Cannot use 2FA due to even when it is enabled

Question

I'm trying to enable google 2FA using package fedora google-authenticator (https://github.com/google/google-authenticator-libpam). This is my /etc/ssh/sshd_config:


#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# To modify the system-wide sshd configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf

# Authentication:

PermitRootLogin no

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

# override default of no subsystems
Subsystem sftp  /usr/libexec/openssh/sftp-server

ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

and this is the /etc/pam.d/sshd

#%PAM-1.0
#auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin
auth sufficient pam_google_authenticator.so

while restarting the ssh daemon, I'm getting following error:

Oct 31 21:14:10 personal systemd[1]: Starting sshd.service - OpenSSH server daemon...
░░ Subject: A start job for unit sshd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit sshd.service has begun execution.
░░
░░ The job identifier is 8247.
Oct 31 21:14:10 personal sshd[10265]: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard-interactive"
Oct 31 21:14:10 personal sshd[10265]: AuthenticationMethods cannot be satisfied by enabled authentication methods
Oct 31 21:14:10 personal systemd[1]: sshd.service: Main process exited, code=exited, status=255/EXCEPTION
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit sshd.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 255.
Oct 31 21:14:10 personal systemd[1]: sshd.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit sshd.service has entered the 'failed' state with result 'exit-code'.
Oct 31 21:14:10 personal systemd[1]: Failed to start sshd.service - OpenSSH server daemon.

I have no idea why it is throwing out Disabled method "keyboard-interactive" even when it is clearly enabled. Any ideas on what might be going wrong with my configuration ?

score 2 · Accepted Answer · answered Nov 28 '22 at 16:53

Try removing your modifications in /etc/ssh/sshd_config and put the following lines in /etc/ssh/sshd_config.d/50-redhat.conf (if this file would exist):

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes


ChallengeResponseAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
...
...

If you require PW + 2FA, then put the following line on the bottom of /etc/pam.d/sshd (perhaps you don't need not nullok, debug etc.):

auth       required     pam_google_authenticator.so nullok debug [authtok_prompt=Enter your secret token: ]

If you require only 2FA, then remark auth substack password-auth in /etc/pam.d/sshd and keep the following line on the bottom:

auth       required     pam_google_authenticator.so nullok debug [authtok_prompt=Enter your secret token: ]

In my case, this worked with SSSD-AD-Auth + Google-Authenticator-2FA in Rocky9.

score 0 · Answer 2 · answered May 12 '23 at 17:12

If the directives:

ChallengeResponseAuthentication no of KbdInteractiveAuthentication no

are anywhere, including /etc/ssh/sshd_config.d/50-redhat.conf then this may result in the Disabled method "keyboard-interactive" error message. Since OpenSSH 8.6, ChallengeResponseAuthentication is a depricated alias to KbdInteractiveAuthentication.

Cannot use 2FA due to even when it is enabled

2 Answers2