Ask for a second factor (OTP) even if username is not valid #170

Open
AloisHofstaetter opened this issue May 31, 2020 · 7 comments

@AloisHofstaetter

Hi,

I am playing around with Debian 10, OpenSSH and Google Authenticator PAM module.
So far so good.
Almost everything works as expected.
I am using password and OTP.
PAM is configured to ask for OTP even if the password is not valid.
Now I found out SSHD is not going to ask for OTP if the username is not valid.
That is useful for intruders, to guess usernames, but absolutely not what I want.

I thought it would be a good idea if the system behaves the same and asks for OTP, no matter if the password is valid or not.
Am I wrong?
Is there a way to ask for OTP even if the user is not valid?

Thanks for your answers.

@ThomasHabets
Collaborator

Do the logs imply that sshd calls PAM at all for nonexisting users?

(I'm not sure)

@davama

davama commented May 31, 2020

I believe that is the behavior.
At least that's what I get:


/usr/bin/ssh -l monkey -4 server
Password:
Your secret token: 816474
Password:
Your secret token: 19287443
Received disconnect from 10.X.x.x port 22:2: Too many authentication failures
Disconnected from 10.X.x.x port 22

There is no “monkey” username...

@AloisHofstaetter
Author

Thanks so far.
@davama would you please share your anonymized ssh_config and pam file with me.

@davama

davama commented Jun 2, 2020

Only added this line to pam /etc/pam.d/sshd

auth	   required	/usr/local/lib/security/pam_google_authenticator.so echo_verification_code [authtok_prompt=Your secret token: ]

Don't think my whole sshd config is relevant. All you need for password & OTP auth is:

ChallengeResponseAuthentication yes

@AloisHofstaetter
Author

Doesn't work for me

@uwedisch

uwedisch commented Apr 7, 2022

I have not tested this, but the nullok module option for pam_google_authenticator.so should be the reason.

@hakostra

I keep this issue "warm". I followed the Ubuntu guide on setting up TOTP 2FA SSH authentication: https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview

Specifically I added the line auth required pam_google_authenticator.so at the beginning of /etc/pam.d/sshd, in that way it will ask for the verification code before the regular password, and because the pam_google_authenticator.so is required and not requisite, it will always continue and prompt for password even if the verification code is incorrect. In this way you cannot brute-force or guess the password without the correct 2FA token.

A correct login sequence then looks like:

$ ssh validuser@hostname
Verification code: 
Password: 
Last login: Fri Oct 21 10:09:45 2022 from

And if either the TOTP and/or the password is wrong, both are re-prompted without giving hints towards which of them are incorrect. So far so good.

However, if I try to log in with a user that does not exist on the system, then there is no "Verification code" prompt, just the password prompt. This can be exploited to extract information about the usernames on the system. Maybe not a very big deal, but nevertheless slightly annoying. Such a failed attempt looks like:

$ ssh banana@hostname
Password: 
Password:

if the user banana does not exist.

Is it possible to configure google-authenticator such that it always prompts for a verification code, even if the username is absent or otherwise incorrectly configured (e.g. missing .google_authenticator file)? The login in this case should obviously always fail...
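The three configuration points raised in this thread (davama's ChallengeResponseAuthentication yes, uwedisch's untested suspicion about nullok, and hakostra's placement of the pam_google_authenticator.so rule first with required rather than requisite) can be checked mechanically. The following POSIX shell linter is an added example for this page; it is not code from the issue or from the google-authenticator-libpam project. The sample /etc/pam.d/sshd and sshd_config fragments are constructed inline, and the function names and the temp-directory layout are my own. It does not change what sshd does for a nonexistent user, which the thread leaves unresolved; it only flags the settings the participants point at.

```shell
#!/bin/sh
# Added example, not from the issue or the google-authenticator-libpam project.
# Lints an /etc/pam.d/sshd auth stack and an sshd_config fragment for the settings
# discussed in the thread. Sample inputs are constructed, not taken from any host.

# Write constructed sample files into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    # "strict": OTP rule first, 'required', no nullok (hakostra's layout)
    cat > "$dir/pam_strict" <<'EOF'
# PAM configuration for the Secure Shell service (constructed sample)
auth required pam_google_authenticator.so
@include common-auth
EOF
    # "weak": OTP rule after the password stack, 'requisite', and nullok
    cat > "$dir/pam_weak" <<'EOF'
@include common-auth
auth requisite pam_google_authenticator.so nullok
EOF
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample
UsePAM yes
ChallengeResponseAuthentication yes
EOF
    printf '%s\n' "$dir"
}

# Print one line per finding; return 1 if anything was flagged, 0 if clean.
lint_pam_stack() {
    file=$1
    rc=0
    # Keep only what shapes the 'auth' stack: explicit auth rules and @include
    # directives (which pull in further auth rules, e.g. pam_unix via common-auth).
    stack=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" \
            | grep -E '^[[:space:]]*(auth[[:space:]]|@include[[:space:]])') || true
    ga=$(printf '%s\n' "$stack" | grep -n 'pam_google_authenticator' | head -n 1)
    if [ -z "$ga" ]; then
        echo "$file: no pam_google_authenticator.so auth rule"
        return 1
    fi
    pos=${ga%%:*}        # position of the OTP rule within the auth stack
    rule=${ga#*:}        # the rule text itself
    if [ "$pos" -ne 1 ]; then
        echo "$file: OTP rule is auth entry $pos, not the first; a password prompt precedes the code prompt"
        rc=1
    fi
    control=$(printf '%s\n' "$rule" | awk '{ print $2 }')
    if [ "$control" != "required" ]; then
        echo "$file: control is '$control', expected 'required' so a bad code still leads to the password prompt"
        rc=1
    fi
    case " $rule " in
        *" nullok "*)
            echo "$file: nullok set; users without ~/.google_authenticator get no code prompt"
            rc=1 ;;
    esac
    return $rc
}

# Check that sshd will actually run the PAM stack interactively.
lint_sshd_config() {
    file=$1
    rc=0
    # Accept either spelling: OpenSSH 8.7 renamed ChallengeResponseAuthentication
    # to KbdInteractiveAuthentication and kept the old name as an alias.
    if ! grep -Eiq '^[[:space:]]*(ChallengeResponse|KbdInteractive)Authentication[[:space:]]+yes' "$file"; then
        echo "$file: keyboard-interactive auth is not enabled; sshd never shows the OTP prompt"
        rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$file"; then
        echo "$file: UsePAM yes is missing; the PAM stack is not consulted at all"
        rc=1
    fi
    return $rc
}

# Usage: sh lint_2fa.sh demo   (runs the linter over the constructed samples)
if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    for f in "$d/pam_strict" "$d/pam_weak"; do
        lint_pam_stack "$f" && echo "$f: ok"
    done
    lint_sshd_config "$d/sshd_config" && echo "$d/sshd_config: ok"
    rm -rf "$d"
fi
```

The ordering check encodes hakostra's layout (code prompt before password prompt); davama's layout, which prompts for the password first, would be flagged by it, so drop that check if you prefer davama's order. The nullok check is a caveat rather than a confirmed cause: uwedisch states the suspicion without having tested it.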

5 participants