Score:0

SSHD keeps asking for user password even though it was configured with publickey,keyboard-interactive

us flag

I'm trying to configure sshd on a VPS instance, and would like to have an authentication which is publickey,keyboard-interactive (public key AND keyboard-interactive).

The problem is that the server keeps asking for serveruser password on login after the public key was sent and accepted. It should only ask for the 2FA code. I am able to login using publickey, serveruser password and 2FA code.

I have two other similar setups that work great but I remember having trouble setting those up, like using black magic in bizarre configuration files.

I spent countless hours trying to configure sshd this way on other hosts and now I don't seem to achieve it.

I also tried to compare client and server logs on a working setup and this one but the logs are the same! (Except with IPs, ports and fingerprints)

SSH client log : https://pastebin.com/P1xsKTwm

Server's /etc/ssh/sshd_config : https://pastebin.com/qSH7GAmR

Server's /etc/pam.d/sshd : https://pastebin.com/YBKY91Rk

(sshd was restarted using sudo systemctl restart sshd.service)

EDIT : keyboard-interactive is not only for 2FA

Read the comments in mforsetti's answer below; I did not understand that keyboard-interactive was not for 2FA only.

The trick was to edit the /etc/pam.d/sshd file to disable password authentication (explained in mforsetti's post and comments below).

Score:1
tz flag

The problem is that the server keeps asking for serveruser password on login after the public key was sent and accepted.

well, you specifically asked for it.

AuthenticationMethods publickey,keyboard-interactive

Quoting the sshd_config manual:

AuthenticationMethods

Specifies the authentication methods that must be successfully completed for a user to be granted access. ... by the single string any to indicate the default behaviour of accepting any single authentication method ...

... For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. ...

So, adding AuthenticationMethods publickey,keyboard-interactive to your sshd_config means you expect to have publickey authentication completed first, then keyboard-interactive authentication completed next.

If you expect to only authenticate with publickey, probably change

AuthenticationMethods publickey,keyboard-interactive

to

AuthenticationMethods publickey

or, if you enable any other authentication methods and expect any single successful authentication method as an OK, you may use

AuthenticationMethods any

I want to authenticate both with public key and 2FA

You may want to disable common-auth from the PAM configs, as in most Linux/Unix distributions common-auth includes pam_unix.so or pam_unix2.so, which require the account password.

us flag
Thanks for the answer! :D Maybe I was not clear above: I want to authenticate both with public key and 2FA, but not the serveruser password. What I don't understand is that keyboard-interactive keeps asking me for serveruser's password; it shouldn't, right? It's only 2FA?
mforsetti avatar
tz flag
`keyboard-interactive` is a catch-all for, well, keyboard interactivity, including password, PAM, Kerberos, etc. Try using `AuthenticationMethods publickey,keyboard-interactive:pam` if you're using PAM to configure your 2FA stuff.
mforsetti avatar
tz flag
Have you commented out `@include common-auth` in `/etc/pam.d/sshd`?
us flag
Ohhh... I thought that keyboard-interactive was only for 2FA... Commenting out the line did exactly what I wanted, many thanks!
mforsetti avatar
tz flag
Added info about `common-auth` to the answer.
us flag
great! :D many thanks!
Ismail Iqbal avatar
st flag
@mforsetti I'm having the same issue. I followed this guide, https://www.middlewareinventory.com/blog/aws-mfa-ssh-ec2-setup/, to enable 2FA on an AWS EC2 instance with the AWS AMI. According to the guide, user accounts which did not run the Google Authenticator initialization should not be prompted for the MFA key. When trying to access it via Termius, it prompts anyway for users who have not set up Google Authenticator.
mforsetti avatar
tz flag
@IsmailIqbal No, that's a different issue. Try asking a new question with details about what you've configured in the instance.
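As an added example (not code from the original question, the answer or its comments), here is a small POSIX shell audit that applies the reasoning above to a config pair: it reads the AuthenticationMethods value that sshd will use from an sshd_config and checks whether the PAM service file still pulls in the distribution password stack (an active `@include common-auth`, or a direct `auth ... pam_unix.so` line). The function names, file paths and the two sample config pairs are constructed for this illustration; the "after" PAM file carries a commented placeholder where a real 2FA module line would go, since the thread does not name one. Only the global section of sshd_config is inspected (sshd uses the first value it reads; Match blocks are ignored here).

```shell
#!/bin/sh
# Audit helper for the "public key accepted, then a password prompt" symptom.
# Added example; paths and sample files below are constructed, not from the post.

# Print the first active AuthenticationMethods value in the global section.
# sshd keeps the first value it reads, so we stop at the first match or at
# the first Match block (Match blocks are out of scope for this check).
auth_methods() {
    awk 'tolower($1)=="match" {exit}
         tolower($1)=="authenticationmethods" {print $2; exit}' "$1"
}

# Exit 0 when the PAM service file still runs the system password stack:
# an uncommented "@include common-auth" (Debian/Ubuntu layout) or a direct
# "auth ... pam_unix.so" / "pam_unix2.so" line.
pam_asks_password() {
    grep -Eq '^[[:space:]]*(@include[[:space:]]+common-auth|auth[[:space:]].*pam_unix2?\.so)' "$1"
}

# Verdict for an (sshd_config, pam.d/sshd) pair. Prints one of:
#   password-prompt-expected  keyboard-interactive is required and PAM still
#                             asks for the account password
#   pubkey-plus-pam-only      keyboard-interactive is required and the
#                             password stack is disabled
#   no-keyboard-interactive   keyboard-interactive is not in the required chain
audit_ssh_auth() {
    methods=$(auth_methods "$1")
    case ",$methods," in
        *,keyboard-interactive,*|*,keyboard-interactive:*)
            if pam_asks_password "$2"; then
                echo password-prompt-expected
            else
                echo pubkey-plus-pam-only
            fi ;;
        *)
            echo no-keyboard-interactive ;;
    esac
}

# Constructed sample configs: the asker's starting point, then the fixed state.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sshd_config.before" <<'EOF'
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
EOF
cat > "$TMP/pam_sshd.before" <<'EOF'
# PAM configuration for the Secure Shell service (constructed sample)
@include common-auth
auth required pam_nologin.so
EOF

cat > "$TMP/sshd_config.after" <<'EOF'
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
EOF
cat > "$TMP/pam_sshd.after" <<'EOF'
# @include common-auth   <- disabled so PAM no longer asks for the password
# auth required <your-2fa-module>.so   <- placeholder, not a real module name
auth required pam_nologin.so
EOF

audit_ssh_auth "$TMP/sshd_config.before" "$TMP/pam_sshd.before"   # password-prompt-expected
audit_ssh_auth "$TMP/sshd_config.after"  "$TMP/pam_sshd.after"    # pubkey-plus-pam-only
```

Run it against real files with `audit_ssh_auth /etc/ssh/sshd_config /etc/pam.d/sshd`; a `password-prompt-expected` verdict means the second factor stage will ask for the account password before any PAM-based 2FA module gets a turn, exactly the behaviour described in the question.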