Score:0

Using ssh with sssd for password or publickey and extending with MFA support through PAM


So after some extensive testing and discussion, I can no longer wrap my head around this problem on my own.

Goal: Authenticating over ssh with either publickey or password, and use PAM for MFA.

System used is Ubuntu Server 20.04

Splitting this into manageable parts has also shown some difficulties when combining the different parts.

Authenticating with publickey and using PAM for MFA is not a problem. Authenticating with password and using PAM for MFA is not a problem. Using either publickey or password is a bit different. Combining with MFA seems impossible.

The problem seems to lie in how SSHD authenticates the user with a password. SSHD cannot do this without PAM, since the user shadow file is not readable without PAM. Enabling PAM and activating pam_env.so and pam_sssd.so in the auth stack solves this.

So using PAM, I can authenticate with either publickey or password. What I don't get is why SSHD needs the user shadow file for password auth, and not for publickey? I still get my groups and everything using publickey, without PAM, and using SSSD for providing the public keys with authorized_keys command.

To authenticate using password I need the corresponding pam module in the auth stack.

This would not be much of a problem, but the goal is to enable MFA and not prompt the user for password unless it is needed. The MFA needs to be implemented using PAM. Using PAM alongside public keys is not a problem, setting method "publickey,keyboard-interactive" in sshd_config passes this to PAM and setting the PAM module after pam_env.so for MFA allows this.

But enabling methods "password,keyboard-interactive" requires the pam_sss.so module, so then I will be prompted for a password even if I use publickey method, and then prompted for the MFA.

How do I navigate this problem, so that I can authenticate over ssh with a password from sssd, or a publickey from sssd? And for the next step, whether PAM is a requirement for password or not (preferably not), either way, how do I implement the MFA?

Since this is still looping around in my head, I am sure that I can explain things better but have done my best to explain my difficulties.

Things I have read into are sssd, pam_ssh, pam_sssd, pam_ssh_agent_auth, and sshd. I have also read through the documentation for DUO, Google MFA, and RedHat.

Any thoughts or ideas?

Any feedback would be greatly appreciated.

Thanks!
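To make the two situations the question describes concrete, here are the corresponding sshd_config and /etc/pam.d/sshd fragments, written out as an added example (not configuration taken from the original post). The AuthorizedKeysCommand path and the OTP module name (a pam_google_authenticator-style module) are assumptions; the option names are those of the OpenSSH 8.2 shipped with Ubuntu 20.04.

```conf
# --- Case A (works, as the question states): publickey, then PAM only for the MFA step ---
# /etc/ssh/sshd_config (relevant lines only)
UsePAM yes
ChallengeResponseAuthentication yes      # enables keyboard-interactive, i.e. the PAM conversation
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys   # public keys served by SSSD (assumed path)
AuthorizedKeysCommandUser nobody
AuthenticationMethods publickey,keyboard-interactive

# /etc/pam.d/sshd (auth stack only; the OTP module name is an assumption)
auth required pam_env.so
auth required pam_google_authenticator.so   # only the second factor is asked for; no pam_sss here

# --- Case B (the problem): also allow password logins against SSSD ---
# /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes               # the "password" method now has to be accepted
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive

# /etc/pam.d/sshd
auth required pam_env.so
auth required pam_sss.so                 # needed so the "password" method can be verified by SSSD
auth required pam_google_authenticator.so
# sshd runs this one "sshd" PAM service for both the password method and keyboard-interactive,
# so after a successful publickey the keyboard-interactive step still walks through pam_sss.so
# and prompts for the password before the OTP prompt: exactly the double prompt described above.
```

The fragments are meant to be compared side by side: the only difference between the two PAM stacks is pam_sss.so, and that single line is what the keyboard-interactive step cannot skip, because PAM is not told which SSH method already succeeded.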
