sshd + 2fa + ansible issue: how to exclude ansible user from 2fa ?

nickdsl

New Member
I want 2 factor authentication on my linux servers.
I use CentOS 7/8.

I set up 2FA using this article: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-centos-7
2FA works fine, but i need to manage my servers using ansible from special server in my private network.

I created user "ans_user" and put it into wheel group.
My management server has 10.10.10.10 ip address.

All i want:
- all servers in my infrastructure must accept connections from 10.10.10.10 for user ans_user using only ssh-key authentication
- all server in my infrastructure must accept connections from all other ip's and all users using ssh-key + only time passwords (2FA) (for example: google-authenticator)

I tried to solve my problem using:

Match User ans_user Address 10.10.10.10
AuthenticationMethods publickey
PasswordAuthentication no
PubkeyAuthentication yes

in my sshd_config file.

What i've got:
2FA not working, all users authenticate only ssh-keys.


Could you help me to solve my problem?
Is it possible?

Thank you.
 


nickdsl

New Member
I used this way:

set up additional sshd on the same host.

First sshd listen 22/tcp port and accept all users using ssh-key + google-authenticator (the most secure).
Second sshd listen 22522/tcp port and accept only [email protected] using ssh-key only.
I tested this configuration from several hosts (public and private), several users (with ssh-key and without). All works as a want.

But i think it's not the best way to solve my problem.
Two ssh daemons it's ugly solution :)

But i don't know how to solve my problem another way, yet.

If you have any ideas write here, please ;)


-----------
UPD 20200206.
Yeah! I did it!

My two key mistakes:
1) i have to pay more attention reading manuals :confused:
2) i thought like Python programmer when i read sshd_config file :eek::p

I set up my sshd using information from this article
Bash:
cat /etc/pam.d/sshd

#%PAM-1.0
#auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin
-session   optional     pam_reauthorize.so prepare
auth       required     pam_google_authenticator.so
MY OLD SSHD CONFIG:
Bash:
/etc/ssh/sshd_config

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin no

AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes

GSSAPIAuthentication no
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

PrintMotd no

UseDNS no

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Match User ans_user Address 10.10.10.10
        AuthenticationMethods publickey

Match User ans_user Address 127.0.0.1
        AuthenticationMethods publickey

Match Address *,!10.10.10.10,!127.0.0.1
        DenyUsers ans_user
        AuthenticationMethods publickey,keyboard-interactive

ClientAliveInterval 120
ClientAliveCountMax 2
AuthenticationMethods publickey,keyboard-interactive
Last 3 lines according the article step 3 i put at the bottom. I thought that it not related with last Match construction but i was wrong! (i thought like Python programmer).
If last Match return False then last three lines not applicable! (That small thing made me crazy o_O)

My working solution:
Bash:
cat /etc/ssh/sshd_config

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

PermitRootLogin no

AuthorizedKeysFile      .ssh/authorized_keys

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes

GSSAPIAuthentication no
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

PrintMotd no

UseDNS no

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server

ClientAliveInterval 120
ClientAliveCountMax 2
AuthenticationMethods publickey,keyboard-interactive

Match User ans_user Address 10.10.10.10
        AuthenticationMethods publickey

Match User ans_user Address 127.0.0.1
        AuthenticationMethods publickey

Match Address *,!10.10.10.10,!127.0.0.1
        DenyUsers ans_user
        AuthenticationMethods publickey,keyboard-interactive
All work as i want and without second ssh daemon! I happy :)

Thanks everyone. I hope it was interesting for someone.
 
Last edited:





Top