12

I recently enabled two-factor-authentication using google-authenticator on my SSH server. However I am now facing a problem:

I have a different group of users on my server which I am using for SFTP, but that group is no longer able to log in since 2FA isn't set up for the users in the group. Is it possible to disable the google-authenticator module for that group? Enabling it for the users in the group is not an option because multiple users will be using this account.

PS: I use openssh-server

Jakuje
  • 6,793
Z3r0byte
  • 243

3 Answers

15

You can use the pam_succeed_if module (see manual page) before the pam_google_authenticator line to skip this part for your group:

    # the other authentication methods, such as @include common-auth
    auth [success=1 default=ignore] pam_succeed_if.so user ingroup group
    auth required pam_google_authenticator.so ...
Jakuje
  • 6,793
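A small simulation of how libpam walks this stack, added here as an example (not part of the answer): it parses the lines above with the group placeholder filled in and reports which modules are consulted for a member of the group and for everyone else. The `sftponly` group, the user names and their group membership are constructed; every module other than pam_succeed_if is assumed to succeed so the control flow is visible.

```python
# Added example: walk a PAM "auth" stack the way libpam does for the control
# fields used in the answer above, to show which modules actually run.
# User names, group membership and the "sftponly" group are constructed.

GROUPS = {  # constructed: a normal shell user and a shared SFTP-only account
    "alice": {"alice", "users"},
    "sftpshare": {"sftpshare", "sftponly"},
}

# The stack from the answer, with the group filled in and a trailing
# pam_permit.so so the stack still ends with a SUCCESS for skipped users.
PAM_SSHD_AUTH = """
auth [success=1 default=ignore] pam_succeed_if.so user ingroup sftponly
auth required pam_google_authenticator.so
auth required pam_permit.so
"""

def parse_stack(text):
    """Split each 'auth <control> <module> [args]' line into (control, module, args)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "[" in line:  # bracketed control field, e.g. [success=1 default=ignore]
            control, rest = line.split("[", 1)[1].split("]", 1)
            parts = rest.split()
        else:  # keyword control field: required / requisite / sufficient / optional
            parts = line.split()[1:]
            control = parts.pop(0)
        entries.append((control.strip(), parts[0], parts[1:]))
    return entries

def module_result(module, args, user):
    """Simulated outcome: only 'pam_succeed_if.so user ingroup G' is really evaluated."""
    if module == "pam_succeed_if.so" and args[:2] == ["user", "ingroup"]:
        return "success" if args[2] in GROUPS.get(user, set()) else "failure"
    return "success"  # assumption: every other module succeeds

def skip_count(control, result):
    """How many following modules to skip: the N of 'success=N' when it applies."""
    if "=" not in control:
        return 0  # keyword controls never jump
    actions = dict(tok.split("=", 1) for tok in control.split())
    action = actions.get(result, actions.get("default", "ignore"))
    return int(action) if action.isdigit() else 0

def modules_consulted(text, user):
    """Return the modules libpam would invoke for this user, honouring success=N jumps."""
    stack, consulted, i = parse_stack(text), [], 0
    while i < len(stack):
        control, module, args = stack[i]
        consulted.append(module)
        i += 1 + skip_count(control, module_result(module, args, user))
    return consulted

def twofa_required(text, user):
    """True when the stack would prompt this user for a Google Authenticator code."""
    return "pam_google_authenticator.so" in modules_consulted(text, user)
```

Placing the pam_succeed_if line after pam_google_authenticator instead of before it would make the jump pointless, which is what the simulation makes easy to verify.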
1

Some SFTP clients can handle 2FA. For example, I'm using 2FA with FileZilla and WinSCP and they work. Also I have set up ssh-key authentication and it works alongside 2FA.

However, your question is interesting and I made a short survey. I found this answer.

So, it is possible (and easy) to run separate ssh instances. I've already tested it.

  1. Make separate copies of sshd_config file.

    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_pwd
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_2fa
    
  2. Edit these new config files. One of the things you must change is the ssh port. According to the example:

    2.a) sshd_config_pwd specific lines are:

    Port 1022
    ...
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    UsePAM no
    

    2.b) sshd_config_2fa specific lines are:

    Port 2022
    ...
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePAM yes
    
  3. Open the necessary ports in the firewall. According to the example:

    $ sudo ufw limit 1022
    $ sudo ufw limit 2022
    
  4. Run the new ssh instances:

    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_pwd
    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_2fa
    

That's it.

pa4080
  • 30,621
0

The following will make Google 2FA mandatory for all users except users belonging to the sudo and admin group (meaning if a user from group sudo or admin does not have 2FA configured, it will authenticate him/her based on their public key):

File: /etc/pam.d/sshd

    auth required pam_google_authenticator.so nullok
    auth optional pam_succeed_if.so user ingroup sudo
    auth optional pam_succeed_if.so user ingroup admin

File: /etc/ssh/sshd_config

    AuthenticationMethods publickey,keyboard-interactive
    UsePAM yes
    ChallengeResponseAuthentication yes

Results:

              | Belongs to sudo or | Has 2FA already set up     | Authentication result
              | admin group        | in ~/.google_authenticator |
    ----------+--------------------+----------------------------+--------------------------------------------
    User A    | NO                 | NO                         | DENIED LOGIN UNTIL 2FA IS SET UP
    User B    | YES                | NO                         | CAN LOGIN (PRIVATE/PUBLIC KEY USED)
    User C    | NO                 | YES                        | CAN LOGIN (PRIVATE/PUBLIC KEY AND 2FA USED)
    User D    | YES                | YES                        | CAN LOGIN (PRIVATE/PUBLIC KEY AND 2FA USED)

According to Google Authenticator's README.md documentation:

    nullok

    PAM requires at least one SUCCESS answer from a module, and nullok causes this module to say IGNORE. This means that if this option is used at least one other module must have said SUCCESS. One way to do this is to add auth required pam_permit.so to the end of the PAM config.

This makes the use of nullok here safe.

Basil A
  • 103