/futures/_base.py", line 451, in result
        return self.__get_result()
      File "/usr/lib/python3.10/concurrent/futures/_base.py", line 403, in __get_result
        raise self._exception
      File "/usr/lib/python3.10/concurrent/futures/thread.py", line 58, in run
        result = self.fn(*self.args, **self.kwargs)
      File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 461, in ssh_connect
        raise ValueError('Authentication failed.')
    ValueError: Authentication failed.
    
[I 230822 07:14:41 web:2344] 200 POST / (xx.xx.xx.xx) 3655.67ms
[D 230822 07:16:37 transport:1893] EOF in transport thread

relevant system wide logs:

Aug 21 21:47:50  sshd(pam_google_authenticator)[16393]: Accepted google_authenticator for user1
Aug 21 21:47:51  sshd[16391]: Accepted keyboard-interactive/pam for user1 from xx.xx.xx.xx port 62653 ssh2
Aug 21 21:47:51  sshd[16391]: pam_unix(sshd:session): session opened for user user1(uid=nnnn) by (uid=0)
Aug 21 21:47:51  systemd[1]: Created slice User Slice of UID nnnn.
Aug 21 21:47:51  systemd[1]: Starting User Runtime Directory /run/user/nnnn...
Aug 21 21:47:51  systemd-logind[727]: New session 81 of user user1.
Aug 21 21:47:51  systemd[1]: Finished User Runtime Directory /run/user/nnnn.
Aug 21 21:47:51  systemd[1]: Starting User Manager for UID nnnn...
Aug 21 21:47:51  systemd[16395]: pam_unix(systemd-user:session): session opened for user user1(uid=nnnn) by (uid=0)
Aug 21 21:47:51  systemd[16395]: Queued start job for default target Main User Target.
Aug 21 21:47:51  systemd[16395]: Created slice User Application Slice.
Aug 21 21:47:51  systemd[16395]: Reached target Paths.
Aug 21 21:47:51  systemd[16395]: Reached target Timers.
Aug 21 21:47:51  systemd[16395]: Starting D-Bus User Message Bus Socket...
Aug 21 21:47:51  systemd[16395]: Listening on GnuPG network certificate management daemon.
Aug 21 21:47:51  systemd[16395]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Aug 21 21:47:51  systemd[16395]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
Aug 21 21:47:51  systemd[16395]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Aug 21 21:47:51  systemd[16395]: Listening on GnuPG cryptographic agent and passphrase cache.
Aug 21 21:47:51  systemd[16395]: Listening on REST API socket for snapd user session agent.
Aug 21 21:47:51  systemd[16395]: Listening on D-Bus User Message Bus Socket.
Aug 21 21:47:51  systemd[16395]: Reached target Sockets.
Aug 21 21:47:51  systemd[16395]: Reached target Basic System.
Aug 21 21:47:51  systemd[1]: Started User Manager for UID nnnn.
Aug 21 21:47:51  systemd[16395]: Reached target Main User Target.
Aug 21 21:47:51  systemd[16395]: Startup finished in 73ms.
Aug 21 21:47:51  systemd[1]: Started Session 81 of User user1.
Aug 21 21:48:32  wssh[16363]: [I 230821 21:48:32 handler:452] Connecting to 127.0.0.1:22
Aug 21 21:48:32  wssh[16363]: [I 230821 21:48:32 transport:1893] Connected (version 2.0, client OpenSSH_8.9p1)
Aug 21 21:48:32  wssh[16363]: [I 230821 21:48:32 handler:86] Trying password authentication
Aug 21 21:48:32  sshd(pam_google_authenticator)[16754]: Invalid verification code for user1
Aug 21 21:48:34  sshd[16754]: Failed password for user1 from 127.0.0.1 port 50972 ssh2
Aug 21 21:48:35  wssh[16363]: [I 230821 21:48:35 transport:1893] Authentication (password) failed.
Aug 21 21:48:35  wssh[16363]: [E 230821 21:48:35 handler:516] Traceback (most recent call last):
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 455, in ssh_connect
Aug 21 21:48:35  wssh[16363]:         ssh.connect(*args, timeout=options.timeout)
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/paramiko/client.py", line 485, in connect
Aug 21 21:48:35  wssh[16363]:         self._auth(
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 100, in _auth
Aug 21 21:48:35  wssh[16363]:         raise saved_exception
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 88, in _auth
Aug 21 21:48:35  wssh[16363]:         self._transport.auth_password(username, password)
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/paramiko/transport.py", line 1587, in auth_password
Aug 21 21:48:35  wssh[16363]:         return self.auth_handler.wait_for_response(my_event)
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/paramiko/auth_handler.py", line 263, in wait_for_response
Aug 21 21:48:35  wssh[16363]:         raise e
Aug 21 21:48:35  wssh[16363]:     paramiko.ssh_exception.AuthenticationException: Authentication failed.
Aug 21 21:48:35  wssh[16363]:     
Aug 21 21:48:35  wssh[16363]:     During handling of the above exception, another exception occurred:
Aug 21 21:48:35  wssh[16363]:     
Aug 21 21:48:35  wssh[16363]:     Traceback (most recent call last):
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 514, in post
Aug 21 21:48:35  wssh[16363]:         worker = yield future
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/tornado/gen.py", line 767, in run
Aug 21 21:48:35  wssh[16363]:         value = future.result()
Aug 21 21:48:35  wssh[16363]:       File "/usr/lib/python3.10/concurrent/futures/_base.py", line 451, in result
Aug 21 21:48:35  wssh[16363]:         return self.__get_result()
Aug 21 21:48:35  wssh[16363]:       File "/usr/lib/python3.10/concurrent/futures/_base.py", line 403, in __get_result
Aug 21 21:48:35  wssh[16363]:         raise self._exception
Aug 21 21:48:35  wssh[16363]:       File "/usr/lib/python3.10/concurrent/futures/thread.py", line 58, in run
Aug 21 21:48:35  wssh[16363]:         result = self.fn(*self.args, **self.kwargs)
Aug 21 21:48:35  wssh[16363]:       File "/usr/local/lib/python3.10/dist-packages/webssh/handler.py", line 461, in ssh_connect
Aug 21 21:48:35  wssh[16363]:         raise ValueError('Authentication failed.')
Aug 21 21:48:35  wssh[16363]:     ValueError: Authentication failed.
Aug 21 21:48:35  wssh[16363]:     
Aug 21 21:48:35  wssh[16363]: [I 230821 21:48:35 web:2344] 200 POST / (xx.xx.xx.xx) 3117.97ms
Aug 21 21:48:45  sshd[16441]: Received disconnect from xx.xx.xx.xx port 62653:11: disconnected by user
Aug 21 21:48:45  sshd[16441]: Disconnected from user user1 xx.xx.xx.xx port 62653
Aug 21 21:48:45  sshd[16391]: pam_unix(sshd:session): session closed for user user1
Aug 21 21:48:45  systemd[1]: session-81.scope: Deactivated successfully.
Aug 21 21:48:45  systemd-logind[727]: Session 81 logged out. Waiting for processes to exit.
Aug 21 21:48:45  systemd-logind[727]: Removed session 81.
Aug 21 21:48:56  systemd[1]: Stopping User Manager for UID nnnn...
Aug 21 21:48:56  systemd[16395]: Stopped target Main User Target.
Aug 21 21:48:56  systemd[16395]: Stopped target Basic System.
Aug 21 21:48:56  systemd[16395]: Stopped target Paths.
Aug 21 21:48:56  systemd[16395]: Stopped target Sockets.
Aug 21 21:48:56  systemd[16395]: Stopped target Timers.

relevant auth.log:

Aug 21 21:47:50  sshd(pam_google_authenticator)[16393]: Accepted google_authenticator for user1
Aug 21 21:47:51  sshd[16391]: Accepted keyboard-interactive/pam for user1 from xx.xx.xx.xx port 62653 ssh2
Aug 21 21:47:51  sshd[16391]: pam_unix(sshd:session): session opened for user user1(uid=nnnn) by (uid=0)
Aug 21 21:47:51  systemd-logind[727]: New session 81 of user user1.
Aug 21 21:47:51  systemd: pam_unix(systemd-user:session): session opened for user user1(uid=nnnn) by (uid=0)
Aug 21 21:48:32  sshd(pam_google_authenticator)[16754]: Invalid verification code for user1
Aug 21 21:48:34  sshd[16754]: Failed password for user1 from 127.0.0.1 port 50972 ssh2
Aug 21 21:48:45  sshd[16441]: Received disconnect from xx.xx.xx.xx port 62653:11: disconnected by user
Aug 21 21:48:45  sshd[16441]: Disconnected from user user1 xx.xx.xx.xx port 62653
Aug 21 21:48:45  sshd[16391]: pam_unix(sshd:session): session closed for user user1
Aug 21 21:48:45  systemd-logind[727]: Session 81 logged out. Waiting for processes to exit.
Aug 21 21:48:45  systemd-logind[727]: Removed session 81.

my sshd_config:

Include /etc/ssh/sshd_config.d/*.conf
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

Match User user1
	PasswordAuthentication yes 

my /etc/pam.d/sshd file:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

my /etc/pam.d/common-auth file:

# /etc/pam.d/common-auth - authentication settings common to all services

# here are the per-package modules (the "Primary" block)
auth	[success=1 default=ignore]	pam_unix.so nullok
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so 
# end of pam-auth-update config
auth required pam_google_authenticator.so nullok

Am I missing any configuration?

Thanks

Carlos
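The auth.log excerpt in this report pairs a `sshd(pam_google_authenticator)` verdict with the `sshd` verdict that follows it: "Invalid verification code for user1" two seconds before "Failed password for user1 from 127.0.0.1", against "Accepted google_authenticator" one second before "Accepted keyboard-interactive/pam" for the console login. As an added example (not part of the issue or of webssh), here is a small correlator that reads such lines and tags each sshd verdict with the TOTP outcome logged for the same user shortly before it, so a defender can tell a password-stage rejection from a code-stage rejection. It assumes the stock Ubuntu auth.log format quoted above and the common-auth stack quoted above, where `pam_deny.so` is `requisite` right after `pam_unix.so`, so pam_google_authenticator only runs once the password has been accepted; the sample lines are the report's own, trimmed.

```python
"""Added example, not part of the issue or of webssh: pair each sshd
verdict in auth.log with the pam_google_authenticator verdict that
preceded it for the same user."""
import re
from datetime import datetime

# Constructed sample: the auth.log excerpt from the report, trimmed.
SAMPLE_AUTH_LOG = """\
Aug 21 21:47:50  sshd(pam_google_authenticator)[16393]: Accepted google_authenticator for user1
Aug 21 21:47:51  sshd[16391]: Accepted keyboard-interactive/pam for user1 from xx.xx.xx.xx port 62653 ssh2
Aug 21 21:48:32  sshd(pam_google_authenticator)[16754]: Invalid verification code for user1
Aug 21 21:48:34  sshd[16754]: Failed password for user1 from 127.0.0.1 port 50972 ssh2
"""

_TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+"
PAM_RE = re.compile(
    _TS + r"sshd\(pam_google_authenticator\)\[\d+\]: "
    r"(?P<verdict>Accepted google_authenticator|Invalid verification code) for (?P<user>\S+)")
SSHD_RE = re.compile(
    _TS + r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def _ts(text):
    # syslog timestamps carry no year; only differences are used here
    return datetime.strptime(text, "%b %d %H:%M:%S")


def correlate(lines, window_s=10):
    """One record per sshd verdict, with the TOTP outcome logged for that
    user within window_s seconds before it (None when no verdict was logged).
    The PIDs differ between the PAM child and the sshd parent on the accepted
    login, so matching is by user and time, not by PID."""
    last_totp = {}  # user -> (timestamp, "accepted" | "invalid")
    events = []
    for line in lines:
        m = PAM_RE.match(line)
        if m:
            verdict = "accepted" if m["verdict"].startswith("Accepted") else "invalid"
            last_totp[m["user"]] = (_ts(m["ts"]), verdict)
            continue
        m = SSHD_RE.match(line)
        if not m:
            continue
        totp = None
        prev = last_totp.get(m["user"])
        if prev and 0 <= (_ts(m["ts"]) - prev[0]).total_seconds() <= window_s:
            totp = prev[1]
        events.append({
            "time": m["ts"], "user": m["user"], "method": m["method"],
            "result": m["result"].lower(), "source": m["src"], "totp": totp,
        })
    return events


def failure_stage(event):
    """Which stage rejected the login, as far as these two log sources show."""
    if event["result"] == "accepted":
        return "accepted"
    if event["totp"] == "invalid":
        # With pam_deny requisite directly after pam_unix (the quoted
        # common-auth), pam_google_authenticator only runs after the
        # password was accepted, so the code is what failed here.
        return "totp rejected"
    if event["totp"] == "accepted":
        return "rejected after valid totp"
    return "password rejected or no totp verdict logged"


if __name__ == "__main__":
    for ev in correlate(SAMPLE_AUTH_LOG.splitlines()):
        print(ev["time"], ev["user"], ev["method"], ev["source"], failure_stage(ev))
```

Two things the records make visible: the webssh attempt used the `password` method while the working console login used `keyboard-interactive/pam`, and its source is 127.0.0.1 rather than the browser's address, so when webssh runs on the same host the real client IP only exists in the wssh and nginx logs and sshd-based rate limiting or alerting sees the gateway instead.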
