Score:1

Enforcing 2FA configuration on next SSH login for every user

phk

I have found numerous tutorials on how to enable 2FA (TOTP, RFC 6238), but is there also a way to force SSH users to configure it on the first login? (I am using the OpenSSH server.)

I guess I could create a script that runs every time and checks whether a .google_authenticator for the particular user exists, and if not, runs google-authenticator until it does and then edits /etc/pam.d/sshd (uh-oh), and otherwise runs the default shell/command… but there are perhaps many unforeseen edge cases and possibilities for breaking SSH login.

So before I possibly re-invent the wheel, and do so haphazardly, does an existing solution already exist?

I would have assumed that it does since it's the norm for user-facing software, e.g. Gitlab and Gsuite come to mind, where you can force users to configure 2FA on the next login.

Score:1

I am not sure if someone has already written a script for general purpose, because these things are sometimes specific to requirements.

What I can suggest is to use env files (.bashrc, .bash_profile, etc.) to alter your ssh/2FA files.

The anatomy of the script will be like below:

    if [ -f "$HOME/.google_authenticator" ]; then
        :   # 2FA already set up: continue with the normal login
    else
        google-authenticator   # set up 2FA, then exit so it applies on the next login
        exit
    fi
Wouldn't one be able to just overwrite the script or break out of it?
asktyagi
No one can if it is handled properly; just as a hint, trap the exit signal in the script so no one can break out. Also, the above can't handle scale; using an IaaS tool is recommended.
phk
Hm… you could do `ssh [target] bash --noprofile --norc` (or similar) unless `ForceCommand` or `command=` inside `authorized_keys` is used. But then, the setup itself is not meant as a security feature. Also this way, it would not break `scp` or `sshfs`. But on the other hand I would want to protect those `ssh` accounts used for non-interactive stuff as well… the more I think about it, the harder this problem appears. Anyway, thank you.
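Pulling together the procedure sketched in the question (check for the secret file, enrol if missing, otherwise run the normal shell or command) and the script outlined in the answer, here is an added example of a ForceCommand wrapper. It is not code from the question, the answer or the google-authenticator project. The wrapper path /usr/local/sbin/require-2fa, the function names and the message text are my own choices; the sshd_config keywords, the pam_google_authenticator.so nullok option and the google-authenticator flags are the real ones. Because ForceCommand applies to every session, the `ssh [target] bash --noprofile --norc` trick from the comments arrives in SSH_ORIGINAL_COMMAND and is refused until enrolment has happened, and so are scp and sftp from an account that has not enrolled yet, which is the trade-off phk points out.

```shell
#!/bin/sh
# require-2fa: ForceCommand wrapper that refuses to hand out a shell or run a
# command until the user has enrolled a TOTP secret.
# Example added by the editor; not code from the question or the answer.
#
# Assumed sshd_config (the keywords are OpenSSH's; the wrapper path is ours):
#   UsePAM yes
#   KbdInteractiveAuthentication yes   # ChallengeResponseAuthentication on old releases
#   AuthenticationMethods publickey,keyboard-interactive
#   ForceCommand /usr/local/sbin/require-2fa
# Assumed line in /etc/pam.d/sshd:
#   auth required pam_google_authenticator.so nullok
# "nullok" lets a user with no secret file through PAM so that they can
# enrol; this wrapper is what closes that window. Install it root-owned,
# mode 0755, so users cannot edit it, and set it in sshd_config (not in a
# per-user authorized_keys) so that it applies to every session.

set -u

SECRET_NAME=".google_authenticator"   # file written by google-authenticator

# 0 if the account whose home directory is $1 already has a TOTP secret.
has_totp_secret() {
    [ -s "$1/$SECRET_NAME" ]
}

# Decide what to do with a session.
#   $1  home directory
#   $2  SSH_ORIGINAL_COMMAND, empty for an interactive login
#   $3  "tty" when stdin is a terminal, anything else otherwise
# Prints exactly one of: login-shell | run-command | enroll | refuse
decide_action() {
    if has_totp_secret "$1"; then
        if [ -n "$2" ]; then echo run-command; else echo login-shell; fi
    elif [ "$3" = tty ] && [ -z "$2" ]; then
        echo enroll
    else
        # "ssh host bash --norc", scp, sftp and rsync all arrive here with a
        # command set (or without a tty), so they cannot skip enrolment.
        echo refuse
    fi
}

# Run the interactive enrolment with interrupt and job-control signals
# ignored, so the user cannot Ctrl-C or Ctrl-Z their way to a shell.
# Flags are google-authenticator's own: time-based, no code reuse, write the
# file without asking, 3 attempts per 30 s, one extra 30 s window.
enroll_user() {
    trap '' INT QUIT TSTP HUP
    echo "Two-factor authentication is required; setting it up now." >&2
    google-authenticator -t -d -f -r 3 -R 30 -w 1
    echo "Enrolment saved. Reconnect and you will be asked for a code." >&2
}

main() {
    if [ -t 0 ]; then tty=tty; else tty=notty; fi
    shell=${SHELL:-/bin/sh}              # sshd exports the login shell here
    case "$(decide_action "$HOME" "${SSH_ORIGINAL_COMMAND:-}" "$tty")" in
        login-shell) exec "$shell" -l ;;
        run-command) exec "$shell" -c "${SSH_ORIGINAL_COMMAND}" ;;
        enroll)      enroll_user; exit 0 ;;
        refuse)      echo "2FA is not enrolled on this account: log in interactively once to set it up." >&2; exit 1 ;;
    esac
}

# Only enforce when invoked under the installed name; running or sourcing the
# file under another name just defines the functions above.
case "$0" in
    */require-2fa|require-2fa) main ;;
esac
```

Keep a second, already-authenticated session open while you change sshd_config and the PAM stack, and test with a throwaway account first: a mistake in either file locks everyone out, not just unenrolled users. Note that `nullok` is the piece that makes the "enrol on next login" flow possible at all; without it PAM rejects users who have no secret, and with it the wrapper above is the only thing standing between a key-only login and a shell.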