LinuxQuestions.org

Linux - Security: SSH + PAM + two-factor authentication (https://www.linuxquestions.org/questions/linux-security-4/ssh-pam-two-factor-authentication-733433/)

tdnnash25 06-16-2009 03:41 PM

SSH + PAM + two-factor authentication
 
I have SSH being two-factored at the moment using PAM Radius.

So, at the moment, if someone SSH's to my server, they'll be asked for a username and password (as usual). Upon successfully entering the correct credentials, they will receive a phone call (the two factor part) and will have to input a PIN for verification. After they put the PIN in the phone and press #, they get authenticated and are now on the server via SSH. All of this works great.

My server receives many unsuccessful login attempts every day from random IP addresses overseas. To prevent anyone from ever being able to login via SSH I put my two-factor in place. Now the thing is, I personally don't want two-factored every time I attempt to ssh to my own server.

This is what I want to accomplish:

If I SSH to my server from an IP address that I've never SSH'ed from before, I want it to accept my username and password, then two-factor me. After this, I want the IP address I connected from to be whitelisted so that I do not get two-factored any longer. So this would effectively accomplish the prevention of someone hacking into my server via SSH (because they don't have my phone, nor know my PIN), while at the same time give me the convenience of not having to be two-factored from my house, or work, or wherever I am all the time. I only want two factored 1 time per IP address, then have that IP address in a whitelist of some fashion.

So, any tips you could give me on whitelisting or helping me brainstorm some ideas for this would be greatly appreciated.

acid_kewpie 06-16-2009 05:01 PM

Well if you use a separate account for each function then you could fairly easily rig something up. If you watch the contents of /var/log/secure, using a standard cron job or tail, (or one of those other more specific tools I can't remember the name of right now) to watch for your "two factor" account logging in from a certain address. This address can then be stuck into your access.conf file along with your personal user account to allow that account to log in from that IP, above a default deny for that user.

Alternatively I think the pam_listfile module might allow you to reference a list of IP addresses and be restricted to your user account, letting you add that into your system-auth stack (or whatever config you use within pam) as a Sufficient (i think) option above the rest. That would probably give you an easier way to only use a single account too.
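
The log-watching half of the idea above, written out as an added example (this is not code from the thread or from any poster): a script that scans sshd's "Accepted" lines in /var/log/secure for one account and adds the source address to a one-address-per-line whitelist file. The account name `twofactor`, the log lines and the whitelist location are constructed or assumed; only successful logins count, so the scanners that fill the log with failures never earn an entry.

```python
import ipaddress
import os
import re
import tempfile

# sshd's success message as it appears in /var/log/secure; .search() skips
# the syslog timestamp/host prefix.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed log lines (RFC 5737 documentation addresses), not a real capture.
SAMPLE_SECURE_LOG = """\
Jun 17 15:02:11 host sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51322 ssh2
Jun 17 15:03:40 host sshd[2210]: Accepted password for twofactor from 192.0.2.10 port 40112 ssh2
Jun 17 15:04:02 host sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 40200 ssh2
Jun 17 15:05:55 host sshd[2222]: Accepted password for twofactor from 192.0.2.10 port 40118 ssh2
Jun 17 15:06:30 host sshd[2230]: Failed password for twofactor from 203.0.113.9 port 51340 ssh2
"""


def new_trusted_hosts(log_text, account):
    """Source addresses of successful logins for `account`, in first-seen order.

    Only 'Accepted' lines are considered, so failed attempts from an
    address never earn it a whitelist entry.
    """
    seen = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != account:
            continue
        try:
            # Validate before anything reaches a file that PAM will trust.
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue
        if ip not in seen:
            seen.append(ip)
    return seen


def update_whitelist(path, ips):
    """Add addresses missing from the one-per-line list; return the new ones.

    The file is rewritten through a temp file plus os.replace so PAM never
    reads a half-written list, and it is kept non-world-writable, which
    pam_listfile requires.
    """
    existing = set()
    if os.path.exists(path):
        with open(path) as f:
            existing = {line.strip() for line in f if line.strip()}
    added = [ip for ip in ips if ip not in existing]
    if not added:
        return []
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        for ip in sorted(existing | set(added)):
            f.write(ip + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return added


def demo():
    """Run the scan twice against a scratch whitelist; the second pass adds nothing."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "trusted_rhosts")  # assumed listfile location
    ips = new_trusted_hosts(SAMPLE_SECURE_LOG, "twofactor")
    first = update_whitelist(path, ips)
    second = update_whitelist(path, ips)
    with open(path) as f:
        contents = f.read()
    return first, second, contents


if __name__ == "__main__":
    print(demo())
```

Run from cron against the real log, the only change needed is the path of the list file and the account name; the address validation step is what keeps a malformed log line from ever landing in a file PAM reads with onerr=fail.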

akiku 06-17-2009 06:51 AM

I am in the process of implementing two-factor authentication, but using a low cost USB key. You may want to check this out at http://code.google.com/p/yubico-pam/...eyAndSSHViaPAM

You can find out more about the USB key here

tdnnash25 06-17-2009 10:52 AM

Confused
 
What my brain is being challenged by is this:

When you SSH to a server, you are presented with the screen to login. You type your username and password and are either logged in, or not logged in.

In the scenario that I'm trying to accomplish - users are always going to have to type a username and password (of course, that's a given). But, I want the users who have never connected from their IP address to be two-factored. They are obviously going to have to type the correct username and password to even get that far.

So, is it possible to say "okay, you typed the correct username and password, and since you haven't connected from your IP before, I now am going to pass you to my two-factor authentication method prior to you logging in completely"? Likewise ... "okay, you typed the correct username and password, and since you have connected from this IP before, you are now completely signed in to the shell".

My brain is being challenged by this, b/c the default behavior from what I understand (without two-factor), is that the username/password is checked in /etc/shadow and if correct you are signed in.

What needs to be done to see they typed the successful username/password and instead of just logging them straight in, passing something to the two-factor authentication method before logging them in?

I hope my rambling makes sense.

tdnnash25 06-17-2009 11:02 AM

Quote:

Originally Posted by tdnnash25 (Post 3577249)
What my brain is being challenged by is this:

When you SSH to a server, you are presented with the screen to login. You type your username and password and are either logged in, or not logged in.

In the scenario that I'm trying to accomplish - users are always going to have to type a username and password (of course, that's a given). But, I want the users who have never connected from their IP address to be two-factored. They are obviously going to have to type the correct username and password to even get that far.

So, is it possible to say "okay, you typed the correct username and password, and since you haven't connected from your IP before, I now am going to pass you to my two-factor authentication method prior to you logging in completely"? Likewise ... "okay, you typed the correct username and password, and since you have connected from this IP before, you are now completely signed in to the shell".

My brain is being challenged by this, b/c the default behavior from what I understand (without two-factor), is that the username/password is checked in /etc/shadow and if correct you are signed in.

What needs to be done to see they typed the successful username/password and instead of just logging them straight in, passing something to the two-factor authentication method before logging them in?

I hope my rambling makes sense.


To add on to my rambling or maybe just simplify what I'm trying to accomplish.
1) verify username and password
2) if on whitelist, don't two-factor
3) if not on whitelist, do two-factor

acid_kewpie 06-17-2009 11:04 AM

The more I've thought about it, the more I think the listfile solution would suit you really well.

tdnnash25 06-17-2009 11:23 AM

Quote:

Originally Posted by acid_kewpie (Post 3577265)
The more I've thought about it, the more I think the listfile solution would suit you really well.

I am looking into this. I found this page which gives a good explanation and example: http://www.cyberciti.biz/tips/howto-...oup-login.html

If you look at the example, item=group, can you set item=IP? Then have the arbitrary file list IP addresses?

tdnnash25 06-17-2009 11:27 AM

Quote:

Originally Posted by tdnnash25 (Post 3577283)
I am looking into this. I found this page which gives a good explanation and example: http://www.cyberciti.biz/tips/howto-...oup-login.html

If you look at the example, item=group, can you set item=IP? Then have the arbitrary file list IP addresses?

Found this:

item=[tty|user|rhost|ruser|group|shell]

What is listed in the file and should be checked for

From: http://www.kernel.org/pub/linux/libs..._listfile.html

So, according to pam_listfile you can't use item=IP ... so how could I whitelist? Unless rhost is IP ?

acid_kewpie 06-17-2009 01:24 PM

That's what the rhost option is for, as I read the docs.

tdnnash25 06-17-2009 01:35 PM

Quote:

Originally Posted by acid_kewpie (Post 3577429)
That's what the rhost option is for, as I read the docs.

Thanks. I'll give it a try and update here. Not sure I can test today. But, I will let you guys know soon in case anyone else comes across this.

tdnnash25 06-17-2009 03:11 PM

Quote:

Originally Posted by tdnnash25 (Post 3577438)
Thanks. I'll give it a try and update here. Not sure I can test today. But, I will let you guys know soon in case anyone else comes across this.

pam_listfile with item=rhost does work if you add IP addresses / hostnames

Now I just need to figure out how to two-factor IP addresses that aren't in my file, and not two-factor IP addresses that are ... sigh

acid_kewpie 06-17-2009 03:41 PM

well if you put the listfile entry between the password module and the two factor module then you can end the authentication between the two if it passes.

tdnnash25 06-17-2009 10:53 PM

Quote:

Originally Posted by acid_kewpie (Post 3577563)
well if you put the listfile entry between the password module and the two factor module then you can end the authentication between the two if it passes.

My next question was going to be ...

in /etc/pam.d/ssh if I have a couple auth_required's ... does it process each of them? And, in order? I was thinking I could put the listfile in front of the two-factor, and was hoping it'd process the listfile first then the two factor.
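
The ordering acid_kewpie describes (password module, then pam_listfile as a sufficient entry, then the two-factor module) and the question of whether PAM walks the auth entries in order, as an added example that is not from the thread or any poster: a small Python model of Linux-PAM's required/requisite/sufficient dispatch, run over a constructed /etc/pam.d-style fragment. The listfile path, the password and whitelist data, and the use of pam_radius_auth.so as the stand-in for the phone-call step are assumptions.

```python
# Constructed PAM fragment in the order suggested above: password check,
# rhost whitelist as 'sufficient', then the two-factor module.
# Listfile path and module names are assumptions.
PAM_AUTH_STACK = """
auth    required    pam_unix.so
auth    sufficient  pam_listfile.so item=rhost sense=allow file=/etc/ssh/trusted_rhosts onerr=fail
auth    required    pam_radius_auth.so
"""

# Same modules with the whitelist placed last: the two-factor module runs
# before the stack ever reaches pam_listfile, so the whitelist saves nothing.
WRONG_ORDER_STACK = """
auth    required    pam_unix.so
auth    required    pam_radius_auth.so
auth    sufficient  pam_listfile.so item=rhost sense=allow file=/etc/ssh/trusted_rhosts onerr=fail
"""

# Constructed stand-ins for /etc/shadow and for the contents of the listfile.
PASSWORDS = {"tdnnash25": "correct-horse"}
TRUSTED_RHOSTS = {"192.0.2.10", "198.51.100.7"}


def parse_stack(text):
    """Turn 'type control module arg=val ...' lines into tuples, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        opts = dict(a.split("=", 1) if "=" in a else (a, "") for a in args)
        entries.append((mtype, control, module, opts))
    return entries


def run_module(module, opts, user, password, rhost, pin_ok, trace):
    """Stub behaviour for the three modules; records which ones actually ran."""
    trace.append(module)
    if module == "pam_unix.so":
        return PASSWORDS.get(user) == password
    if module == "pam_listfile.so":
        listed = rhost in TRUSTED_RHOSTS
        return listed if opts.get("sense") == "allow" else not listed
    if module == "pam_radius_auth.so":
        return pin_ok  # whether the PIN typed into the phone was right
    raise ValueError(f"no stub for {module}")


def authenticate(stack, user, password, rhost, pin_ok=True):
    """Simplified Linux-PAM dispatch for an auth stack, top to bottom.

    required   : failure is remembered, but the remaining modules still run
    requisite  : failure ends the stack immediately
    sufficient : success ends the stack with success, unless a prior
                 required module has already failed
    Returns (granted, modules_that_ran).
    """
    trace = []
    failed = False
    for mtype, control, module, opts in parse_stack(stack):
        if mtype != "auth":
            continue
        ok = run_module(module, opts, user, password, rhost, pin_ok, trace)
        if control == "required" and not ok:
            failed = True
        elif control == "requisite" and not ok:
            return False, trace
        elif control == "sufficient" and ok and not failed:
            return True, trace
    return not failed, trace


if __name__ == "__main__":
    print(authenticate(PAM_AUTH_STACK, "tdnnash25", "correct-horse", "192.0.2.10"))
    print(authenticate(PAM_AUTH_STACK, "tdnnash25", "correct-horse", "203.0.113.9"))
```

Two properties of the model are the ones worth confirming on the real file after editing it: a sufficient whitelist match only short-circuits when no earlier required module failed, so a wrong password from a whitelisted address still fails and still reaches the two-factor module rather than being accepted on the strength of the IP alone; and an entry placed after the two-factor line never skips the phone call, because the stack is processed in file order.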

tdnnash25 06-17-2009 11:23 PM

Quote:

Originally Posted by acid_kewpie (Post 3577563)
well if you put the listfile entry between the password module and the two factor module then you can end the authentication between the two if it passes.

Not sure I follow what you mean. In my /etc/pam.d/ssh file, under the SSH section, all I have right now is the listfile module

acid_kewpie 06-18-2009 12:57 AM

show us your pam config that is calling to the two-factor mobile phone thingy... presumably your password entry is done completely as normal and then a later module does this extra bit?


All times are GMT -5.