Setting up Google Authenticator for SSH

tgrcdev · December 15, 2023, 10:34pm

I’m trying to set up two factor authentication using Google Authenticator for SSH. In the NixOS options there is the security.pam.services.<name>.googleAuthenticator.enable option, which allegedly reads from ~/.google_authenticator. I’ve tried setting this up for sshd and openssh, but neither prompts 2FA during login. Enabling it for openssh links a file in /etc/static/pam.d/openssh which has

auth required /nix/store/6kk30d0jnad77520i4c08x5qmpvdraxw-google-authenticator-libpam-1.09/lib/security/pam_google_authenticator.so no_increment_hotp # google_authenticator (order 12500)

but this does not take effect, even after restarting sshd.service. Enabling it for sshd does not put the authenticator module in /etc/static/pam.d/sshd.

OpenSSH is defined in my configuration.nix as follows:

services.openssh = {
  enable = true;
  ports = [ 6229 ];
  settings = {
    PermitRootLogin = "no";
    AllowUsers = [ "tgrcdev" ];
    PasswordAuthentication = false;
  };
};

Sandro · December 16, 2023, 10:39pm

Did you check the log of the ssh server (journalctl -u sshd -e)? What does it tell? What do guides on the internet tell you to configure? Are there more steps that are missing?

tgrcdev · December 17, 2023, 7:13pm

These lines are printed upon SSH login (some information removed for brevity/privacy)

Dec 17 18:47:54 <host> sshd[517463]: Connection from <client ip> port 35240 on <server ip> port 6229 rdomain ""
Dec 17 18:47:56 <host> sshd[517463]: Accepted key <pubkey> found at /etc/ssh/authorized_keys.d/tgrcdev:2
Dec 17 18:47:56 <host> sshd[517463]: Postponed publickey for tgrcdev from <client ip> port 35240 ssh2 [preauth]
Dec 17 18:47:56 <host> sshd[517463]: Accepted key <pubkey> found at /etc/ssh/authorized_keys.d/tgrcdev:2
Dec 17 18:47:56 <host> sshd[517463]: Accepted publickey for tgrcdev from <client ip> port 35240 ssh2: <pubkey>
Dec 17 18:47:56 <host> sshd[517463]: pam_unix(sshd:session): session opened for user tgrcdev(uid=1000) by (uid=0)
Dec 17 18:47:56 <host> sshd[517463]: User child is on pid 517475

From what I can tell, it uses the /etc/static/pam.d/sshd config, which does not contain the google authenticator module.

The only thing I can find online is the related issue.
https://github.com/NixOS/nixpkgs/issues/115044

One workaround given is to add security.pam.services.sshd.unixAuth = lib.mkForce true. This enables the verification code, but also enables password authentication, which I do not want enabled. It also does not prompt for a code when a private key is provided.

My ideal setup is pubkey authentication, and a verification code if I’m signing in from outside of my house network, but I’m not sure how much of this is possible with Nix’s packages at this time.

tgrcdev · December 18, 2023, 9:02am

I found the lines that determine what ends up in the pam.d configuration files

github.com

NixOS/nixpkgs/blob/057f9aecfb71c4437d2b27d3323df7f93c010b7e/nixos/modules/security/pam.nix#L689-L739


      
          # Modules in this block require having the password set in PAM_AUTHTOK.
          # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
          # after it succeeds. Certain modules need to run after pam_unix
          # prompts the user for password so we run it once with 'optional' at an
          # earlier point and it will run again with 'sufficient' further down.
          # We use try_first_pass the second time to avoid prompting password twice.
          #
          # The same principle applies to systemd-homed
          (optionals ((cfg.unixAuth || config.services.homed.enable) &&
            (config.security.pam.enableEcryptfs
              || config.security.pam.enableFscrypt
              || cfg.pamMount
              || cfg.enableKwallet
              || cfg.enableGnomeKeyring
              || cfg.googleAuthenticator.enable
              || cfg.gnupg.enable
              || cfg.failDelay.enable
              || cfg.duoSecurity.enable
              || cfg.zfs))
            [

This file has been truncated. show original

The specific lines for googleAuthenticator lie here:

github.com

NixOS/nixpkgs/blob/057f9aecfb71c4437d2b27d3323df7f93c010b7e/nixos/modules/security/pam.nix#L735-L736


      
          { name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; settings = {
            no_increment_hotp = true;

This explains why cfg.unixAuth would enable the authenticator codes, but I don’t yet understand why cfg.googleAuthenticator.enable falls under this large if-statement.

When googleAuthenticator is enabled for both openssh and sshd, here are what the respective pam.d configs look like for openssh:

# /etc/static/pam.d/openssh

# Account management.
account required pam_unix.so # unix (order 10900)

# Authentication management.
auth optional pam_unix.so likeauth # unix-early (order 11600)
auth required /nix/store/6kk30d0jnad77520i4c08x5qmpvdraxw-google-authenticator-libpam-1.09/lib/security/pam_google_authenticator.so no_increment_hotp # google_authenticator (order 12500)
auth sufficient pam_unix.so likeauth try_first_pass # unix (order 12800)
auth required pam_deny.so # deny (order 13600)

# Password management.
password sufficient pam_unix.so nullok yescrypt # unix (order 10200)

# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required pam_unix.so # unix (order 10200)

and sshd:

# /etc/static/pam.d/sshd

# Account management.
account required pam_unix.so # unix (order 10900)

# Authentication management.
auth required pam_deny.so # deny (order 12400)

# Password management.
password sufficient pam_unix.so nullok yescrypt # unix (order 10200)

# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required pam_unix.so # unix (order 10200)
session required pam_loginuid.so # loginuid (order 10300)
session optional /nix/store/i0sdqs34r68if9s4sfmpixnnj36npiwj-systemd-254.6/lib/security/pam_systemd.so # systemd (order 12000)

So, for some reason, openssh has cfg.unixAuth = true, which allows it to insert the googleAuthenticator module in the pam.d file. Why this is, I have no idea, as that is not set in my configuration.nix. (EDIT: This is maybe because i have services.openssh.settings.PasswordAuthentication = false, but why would that put the module in openssh and not sshd?)

adrian-gierakowski · January 22, 2024, 4:38pm

have you managed to solve this?

tgrcdev · February 9, 2024, 9:06am

Sorry for not responding. I never solved this, instead I just accepted using SSH without two-factor. I don’t feel confident enough in my knowledge of PAM to submit a patch.

burningblue · February 28, 2024, 12:22pm

I got Google Authenticator to work for SSH. I did not try with SSH key. I’ll try that later.

#configuration.nix
     packages = with pkgs; [
       google-authenticator
     ];
    services = {
        openssh = {
          enable = true;
          settings ={
            PasswordAuthentication = true;
            PermitRootLogin = "no";
            KbdInteractiveAuthentication = true;
          };
        };
    };
  security.pam = {
    services.sshd.googleAuthenticator.enable = true;
  };