After some research, I can see that TrueNAS is using the oath pam module.
I followed the instructions here and set up oath for su, and tested the /etc/users.oath file that TrueNAS created:
Code:
root@SERVERNAME:~# nano /etc/pam.d/su
root@SERVERNAME:~# head -n 1 /etc/pam.d/su
auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20
root@SERVERNAME:~# su
[../../pam_oath/pam_oath.c:parse_cfg(118)] called.
[../../pam_oath/pam_oath.c:parse_cfg(119)] flags 0 argc 3
[../../pam_oath/pam_oath.c:parse_cfg(121)] argv[0]=debug
[../../pam_oath/pam_oath.c:parse_cfg(121)] argv[1]=usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(121)] argv[2]=window=20
[../../pam_oath/pam_oath.c:parse_cfg(122)] debug=1
[../../pam_oath/pam_oath.c:parse_cfg(123)] alwaysok=0
[../../pam_oath/pam_oath.c:parse_cfg(124)] try_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(125)] use_first_pass=0
[../../pam_oath/pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[../../pam_oath/pam_oath.c:parse_cfg(127)] digits=0
[../../pam_oath/pam_oath.c:parse_cfg(128)] window=20
[../../pam_oath/pam_oath.c:pam_sm_authenticate(165)] get user returned: root
[../../pam_oath/pam_oath.c:pam_sm_authenticate(175)] authenticate first pass rc -2 (OATH_INVALID_DIGITS: Unsupported number of OTP digits) last otp Thu Jan 1 01:02:56 1970
One-time password (OATH) for `root':
[../../pam_oath/pam_oath.c:pam_sm_authenticate(258)] conv returned: 713246
[../../pam_oath/pam_oath.c:pam_sm_authenticate(322)] OTP: 713246
[../../pam_oath/pam_oath.c:pam_sm_authenticate(330)] authenticate rc 0 (OATH_OK: Successful return) last otp Thu Jan 1 01:00:23 1970
[../../pam_oath/pam_oath.c:pam_sm_authenticate(353)] done. [Success]
root@SERVERNAME:~# exit
exit
I then reverted the config of /etc/pam.d/su.
This confirms that my OATH setup is valid.
I set the following additional parameters to the SSH service in TrueNAS webui:
Code:
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
And did the following to /etc/pam.d/sshd (as advised here):
Code:
# sed -i 's/^@include common-auth/#@include common-auth/' /etc/pam.d/sshd; systemctl restart sshd
Which finally prompts me to use 2FA with publickey auth:
Code:
users-MacBook-Pro:~ user$ ssh root@SERVERNAME
Enter passphrase for key '/Users/user/.ssh/id_rsa':
(root@SERVERNAME) One-time password (OATH) for `root':
(root@SERVERNAME) One-time password (OATH) for `root':
(root@SERVERNAME) One-time password (OATH) for `root':
root@SERVERNAME: Permission denied (keyboard-interactive).
However, even though I already proved that the oath pam module works correctly with my /etc/users.oath configuration, no matter how many times I supply a valid token for SSH it does not work!
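To separate a seed-file problem from a PAM/sshd wiring problem, it helps to compute the token the server should expect straight from a /etc/users.oath record. The following is an added example, not part of the original post or of TrueNAS/oath-toolkit; it implements RFC 4226 HOTP and RFC 6238 TOTP and parses the `TYPE USER PIN HEXSECRET [counter]` line layout that pam_oath uses (the meaning of the optional fifth field as the next HOTP counter is an assumption, and the sample record is constructed).

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


def parse_users_oath_line(line: str) -> dict:
    """Parse one users.oath record: TYPE USER PIN HEXSECRET [counter ...].

    TYPE looks like HOTP (counter-based), HOTP/T30 (time-based, 30 s step)
    or HOTP/T30/6 (step plus digit count). A PIN of '-' means no PIN.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("malformed users.oath line")
    token_type, user, pin, hexsecret = fields[:4]
    spec = token_type.split("/")
    entry = {"user": user, "pin": None if pin == "-" else pin,
             "secret": bytes.fromhex(hexsecret), "digits": 6, "step": None}
    for part in spec[1:]:
        if part.startswith("T"):
            entry["step"] = int(part[1:])   # time-based token, step in seconds
        elif part.isdigit():
            entry["digits"] = int(part)
    # Assumption: for counter-based tokens the optional 5th field is the next counter (0 if absent).
    entry["counter"] = int(fields[4]) if entry["step"] is None and len(fields) > 4 else 0
    return entry


def expected_otp(entry: dict, unix_time: int) -> str:
    """Return the OTP pam_oath should accept for this record at the given time."""
    if entry["step"]:
        return totp(entry["secret"], unix_time, entry["step"], entry["digits"])
    return hotp(entry["secret"], entry["counter"], entry["digits"])


# Constructed sample record using the RFC 4226/6238 test secret ("12345678901234567890" in hex).
SAMPLE_LINE = "HOTP/T30/6 root - 3132333435363738393031323334353637383930"
```

Compare `expected_otp(parse_users_oath_line(line), int(time.time()))` for the real record against what the authenticator app shows; if they agree but sshd still rejects the token, the seed file is not the problem and the PAM stack or sshd settings are.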