All of my servers are set up with 2FA authentication. I recently have been testing Cluster Control and ran into a small problem.
Setup: USER is set up with publickey and passwordless sudo access on cmon and nodes. I can open a terminal and ssh from CMON into the node without a problem. It does not even mention the need for the TOTP key (aka keyboard-interactive). However, the CMON GUI, when I add a node, returns the following error:
SSH authentication failed. libssh auth error: Access denied for 'publickey'. Authentication that can continue: keyboard-interactive (USER, key=/home/USER/.ssh/id_rsa) Verify SSH hostname and key, authentication failed.
As you can see, the GUI is detecting the keyboard-interactive message. In my pam.d/sshd config file I have added the nullok variable to it. And it does work, as the USER account has never had the TOTP generator run on the user, and the user can log into the node with the publickey only from the SSH terminal.
I was already unhappy with the idea of needing to use nullok to bypass the 2FA authentication on my database servers (it pretty much means you do not have 2FA protection if somehow a new user got created on the system and 2FA was never added).
The workaround to not having to use nullok is as follows:
In the /etc/ssh/sshd_config file (I am using CentOS 8) add these as the last lines:
Match Address X.X.X.X
AuthenticationMethods publickey,password publickey
And restart the sshd service. Now you will be able to keep 2FA in full force and still allow the sudoed USER to get in with the publickey, while further restricting that access to just CMON.
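As an added example (not from the post above and not ClusterControl's own code), the script below models how sshd resolves AuthenticationMethods for a connection from a given client address across Match Address blocks, and reports whether every alternative still requires two distinct methods. This matters because a space in an AuthenticationMethods value separates alternatives, so a value such as "publickey,password publickey" lets the second alternative, publickey alone, satisfy authentication. The sshd_config text and the addresses (10.0.0.5, 192.168.1.0/24, 203.0.113.9) are constructed for the demo; only Address criteria are evaluated, which is a simplification of sshd's full Match handling.

```python
import fnmatch
import ipaddress

# Constructed sample sshd_config for this demo (not the poster's real file):
# key + PAM keyboard-interactive (TOTP) globally, plus a Match block for the
# CMON host's address that uses the AuthenticationMethods line from the post.
SAMPLE_SSHD_CONFIG = """
# global section: publickey then TOTP via PAM for everyone
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes

Match Address 10.0.0.5
    AuthenticationMethods publickey,password publickey

Match Address 192.168.1.0/24
    AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Split an sshd_config into its global section and Match blocks.

    Returns (global_opts, blocks); blocks is a list of (criteria, opts) in
    file order, where criteria maps a lowercased Match keyword such as
    'address' to its comma-separated pattern list. Only the first
    occurrence of a keyword within a section is kept, which mirrors how
    sshd treats repeated keywords.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key, value)
    return global_opts, blocks


def address_matches(pattern, addr):
    """True if a client address matches one Match Address pattern.

    Handles CIDR (192.0.2.0/24), exact addresses, and sshd-style
    wildcard patterns (192.0.2.*). Negated '!' patterns are not modelled.
    """
    if any(c in pattern for c in "*?"):
        return fnmatch.fnmatchcase(addr, pattern)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def effective_option(config_text, client_addr, keyword):
    """Resolve a keyword as sshd would for a connection from client_addr:
    the first matching Match block that sets it wins, otherwise the global
    value. Blocks using criteria other than Address are skipped here.
    """
    global_opts, blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        if set(criteria) != {"address"}:
            continue  # User/Group/Host criteria are outside this demo
        if any(address_matches(p, client_addr) for p in criteria["address"]) and keyword in opts:
            return opts[keyword]
    return global_opts.get(keyword)


def auth_alternatives(methods_value):
    """Parse an AuthenticationMethods value into its alternatives.

    Whitespace separates alternatives (any one suffices); inside an
    alternative, comma-separated methods must all succeed in order. A
    backend suffix like 'keyboard-interactive:pam' is dropped.
    """
    return [[m.split(":")[0] for m in alt.split(",")]
            for alt in methods_value.split()]


def enforces_two_factor(methods_value):
    """True only if every alternative demands at least two distinct methods."""
    if not methods_value:
        return False  # unset: any single enabled method is accepted
    return all(len(set(alt)) >= 2 for alt in auth_alternatives(methods_value))


def audit(config_text, client_addr):
    """Summarise what a client at client_addr must present to authenticate."""
    value = effective_option(config_text, client_addr, "AuthenticationMethods")
    return {
        "client": client_addr,
        "authentication_methods": value,
        "alternatives": auth_alternatives(value) if value else [],
        "two_factor_enforced": enforces_two_factor(value),
    }


if __name__ == "__main__":
    for addr in ("10.0.0.5", "192.168.1.20", "203.0.113.9"):
        print(audit(SAMPLE_SSHD_CONFIG, addr))
```

Running it shows the 10.0.0.5 client resolving to "publickey,password publickey" with two_factor_enforced False, while the other addresses keep the global publickey plus keyboard-interactive requirement. On a real host, OpenSSH's own resolver can be queried the same way with `sshd -T -C addr=10.0.0.5,user=USER,host=cmon | grep -i authenticationmethods`, which is the authoritative check after editing sshd_config.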