2FA SSH with key auth

cub1t

Dabbler
Joined
Dec 9, 2020
Messages
10
Am I correct in understanding that to enable 'Two-Factor Auth for SSH' you must enable password auth for root?!

This seems insane.

The docs say that you must do this:
System > 2FA > Enable Two-Factor Auth for SSH
Services > SSH > Set Log in as Root with Password

Can anyone confirm if this is mandatory and if so, recommend a solution for ssh auth that uses keys (wireguard/pam_google_authenticator)?
 

cub1t
After some research, I can see that TrueNAS is using the oath pam module.

I followed the instructions here and set up oath for su and tested the /etc/users.oath file that TrueNAS created:

Code:
root@SERVERNAME:~# nano /etc/pam.d/su
root@SERVERNAME:~# head -n 1 /etc/pam.d/su
auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20
root@SERVERNAME:~# su
[../../pam_oath/pam_oath.c:parse_cfg(118)] called.
[../../pam_oath/pam_oath.c:parse_cfg(119)] flags 0 argc 3
[../../pam_oath/pam_oath.c:parse_cfg(121)] argv[0]=debug
[../../pam_oath/pam_oath.c:parse_cfg(121)] argv[1]=usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(121)] argv[2]=window=20
[../../pam_oath/pam_oath.c:parse_cfg(122)] debug=1
[../../pam_oath/pam_oath.c:parse_cfg(123)] alwaysok=0
[../../pam_oath/pam_oath.c:parse_cfg(124)] try_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(125)] use_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(127)] digits=0
[../../pam_oath/pam_oath.c:parse_cfg(128)] window=20
[../../pam_oath/pam_oath.c:pam_sm_authenticate(165)] get user returned: root
[../../pam_oath/pam_oath.c:pam_sm_authenticate(175)] authenticate first pass rc -2 (OATH_INVALID_DIGITS: Unsupported number of OTP digits) last otp Thu Jan  1 01:02:56 1970

One-time password (OATH) for `root':
[../../pam_oath/pam_oath.c:pam_sm_authenticate(258)] conv returned: 713246
[../../pam_oath/pam_oath.c:pam_sm_authenticate(322)] OTP: 713246
[../../pam_oath/pam_oath.c:pam_sm_authenticate(330)] authenticate rc 0 (OATH_OK: Successful return) last otp Thu Jan  1 01:00:23 1970

[../../pam_oath/pam_oath.c:pam_sm_authenticate(353)] done. [Success]
root@SERVERNAME:~# exit
exit


I then reverted the config of /etc/pam.d/su

This confirms that my OATH setup is valid.

I set the following additional parameters to the SSH service in TrueNAS webui:
Code:
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive


And did the following to /etc/pam.d/sshd (as advised here):

Code:
# sed -i 's/^@include common-auth/#@include common-auth/' /etc/pam.d/sshd; systemctl restart sshd


Which finally prompts me to use 2FA with publickey auth:
Code:
users-MacBook-Pro:~ user$ ssh root@SERVERNAME
Enter passphrase for key '/Users/user/.ssh/id_rsa':
(root@SERVERNAME) One-time password (OATH) for `root':
(root@SERVERNAME) One-time password (OATH) for `root':
(root@SERVERNAME) One-time password (OATH) for `root':
root@SERVERNAME: Permission denied (keyboard-interactive).

However, even though I already proved that the oath pam module works correctly with my /etc/users.oath configuration, no matter how many times I supply a valid token for SSH it does not work!
 