How to use the ssh server with PAM but disallow password auth?
maybe the exact question is how to configure pam to disallow passwords?
Correct. You've already stumbled upon the fact that setting UsePAM no
is generally bad advice. Not only does it prevent any form of PAM based authentication, it also disables account
and session
modules. Access control and session configuration are good things.
First, let's build a list of requirements:
- OTP via
pam_google_authenticator.so
. This requiresUsePAM yes
andChallengeResponseAuthentication yes
. You're prompting them for a credential, after all! - No other form of password authentication via PAM. This means disabling any
auth
module that might possibly allow a password to be transmitted viakeyboard-interactive
logins. (which we have to leave enabled for OTP) - Key based authentication. We need to require
publickey
authentication, and maybegssapi-with-mic
if you have Kerberos configured.
Normally, authenticating with a key skips PAM based authentication entirely. This would have stopped us in our tracks with older versions of openssh, but Debian 8 (jessie) supports the AuthenticationMethods
directive. This allows us to require multiple authentication methods, but only works with clients implementing SSHv2.
sshd config
Below are the lines I suggest for /etc/ssh/sshd_config
. Make sure you have a way to access this system without sshd
in case you break something!
# Require local root only
PermitRootLogin no
# Needed for OTP logins
ChallengeResponseAuthentication yes
UsePAM yes
# Not needed for OTP logins
PasswordAuthentication no
# Change to to "yes" if you need Kerberos. If you're unsure, this is a very safe "no".
GSSAPIAuthentication no
# Require an OTP be provided with key based logins
AuthenticationMethods publickey,keyboard-interactive
# Use this instead for Kerberos+pubkey, both with OTP
#
#AuthenticationMethods gssapi-with-mic,keyboard-interactive publickey,keyboard-interactive
Don't forget to reload sshd
once these changes have been made.
PAM config
We still have to configure PAM. Assuming a clean install of Debian 8 (per your question):
- Comment
@include common-auth
from/etc/pam.d/sshd
. - Review
/etc/pam.d/sshd
and confirm that no lines beginning withauth
are present. There shouldn't be if this is a clean install, but it's best to be safe. - Add an
auth
entry forpam_google_authenticator.so
.
Remember that local passwords still work.
We did not make any changes that would impact logins via a local console, or prevent users from using passwords to upgrade their privileges via sudo.
This was outside the scope of the question. If you decide to take things further, remember that root should be always be permitted to login locally via password. You risk locking yourself out of the system accidentally otherwise.