Hello all,

So I've been reading up on configuring a CentOS 7 machine for 2-factor authentication for SSH, using pam_oath and the FreeOTP phone app, plus local usernames/passwords for the two factors. I've read various online articles, and all seem to follow the basic instructions listed in the following articles:

https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/

Before I do this on my main CentOS machine, I spun up a VirtualBox VM for testing, and did a minimum CentOS 7 install. I followed the instructions, and I get prompted for "One-time password (OATH)" credentials, but I noticed that I can input any alphanumeric string that's 6 characters or fewer for the OATH password, and it will then prompt me for my local username/password. And as long as I enter the local password correctly, I'm granted shell access.

Here are the steps I followed after the initial minimal CentOS 7 install (CentOS Linux release 7.7.1908 (Core)):

1) Install packages:
---
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
---

2) Edit /etc/pam.d/sshd, and add the following line as the first non-commented line:
---
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
---

So the first few lines of /etc/pam.d/sshd look like this before:
---
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
---

And after:
---
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
---

3) Generate keys for my local account:
---
gen-oath-safe jdoe hotp
---

4) Add the key to the FreeOTP app on the phone via QR code.

5) Add the hex code to /etc/liboath/users.oath:
---
HOTP jdoe - REDACTED
---

6) Edit the /etc/ssh/sshd_config file and make sure the following settings are in place:
---
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
---

7) Set SELinux permissions on /etc/liboath:
---
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
---

8) Restart SSH:
---
systemctl restart sshd
---

So when I SSH into this host, and enter any string of 6 characters or fewer, I'm let through to log in with the local password:
---
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from 192.168.1.240
[jdoe@pkcentos7 ~]
---

If I enter a string of 7 characters or more for the OATH password, the following occurs:
---
login as: jdoe
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
One-time password (OATH) for `jdoe':
---

I've looked through various other articles returned from Google searches, and I don't clearly see a step or setting I'm missing. Any help on this would be greatly appreciated. Thanks in advance, and if any additional information is needed, please let me know.

Paul
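The behaviour described in the post follows from PAM's control-flag semantics rather than from anything OATH-specific: a module marked `sufficient` that fails is simply skipped, and the stack walks on to the password check. The following is an added example, not code from the post or from Linux-PAM: a small Python model of how libpam walks an `auth` stack under `required`, `requisite`, `sufficient` and `optional`, run over the /etc/pam.d/sshd stack the post ends up with and over a hardened variant. The `substack password-auth` line is modelled as one `required` module whose verdict is the local password check (an assumption that holds for the stock CentOS 7 password-auth file, where pam_unix is the only module that can succeed), and pam_sepermit is treated as passing since it only acts on users listed in sepermit.conf.

```python
"""Model of Linux-PAM auth-stack evaluation (added example, not PAM's code)."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


def evaluate_stack(stack, verdicts):
    """Return what sshd sees after walking `stack` (a list of (flag, module)
    pairs in file order), where verdicts[module] is that module's own result."""
    pending_failure = None            # set by the first failing `required` module
    for flag, module in stack:
        ok = verdicts[module]
        if flag == "requisite" and not ok:
            return PAM_AUTH_ERR       # stop at once; later modules never run
        if flag == "required" and not ok:
            pending_failure = PAM_AUTH_ERR   # remember it, but keep walking
        if flag == "sufficient" and ok and pending_failure is None:
            return PAM_SUCCESS        # short-circuit: the rest of the stack is skipped
        # a failed `sufficient`, an `optional`, or a passing required/requisite:
        # nothing to record, carry on to the next line
    return pending_failure or PAM_SUCCESS


# The stack from step 2 of the post.
POSTED_STACK = [
    ("sufficient", "pam_oath.so"),
    ("required", "pam_sepermit.so"),
    ("required", "password-auth"),    # the substack, modelled as one module (assumption)
]

# Same stack with the OTP made mandatory.  `required` still asks for the
# password after a bad OTP, so a caller cannot tell which factor failed;
# `requisite` would fail fast right after the OTP prompt instead.
HARDENED_STACK = [
    ("required", "pam_oath.so"),
    ("required", "pam_sepermit.so"),
    ("required", "password-auth"),
]


def login_result(stack, otp_ok, password_ok):
    """Outcome of one SSH login attempt, given whether the OTP and the local
    password were correct.  pam_sepermit is treated as passing (it only
    restricts users listed in /etc/security/sepermit.conf)."""
    verdicts = {
        "pam_oath.so": otp_ok,
        "pam_sepermit.so": True,
        "password-auth": password_ok,
    }
    return evaluate_stack(stack, verdicts)


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("hardened", HARDENED_STACK)):
        for otp_ok in (False, True):
            for password_ok in (False, True):
                print(f"{name:8} otp_ok={otp_ok!s:5} password_ok={password_ok!s:5} -> "
                      f"{login_result(stack, otp_ok, password_ok)}")
```

Running the table shows two things about the posted stack: a wrong OTP plus the right password succeeds (what the post observes), and a right OTP alone also succeeds because `sufficient` returns before password-auth is ever consulted, so the login is single-factor in both directions. Changing the pam_oath line to `required` (or `requisite`) is what makes both factors mandatory. The "Access denied" seen for inputs of 7 or more characters is consistent with pam_oath treating an over-long entry as password followed by OTP and passing the prefix on as the authentication token for pam_unix, which then fails without prompting; that reading of pam_oath's behaviour is from memory of its source and should be checked against the version installed.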
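Steps 3 to 5 set up an HOTP secret that pam_oath checks with `window=10 digits=6`. As an added example that is not the post's or pam_oath's code, here is RFC 4226 HOTP generation plus a window-limited, replay-safe verifier over a constructed users.oath line. The secret is the RFC 4226 test-vector key, the jdoe line is made up, and the trailing counter field and the inclusive `start..start+window` search bound are assumptions about how pam_oath's usersfile and liboath's validation behave; the first four fields match the layout shown in the post.

```python
"""RFC 4226 HOTP and a pam_oath-style window verifier (added example)."""

import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1, dynamic truncation, `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed users.oath content.  Fields: type, user, PIN ('-' for none), hex
# secret, then the next counter to accept (assumed to be what pam_oath
# appends after a successful login).  The secret is the RFC 4226 test key.
USERS_OATH = "HOTP jdoe - 3132333435363738393031323334353637383930 5\n"


def parse_users_oath(text: str) -> dict:
    """Parse users.oath lines into {user: {type, pin, secret, counter}}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        otp_type, user, pin, secret_hex = fields[:4]
        entries[user] = {
            "type": otp_type,
            "pin": None if pin == "-" else pin,
            "secret": bytes.fromhex(secret_hex),
            "counter": int(fields[4]) if len(fields) > 4 else 0,
        }
    return entries


def verify_hotp(entries: dict, user: str, otp: str, window: int = 10, digits: int = 6):
    """Return the updated counter on success, or None on failure.

    Only counters from the stored one up to stored+window are tried, and a
    matching counter is consumed, so an accepted OTP cannot be replayed and
    anything that is not exactly `digits` decimal digits is rejected outright.
    """
    entry = entries.get(user)
    if entry is None or entry["type"] != "HOTP":
        return None
    if len(otp) != digits or not otp.isdigit():
        return None
    start = entry["counter"]
    for counter in range(start, start + window + 1):
        if hmac.compare_digest(hotp(entry["secret"], counter, digits), otp):
            entry["counter"] = counter + 1
            return entry["counter"]
    return None


if __name__ == "__main__":
    db = parse_users_oath(USERS_OATH)
    print("next OTPs for jdoe:", [hotp(db["jdoe"]["secret"], c) for c in range(5, 8)])
    print("accept 254676:", verify_hotp(db, "jdoe", "254676"))
    print("replay 254676:", verify_hotp(db, "jdoe", "254676"))
    print("junk 'abc':   ", verify_hotp(db, "jdoe", "abc"))
```

The junk-input case is the one from the post: a short alphanumeric string never verifies as an OTP, so the shell access observed there is not pam_oath accepting it but the PAM stack continuing past a failed `sufficient` module to the password check. Note also that the real users.oath is rewritten by pam_oath on every successful login, which is why the file (and its SELinux label) must be writable by sshd.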