Comments (19)
Thank for all your help.
It's really a great tool.
I'll be happy to put it in production when the policy will be written.
from the-bastion.
The scratch codes can help if for some reason you no longer have the TOTP app or it no longer works correctly. Each code can only be used once, however.
To disable TOTP for your account you can use the --osh selfMFAResetTOTP
command. It requires the TOTP of course, but you might want to try a scratch code there.
Once you've unlocked yourself, to be able to help you better, please describe the steps you followed to enable TOTP on your account.
from the-bastion.
Ok i tried the --osh selfMFAResetTOTP
and insert my scratch code but i did not work
Of course i tried a couple ones in the list.
I'm running Centos8 in VM. My timedate seems update.
I used the command --osh selfMFASetupTOTP
and get the result:
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
*****
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: ****..***
Enter code from app (-1 to skip): ******
Code confirmed
Your emergency scratch codes are:
*******
*******
*******
*******
*******
from the-bastion.
Did you install pamtester
?
Can you give a screenshot of the error you get when trying to login with the TOTP?
from the-bastion.
nope i did install pamtester
should it be install on the bastion?
here is the login exemple:
$ bssh --osh selfMFAResetTOTP
*------------------------------------------------------------------------------*
|THIS IS A PRIVATE COMPUTER SYSTEM, UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.|
|ALL CONNECTIONS ARE LOGGED. IF YOU ARE NOT AUTHORIZED, DISCONNECT NOW. |
*------------------------------------------------------------------------------*
Enter passphrase for key '/home/******/.ssh/id_ed25519':
Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
Verification code:
Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
Verification code:
Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
Verification code:
***@***.***.***.***: Permission denied (keyboard-interactive).
from the-bastion.
I just checked. pamtester
is install into my bastion.
from the-bastion.
There might be something wrong on the configuration of the google_authenticator PAM module on your centos machine. When there is something wrong in its config, it'll always deny authentication. Centos 8 is part of the OSes that are automatically tested on each release, including for MFA, so it should work if the configuration is ok and the proper packages are installed.
If there is the "debug" keyword on the google_authenticator pam module line in /etc/pam.d/sshd
file, you should get some diagnostic information in the system logs, that should give a hint about the problem.
from the-bastion.
There is no real equivalent of system logs in CentOs8 can you be more specific in which log it will be store.
the only line talking about google_authenticator is:
auth [success=ok new_authok_reqd=ok ignore=ignore default=bad module_unknow=ignore] pam_google_authenticator.so secret=~/.otp
I guess debug should be add here:
auth [success=ok new_authok_reqd=ok ignore=ignore default=bad module_unknow=ignore] pam_google_authenticator.so debug secret=~/.otp
from the-bastion.
Just booted a brand new CentOS 8 VM to be sure, and I can indeed get OTP to work by following the documentation (just wanted to be sure).
You are right, the "debug" keyword is to be added to the line you specified.
When you've done this, your PAM will log using your system's syslog, under the "debug" level. Here's what I get with mine:
Oct 31 22:01:54 c1bfbf5957bc sshd[2239]: Accepted key ED25519 SHA256:r0e/w4HzCzPArzE3bbqu3fSI7Sko29ODO7yjNFt08QY found at /home/joe/.ssh/authorized_keys2:1
Oct 31 22:01:54 c1bfbf5957bc sshd[2239]: Partial publickey for joe from 127.0.0.1 port 46634 ssh2: ED25519 SHA256:r0e/w4HzCzPArzE3bbqu3fSI7Sko29ODO7yjNFt08QY
Oct 31 22:01:54 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: start of google_authenticator for "joe"
Oct 31 22:01:54 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Oct 31 22:01:54 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: "/home/joe/.otp" read
Oct 31 22:01:54 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: shared secret in "/home/joe/.otp" processed
Oct 31 22:01:54 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: google_authenticator for host "127.0.0.1"
Oct 31 22:01:54 c1bfbf5957bc sshd[2239]: Postponed keyboard-interactive for joe from 127.0.0.1 port 46634 ssh2 [preauth]
Oct 31 22:02:08 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: no scratch code used from "/home/joe/.otp"
Oct 31 22:02:08 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: Accepted google_authenticator for joe
Oct 31 22:02:08 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: "/home/joe/.otp" written
Oct 31 22:02:08 c1bfbf5957bc sshd(pam_google_authenticator)[2242]: debug: end of google_authenticator for "joe". Result: Success
Oct 31 22:02:08 c1bfbf5957bc sshd[2239]: Postponed keyboard-interactive/pam for joe from 127.0.0.1 port 46634 ssh2 [preauth]
Oct 31 22:02:08 c1bfbf5957bc sshd[2239]: Accepted keyboard-interactive/pam for joe from 127.0.0.1 port 46634 ssh2
The location of the file will depend on your system's syslog configuration.
