Hello!
I have privacyIDEA set up and working well. Our linux host accepts SSH keys or passwords, plus it prompts for our MFA token via privacyIDEA.
When we log in with an ssh key, we are prompted for the MFA token. This is good.
When we log in (without an ssh key), we are prompted for our password, then MFA token. For example:
ssh target-host
my-user@target-host's password: PASSWORD_HERE
Authenticated with partial success.
MFA_Passcode: MFA_CODE_HERE
This is great!
If you mistype your MFA code, then authentication fails (it prompts again, a couple of times, before terminating the session). This is good too!
We noticed, accidentally, that if the user types their password in the MFA prompt field, the authentication succeeds! (uhhhh, it shouldn’t because that is only one factor authentication) For example:
ssh target-host
my-user@target-host's password: PASSWORD_HERE
Authenticated with partial success.
MFA_Passcode: PASSWORD_HERE__(AGAIN)__
Seemingly, something is amiss with my PAM configuration. The non-comment lines of /etc/pam.d/sshd are:
auth sufficient pam_python.so /usr/lib/python2.7/site-packages/privacyidea_pam-2.11.dev0-py2.7.egg/privacyidea_pam.py url=https://pimfa/mfa/ nosslverify prompt=MFA_Passcode debug
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
And also there is a comment block with some explanation:
privacyidea is SUFFICIENT because we only use this stack in keyboard-interactive authentication,
and sshd_config is set up to require two factors: 1) SSH-KEY or PASSWORD and then 2) MFA code via keyboard-interactive
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
where: publickey == sshkey based auth
where: password == prompt user for their AD password
where: keyboard-interactive == prompt user for their MFA passcode
Can you point me in the right direction so that the MFA passcode prompt accepts only the MFA value (and not the user’s password)?
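The behaviour in the post can be reproduced with a small model of how Linux-PAM walks an auth stack under the control flags described in pam.conf(5). This is an added illustration, not code from the original post, privacyIDEA or Linux-PAM: the `sshd` auth lines are the ones posted, the contents of the `password-auth` substack are an assumed typical layout rather than the poster's real file, and the variant with a `required` `pam_deny.so` line after privacyIDEA is a hypothetical hardening used to show the contrast.

```python
"""Toy model of how Linux-PAM walks an 'auth' stack, following the control-flag
rules in pam.conf(5). Constructed illustration only: it is not Linux-PAM or
privacyIDEA code, and the password-auth substack contents are an assumed
typical layout, not the poster's real file."""

from typing import Dict, List, Tuple

# (control, module); a 'substack' entry names another stack in SUBSTACKS.
Stack = List[Tuple[str, str]]

# The auth lines of /etc/pam.d/sshd as posted: privacyIDEA 'sufficient',
# then the password-auth substack.
SSHD_AS_POSTED: Stack = [
    ("sufficient", "privacyidea_pam"),
    ("substack", "password-auth"),
]

# Hypothetical hardened variant: a 'required' pam_deny right after the
# privacyIDEA line, so a failed passcode cannot be rescued by later modules.
SSHD_WITH_DENY: Stack = [
    ("sufficient", "privacyidea_pam"),
    ("required", "pam_deny"),
    ("substack", "password-auth"),
]

# Assumed contents of /etc/pam.d/password-auth (distro-specific in reality).
# pam_unix with try_first_pass reuses whatever token was already collected,
# i.e. the string typed at the MFA_Passcode prompt.
SUBSTACKS: Dict[str, Stack] = {
    "password-auth": [
        ("required", "pam_env"),
        ("sufficient", "pam_unix"),
        ("required", "pam_deny"),
    ],
}


def _walk(stack: Stack, results: Dict[str, bool], state: dict) -> bool:
    """Evaluate one stack in place. Returns False if a 'done' or 'die'
    action ended the walk early (sufficient success or requisite failure)."""
    for control, module in stack:
        if control == "substack":
            # done/die inside a substack only skips the rest of that substack,
            # so the parent stack keeps going regardless of the early exit.
            _walk(SUBSTACKS[module], results, state)
            continue
        ok = results.get(module, False)  # an unknown module counts as a failure
        if control in ("required", "requisite"):
            if ok:
                if state["impression"] is None:
                    state["impression"] = "pos"
            else:
                state["impression"] = "neg"
                if control == "requisite":
                    return False  # die
        elif control == "sufficient":
            # Only decisive when no earlier required module has failed.
            if ok and state["impression"] != "neg":
                state["impression"] = "pos"
                return False  # done
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return True


def authenticate(stack: Stack, results: Dict[str, bool]) -> bool:
    """True if the stack as a whole returns PAM_SUCCESS."""
    state = {"impression": None}
    _walk(stack, results, state)
    return state["impression"] == "pos"


def attempt(stack: Stack, passcode_valid: bool, password_valid: bool) -> bool:
    """One keyboard-interactive attempt. 'passcode_valid' is whether the string
    typed at MFA_Passcode is a good OTP; 'password_valid' is whether that same
    string happens to be the account password (what pam_unix then checks)."""
    results = {
        "privacyidea_pam": passcode_valid,
        "pam_unix": password_valid,
        "pam_env": True,    # always succeeds
        "pam_deny": False,  # always fails
    }
    return authenticate(stack, results)


if __name__ == "__main__":
    for name, stack in (("as posted", SSHD_AS_POSTED), ("with pam_deny", SSHD_WITH_DENY)):
        print(name)
        print("  good OTP at MFA prompt    ->", attempt(stack, True, False))
        print("  password at MFA prompt    ->", attempt(stack, False, True))
        print("  random junk at MFA prompt ->", attempt(stack, False, False))
```

In the posted layout a failed `sufficient` module is simply skipped, so the string typed at the MFA prompt falls through into the `password-auth` substack, where `pam_unix` (via `try_first_pass`) accepts it if it is the account password; a `required` deny line between the two closes that path in the model. One caveat: with `UsePAM yes`, sshd runs this same `sshd` PAM service for the `password` method in the posted `AuthenticationMethods` line, so any gate added here also applies to that method and the final configuration has to keep both methods working.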