
Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04, but NOT for root user

I followed this nice guide from digitalocean to set up Multi-Factor Authentication for SSH on Ubuntu 16.04 Server (No UI),

After this, every user on the system is expected to provide additional authentication when logging in via SSH. If 2FA is set up everything works, but if it isn't set up it just fails (the article did mention that if I leave nullok in sshd it will continue without expecting 2FA if it isn't set up, but that isn't the case).

Basically I want to set up 2FA for every interactive user on the system, but I do not want it enabled for the root user.

BTW I did try https://askubuntu.com/a/1051973/867525; it did work for a normal user, but it didn't work for the root user.


Answer

Based on Dieskim's answer above, this is what I did to NOT apply PAM/2FA to the root user.

In /etc/ssh/sshd_config, where I added AuthenticationMethods publickey,password publickey,keyboard-interactive conditionally:

UsePAM yes
# Apply following rule to everyone (*) but root user (!root)
Match user "!root,*"
    AuthenticationMethods publickey,password publickey,keyboard-interactive
Match all

I would like to also mention the following:

Initially, even after having auth required pam_google_authenticator.so nullok in /etc/pam.d/sshd, root login was not working, and the reason behind that was that PermitRootLogin in sshd_config was set to prohibit-password, and OpenSSH needs to allow root logins using passwords for PAM auth to work with any sort of password, including OTP.

And as I wanted PermitRootLogin set to no, the Match user solution above works well.

Another thing about auth required pam_google_authenticator.so nullok: here it is thought that nullok means that if 2FA is not configured for a user, the user will still be allowed to log in, but that is not the case with the latest versions of libpam-google-authenticator.

# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok

EDIT: The following statement is not true (I removed it from the answer above); do not add auth required pam_permit.so to the sshd file when you are enabling AuthenticationMethods optionally.

It is important to add auth required pam_permit.so as the last line of /etc/pam.d/sshd.

Also test that none of your users is able to log in without any credentials.
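Before relying on the Match block above, it is worth confirming which AuthenticationMethods sshd actually applies per user; on the server itself `sshd -T -C user=root` versus `sshd -T -C user=alice` prints the effective configuration for each connection. As an added illustration that is not part of the original answer, the following Python models the OpenSSH pattern-list semantics behind `Match User "!root,*"` (a matching negated pattern fails the whole list) on the answer's snippet; the user name `alice`, the added `PermitRootLogin no` line and the helper names are assumptions.

```python
import fnmatch

# Constructed sample: the answer's sshd_config fragment, with PermitRootLogin added
# so the root policy the answer describes is visible in one place.
SAMPLE_SSHD_CONFIG = """\
UsePAM yes
PermitRootLogin no
# Apply following rule to everyone (*) but root user (!root)
Match user "!root,*"
    AuthenticationMethods publickey,password publickey,keyboard-interactive
Match all
"""


def pattern_list_matches(name, pattern_list):
    """OpenSSH pattern-list rule (ssh_config(5) PATTERNS): comma-separated globs;
    a matching negated ('!') entry rejects the whole list, otherwise the list
    matches when at least one positive entry matched."""
    matched = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(name, pat.lstrip("!")):
            if negated:
                return False
            matched = True
    return matched


def effective_config(config_text, user):
    """Keyword -> value map for `user`: global keywords plus the contents of any
    Match block whose criterion accepts the user. Only 'Match all' and the
    single-criterion 'Match User <pattern-list>' form are modelled (assumption)."""
    effective, active = {}, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "match":
            crit = rest.split()
            active = crit == ["all"] or (
                len(crit) == 2 and crit[0].lower() == "user"
                and pattern_list_matches(user, crit[1].strip('"')))
            continue
        if active:
            effective[keyword] = rest.strip()
    return effective


def allowed_method_chains(config_text, user):
    """Required method chains for `user`, e.g. [['publickey', 'keyboard-interactive']];
    None means no AuthenticationMethods applies (sshd default: any one method)."""
    methods = effective_config(config_text, user).get("authenticationmethods")
    if methods is None:
        return None
    return [chain.split(",") for chain in methods.split()]
```

Running `allowed_method_chains(SAMPLE_SSHD_CONFIG, "root")` returns None while any other user gets the two chains, which is the split the answer relies on; the real server answer still comes from `sshd -T -C`.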

User contributions licensed under: CC BY-SA