On my test system I've just put up, I installed syslog-ng, and added these 2 configuration lines to get all the logs into the same file:
destination d_all { file("/var/log/all.log"); };
log { source(s_sys); destination(d_all); };
(at the end of /etc/syslog-ng/syslog-ng.conf)
from the-bastion.
ok it's a permission issue.
from the-bastion.
Indeed, it seems your user can't write to its own home directory. I suppose you fixed it successfully?
from the-bastion.
Nope. I change folder permission other than 700 the TOTP check is refuse.
from the-bastion.
How can i be sure the pam process is running under my user?
from the-bastion.
How can i be sure the pam process is running under my user?
It's running under your user when pamtester
is called, which is what the bastion does:
Line 878 in b0eaf15
You can try it manually this way, running it directly on your centos machine under your user:
su - yourusername -s /bin/bash
pamtester sshd yourusername authenticate
from the-bastion.
You can try it manually this way, running it directly on your centos machine under your user:
su - yourusername -s /bin/bash
pamtester sshd yourusername authenticate
It worked.
So i checked my home user folder is 700 and my .opt is 600
from the-bastion.
Did change selinux on your centos8 VM?
from the-bastion.
I changed selinux to permissive and it worked.
from the-bastion.
Ah! Interesting.
This isn't catched during the tests because we use Docker to test on several distro flavors, so of course SELinux doesn't apply there.
We never stumbled upon that because we use Debian in production. Falling back to permissive
is not acceptable for a security asset, so I think we'll have to take some time to write a proper SELinux policy.
from the-bastion.
pam
, called by sshd
, needs to be able to write the otp files. The following policy seems to be sufficient with our tests:
cat >the-bastion.te <<EOF
module the-bastion 1.0;
require {
type var_t;
type sshd_t;
type user_home_t;
type user_home_dir_t;
class file { create getattr rename setattr unlink open read write };
}
# needed for user TOTP (~/.totp and ~/.totp~XXXXXX temporary file)
allow sshd_t user_home_dir_t:file { create getattr rename setattr unlink open read write };
allow sshd_t user_home_t:file unlink;
# needed for root TOTP (/var/otp/root and /var/otp/root~XXXXXX temporary file)
allow sshd_t var_t:file { create getattr rename setattr unlink open read write };
EOF
checkmodule -M -m -o the-bastion.mod the-bastion.te
semodule_package -o the-bastion.pp -m the-bastion.mod
semodule -i the-bastion.pp
from the-bastion.
Related Issues (20)
- Connection to the Bastion takes many seconds HOT 2
- SCP Failure - Error 255
- master can't sync with slave HOT 1
- Arista - Add ssh key on a switch with "from" pattern HOT 1
- An alternative method to log into bastion.
- Synchronization between master and slave HOT 6
- Use a global folder for ttyrec sessions HOT 1
- SFTP plugin instead of SCP on recent OpenSSH versions HOT 2
- Login with user@domain HOT 2
- Accepting [email protected] for ingress key HOT 1
- Upgrade errors: [ERR.] <x> doesn't seem to be a valid bastion group HOT 1
- User suffix for device/network HOT 3
- pam-u2f in code or a configuration to do ? HOT 3
- Error when installing with ttyrec HOT 4
- Disable MFA verification when using an SK
- Feature Request: `*-sk` keys supporting PIV-like policies HOT 1
- [Question] disable ttyrec for SCP HOT 8
- SCP freezes wthen downloading large files: HOT 4
- Support for OIDC auth method
- Feature Request: auto accept keys
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from the-bastion.