Ask for a second factor (OTP) even if username is not valid #170
Comments
Do the logs imply that sshd calls PAM at all for nonexistent users? (I'm not sure)
I believe that is the behavior.
There is no “monkey” username...
Thanks so far.
Only added this line to PAM /etc/pam.d/sshd
Don't think my whole sshd config is relevant. All you need for password & OTP auth is:
Doesn't work for me
I have not tested this, but the nullok module option for pam_google_authenticator.so should be the reason.
I keep this issue "warm". I followed the Ubuntu guide on setting up TOTP 2FA SSH authentication: https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview Specifically I added the line
A correct login sequence then looks like:
And if either the TOTP and/or the password is wrong, both are re-prompted without giving hints towards which of them is incorrect. So far so good. However, if I try to log in with a user that does not exist on the system, then there is no "Verification code" prompt, just the password prompt. This can be exploited to extract information about the usernames on the system. Maybe not a very big deal, but nevertheless slightly annoying. Such a failed attempt looks like:
if the user Is it possible to configure google-authenticator such that it always prompts for a verification code, even if the username is absent or otherwise incorrectly configured (e.g. missing
Hi,
I am playing around with Debian 10, OpenSSH and Google Authenticator PAM module.
So far so good.
Almost everything works as expected.
I am using password and OTP.
PAM is configured to ask for OTP even if the password is not valid.
Now I found out SSHD is not going to ask for OTP if the username is not valid.
That is useful for intruders to guess usernames, but absolutely not what I want.
I thought it would be a good idea if the system behaves the same and asks for OTP, no matter if the password is valid or not.
Am I wrong?
Is there a way to ask for OTP even if the user is not valid?
Thanks for your answers.
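The enumeration problem described in this issue comes from the prompt sequence depending on account state: if the OTP module silently steps aside when it finds no secret file, an attacker who sees only a password prompt learns something about the name they tried. The following Python model is an added illustration, not code from this issue or from the google-authenticator-libpam project. It simulates a PAM auth stack with simplified Linux-PAM control semantics and records which prompts a login attempt produces. The account database, the passwords, the `VALID_CODE` stand-in for a TOTP check, and the assumption that pam_google_authenticator returns `PAM_IGNORE` (with `nullok`) or an error (without it) and does not prompt when no secret exists are all constructed for the example; `always_prompt_otp` is a hypothetical module, not an existing option, showing the property the reporter is asking for.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "success", "auth_err", "ignore"

# Constructed account database: who exists and who has enrolled an OTP secret.
ACCOUNTS = {
    "alice": {"password": "correct-horse", "otp_secret": "JBSWY3DPEHPK3PXP"},
    "bob": {"password": "battery-staple", "otp_secret": None},  # exists, not enrolled
}
VALID_CODE = "123456"  # constructed stand-in for a real TOTP verification


@dataclass
class Module:
    name: str
    control: str  # required | requisite | sufficient | optional
    run: Callable[[str, Dict[str, str], List[str]], str]


def pam_unix(user: str, creds: Dict[str, str], prompts: List[str]) -> str:
    # sshd substitutes a fake account for unknown names, so the password prompt
    # appears whether or not the user exists.
    prompts.append("Password:")
    acct = ACCOUNTS.get(user)
    return PAM_SUCCESS if acct and creds.get("password") == acct["password"] else PAM_AUTH_ERR


def google_authenticator(nullok: bool) -> Callable[[str, Dict[str, str], List[str]], str]:
    # Assumed behaviour when no secret file is found: with nullok the module
    # returns PAM_IGNORE, otherwise an error; in neither case does it prompt.
    def run(user: str, creds: Dict[str, str], prompts: List[str]) -> str:
        acct = ACCOUNTS.get(user)
        if not acct or not acct["otp_secret"]:
            return PAM_IGNORE if nullok else PAM_AUTH_ERR
        prompts.append("Verification code:")
        return PAM_SUCCESS if creds.get("code") == VALID_CODE else PAM_AUTH_ERR
    return run


def always_prompt_otp(user: str, creds: Dict[str, str], prompts: List[str]) -> str:
    # Hypothetical hardened variant: ask for the code first and decide afterwards,
    # so the prompt sequence never depends on account state.
    prompts.append("Verification code:")
    acct = ACCOUNTS.get(user)
    if not acct or not acct["otp_secret"]:
        return PAM_AUTH_ERR
    return PAM_SUCCESS if creds.get("code") == VALID_CODE else PAM_AUTH_ERR


def run_stack(stack: List[Module], user: str, creds: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Evaluate an auth stack with simplified Linux-PAM control-flag semantics.

    required: failure is remembered but later modules still run (so later
    prompts are still shown); requisite: failure stops the stack at once;
    sufficient: success ends the stack unless a required module already failed;
    optional: result ignored. PAM_IGNORE never counts toward the outcome.
    """
    prompts: List[str] = []
    failed_required = counted = False
    for mod in stack:
        rc = mod.run(user, creds, prompts)
        if rc == PAM_IGNORE or mod.control == "optional":
            continue
        if mod.control == "requisite" and rc != PAM_SUCCESS:
            return False, prompts
        if mod.control == "required":
            counted = True
            failed_required = failed_required or rc != PAM_SUCCESS
        if mod.control == "sufficient" and rc == PAM_SUCCESS and not failed_required:
            return True, prompts
    return counted and not failed_required, prompts


def prompt_sequence(stack: List[Module], user: str) -> List[str]:
    """The prompts an attacker observes when trying a name with junk credentials."""
    _, prompts = run_stack(stack, user, {"password": "x", "code": "000000"})
    return prompts


def leaks_existence(stack: List[Module], real_user: str = "alice", bogus_user: str = "mallory") -> bool:
    """True if a real and a nonexistent account produce different prompt sequences."""
    return prompt_sequence(stack, real_user) != prompt_sequence(stack, bogus_user)


# Stack order as in the Ubuntu guide: password first, then the OTP module.
GUIDE_STACK = [Module("pam_unix", "required", pam_unix),
               Module("pam_google_authenticator nullok", "required", google_authenticator(nullok=True))]
STRICT_STACK = [Module("pam_unix", "required", pam_unix),
                Module("pam_google_authenticator", "required", google_authenticator(nullok=False))]
HARDENED_STACK = [Module("pam_unix", "required", pam_unix),
                  Module("otp_always_prompt (hypothetical)", "required", always_prompt_otp)]

if __name__ == "__main__":
    for label, stack in [("guide", GUIDE_STACK), ("strict", STRICT_STACK), ("hardened", HARDENED_STACK)]:
        for user in ("alice", "bob", "mallory"):
            print(f"{label:9} {user:8} {prompt_sequence(stack, user)}")
        print(f"{label:9} leaks existence: {leaks_existence(stack)}")
```

Running it shows that both the `nullok` and the strict stack answer "mallory" with a lone password prompt while "alice" also gets a verification prompt, so both leak; only the variant that prompts unconditionally gives identical transcripts. It also shows the trade-off the thread touches on: with `nullok`, an enrolled-less but existing user such as "bob" logs in with the password alone, whereas without it that user is locked out.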