Enforcing 2FA configuration on next SSH login for every user

phk

5/27/23, 1:27 PM

I have found numerous tutorials on how to enable 2FA (TOTP, RFC 6238) but is there also a way to force SSH users to configure it on the first login? (I am using OpenSSH server)

I guess I could create a script that runs everytime and checks whether a .google_authenticator for the particular user exists and if not then runs google-authenticator until it does and then edits /etc/pam.d/sshd (uh-oh), and otherwise runs the default shell/command… but there are perhaps many unforeseen edge cases and possibilities for breaking SSH login.

So before I possibly re-invent the wheel, and do so haphazardly, does an existing solution already exist?

I would have assumed that it does since it's the norm for user-facing software, e.g. Gitlab and Gsuite come to mind, where you can force users to configure 2FA on the next login.

0 + 0

linux

ssh

pam

google-authenticator

two-factor-authentication

Score:1

Server

asktyagi

6/14/23, 5:25 AM

I am not sure if someone already wrote script for general purpose because these things sometime specific to requirement.

What I can suggest is use env files(.bashrc,.bash_profile etc) to alter your ssh/2FA etc file.

Anatomy of script will be like below:

if <check 2fa file setup exists>
    # execute this if found
    # or continue
else
    # setup 2FA and exit for next login.

0 + 0

fuero

6/14/23, 6:50 AM

Wouldn't one be able to just overwrite the script or break out of it?

asktyagi

6/14/23, 7:07 AM

No one can do if it handled properly, just for hint trap the exit signal in script so no one can break. Also above thing can't handle with scale using IaaS tool usage is recommended.

phk

6/14/23, 6:05 PM

Hm… you could do `ssh [target] bash --noprofile --norc` (or similar) unless `ForceCommand` or `command=` inside `authorized_keys` is used. But then, the setup itself is not meant as a security feature. Also this way, it would not break `scp` or `sshfs`. But on the other hand I would want to protect those `ssh` accounts used for non-interactive stuff as well… the more I think about it, the harder this problem appears. Anyway, thank you.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Enforcing 2FA configuration on next SSH login for every user

TH: บังคับใช้การกำหนดค่า 2FA ในการเข้าสู่ระบบ SSH ถัดไปสำหรับผู้ใช้ทุกคน

RO: Implementarea configurației 2FA la următoarea autentificare SSH pentru fiecare utilizator

RU: Принудительная конфигурация 2FA при следующем входе в SSH для каждого пользователя

VI: Thực thi cấu hình 2FA trong lần đăng nhập SSH tiếp theo cho mọi người dùng

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.