Configure PAM to ask for 2FA token even if password is incorrect
I have Google 2FA set up for ssh password logins. Works fine, but if possible I'd like to tighten a small security hole: if the password given is correct, it will then ask for the 2FA token. If the password given is incorrect, though, then it will keep asking for the password. This obviously would reveal to an attacker that they have actually discovered the password, even if they can't get in immediately.
For example, if the password is hunter2:
Password: hunter2
Verification code:
vs
Password: banana
Password:
I'd like to set it up so that it asks for the 2FA code in every instance, even when the password is wrong, to close off this attack vector. I'd also like it to send me an alert if the correct password is entered along with an incorrect OTP.
Is this something I can achieve with PAM configuration or would I need to basically write my own module for it?
ssh security pam 2-factor-authentication
asked 1 hour ago by xereeto
What is your current PAM configuration? – muru, 1 hour ago
I just added `auth required pam_google_authenticator.so` to the top of the PAM config file. In the ssh config I have `UsePAM yes`, `PasswordAuthentication no`, `ChallengeResponseAuthentication yes`, and `AuthenticationMethods publickey keyboard-interactive`. – xereeto, 29 mins ago
Please show the current PAM configuration. – muru, 21 mins ago
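
Added example, not part of the original question or comments: a simplified Python model of how Linux-PAM's `required` and `requisite` control flags decide which prompts the client sees, and how the "correct password, wrong OTP" case can be told apart on the server. Both stacks are constructed for illustration and are not the asker's configuration; only these two control keywords are modelled, and sshd's re-prompting after a failed stack is not.

```python
# Simplified model of a Linux-PAM auth stack walk. Only the 'required' and
# 'requisite' control keywords are modelled; both stacks are constructed.
LEAKY = """
auth requisite pam_unix.so                  # failure returns at once
auth required  pam_google_authenticator.so
"""
UNIFORM = """
auth required  pam_unix.so                  # failure is recorded, stack goes on
auth required  pam_google_authenticator.so
"""
PROMPTS = {"pam_unix.so": "Password:",
           "pam_google_authenticator.so": "Verification code:"}

def parse(stack):
    """Return [(control, module)] for every auth line, ignoring comments."""
    rows = []
    for line in stack.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            if fields[1] not in ("required", "requisite"):
                raise ValueError("control not modelled: " + fields[1])
            rows.append((fields[1], fields[2]))
    return rows

def authenticate(stack, verified):
    """verified maps module name -> whether that factor checked out.
    Returns (granted, prompts_seen_by_client, failed_modules)."""
    prompts, failed = [], []
    for control, module in parse(stack):
        prompts.append(PROMPTS[module])
        if not verified[module]:
            failed.append(module)
            if control == "requisite":
                break          # control returns to sshd immediately
    return not failed, prompts, failed

def password_was_correct(failed):
    """Server-side alert condition: only the OTP factor failed."""
    return failed == ["pam_google_authenticator.so"]

if __name__ == "__main__":
    for name, stack in (("leaky", LEAKY), ("uniform", UNIFORM)):
        for pw in (False, True):
            v = {"pam_unix.so": pw, "pam_google_authenticator.so": False}
            granted, prompts, failed = authenticate(stack, v)
            print(name, "password ok:", pw, prompts,
                  "alert" if password_was_correct(failed) else "")
```

With the `required` stack the client sees the same two prompts whether or not the password was right, while the list of failed modules still lets the server distinguish the two cases for alerting.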