SSH examples that use IBM Verify for Two-Factor Authentication (2FA)

You can use IBM® Verify two-factor authentication capabilities to augment your SSH authentication.

Adding Verify 2FA to Linux® SSH

As an example, take SSH authentication on RHEL 7 and add Verify 2FA, letting the user choose from all of the 2FA methods that are available to that Verify user.
This authentication is in addition to the local UNIX™ password login. Choose the Verify username that you want to use for 2FA login, such as user@us.ibm.com. Subscribe the user to the required 2FA for testing.
Note: The subscription process is outside the scope of this document.
  1. The file /etc/pam.d/sshd controls the SSH authentication. It uses a common include file for the authentication /etc/pam.d/password-auth.
    • To avoid disturbing all processes that use the common include file, make a copy of /etc/pam.d/password-auth to /etc/pam.d/civ-password-auth so that it can be modified safely.
    • Edit /etc/pam.d/sshd to include the copied file civ-password-auth, instead of password-auth.
    • Edit civ-password-auth and change the following line.
      From
      auth        sufficient    pam_unix.so nullok try_first_pass
      To
      auth        requisite     pam_unix.so nullok try_first_pass
      auth        sufficient    pam_ibm_auth.so auth_method=choice-then-otp
  2. Ensure that /etc/pam_ibm_auth.json is set up correctly to communicate to the Verify server.
  3. Edit /etc/ssh/sshd_config. Ensure that “UsePAM yes” is set and set “ChallengeResponseAuthentication yes” to allow the user 2FA interaction with the Verify PAM module.
  4. Select a UNIX user to test SSH and set their GECOS value to the Verify username. See usermod or chfn.
  5. Restart sshd to ensure that it uses the updated configuration options.
  6. SSH to the test user to see the 2FA take effect.
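The RHEL 7 steps above, carried out against a copy of the pam.d directory, as an added example (this is not part of the IBM documentation and not tooling that ships with pam_ibm_auth). It assumes the stock layout of /etc/pam.d/sshd and /etc/pam.d/password-auth and takes the directory path as an argument so it can be dry-run on a copy before anything under /etc/pam.d is changed. The check function also guards the one edit that matters most: if the pam_unix line is left as sufficient, a correct UNIX password satisfies the auth stack on its own and pam_ibm_auth is never consulted; requisite makes a wrong password fail at once and a correct one fall through to the Verify prompt.

```sh
#!/bin/sh
# Added example, not part of the IBM documentation: applies the RHEL 7 PAM
# edits from step 1 to a COPY of a pam.d directory and verifies the result.
# Assumes the stock /etc/pam.d/sshd and /etc/pam.d/password-auth layout; the
# directory path is an argument so you can dry-run it before touching /etc/pam.d.

# apply_civ_pam PAMDIR
#   Copies password-auth to civ-password-auth, points sshd at the copy, and
#   replaces the "sufficient pam_unix.so" line with the requisite pam_unix.so
#   plus pam_ibm_auth.so pair from the documentation.
apply_civ_pam() {
    pamdir="$1"
    src="$pamdir/password-auth"
    dst="$pamdir/civ-password-auth"
    sshd_pam="$pamdir/sshd"
    [ -f "$src" ] && [ -f "$sshd_pam" ] || { echo "missing $src or $sshd_pam" >&2; return 1; }

    # Work on a copy so the other services that include password-auth are untouched.
    cp "$src" "$dst"

    # Make sshd include the copy instead of the shared file (the leading
    # whitespace in the pattern keeps a second run from producing civ-civ-...).
    sed 's/\([[:space:]]\)password-auth/\1civ-password-auth/g' "$sshd_pam" > "$sshd_pam.tmp" \
        && mv "$sshd_pam.tmp" "$sshd_pam"

    # pam_unix becomes requisite: a wrong UNIX password ends the stack at once,
    # and a correct one no longer satisfies it alone, so control always reaches
    # pam_ibm_auth for the Verify second factor. Any options after pam_unix.so
    # (nullok try_first_pass ...) are preserved.
    awk '
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_unix.so" {
            rest = ""
            for (i = 4; i <= NF; i++) rest = rest " " $i
            printf "auth        requisite     pam_unix.so%s\n", rest
            print  "auth        sufficient    pam_ibm_auth.so auth_method=choice-then-otp"
            next
        }
        { print }
    ' "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# check_civ_pam PAMDIR
#   Returns 0 only when sshd includes civ-password-auth, no "sufficient
#   pam_unix.so" line is left (that would let a password alone bypass 2FA),
#   and pam_ibm_auth follows the requisite pam_unix line in the auth stack.
check_civ_pam() {
    pamdir="$1"
    dst="$pamdir/civ-password-auth"
    [ -f "$dst" ] || return 1
    grep -q 'civ-password-auth' "$pamdir/sshd" || return 1
    grep -q '^auth[[:space:]]*sufficient[[:space:]]*pam_unix\.so' "$dst" && return 1
    awk '
        $1 == "auth" && $2 == "requisite"  && $3 == "pam_unix.so"     { unix_line = NR }
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_ibm_auth.so" { ibm_line = NR }
        END { exit !(unix_line && ibm_line && unix_line < ibm_line) }
    ' "$dst"
}

# Usage: cp -a /etc/pam.d /tmp/pam.d-copy && sh civ_pam.sh /tmp/pam.d-copy
if [ $# -eq 1 ]; then
    apply_civ_pam "$1" && check_civ_pam "$1" && echo "civ-password-auth auth stack looks correct"
fi
```

Run it against a copy, inspect the two resulting files, and only then place them under /etc/pam.d; the pam_ibm_auth.json, sshd_config and GECOS steps are not automated here.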

Add centralized password and 2FA authentication to AIX® SSH login

The OS user, pamuser, is mapped to the Verify tenant Cloud Directory user, isvuser, for authentication. The Verify user must have the relevant 2FA methods configured. After the following is set up, the user logs in to the host over SSH with the pamuser username, the isvuser password, and the isvuser 2FA. The OS user password is no longer used for SSH logins.

Note: When you set up and test this option, ensure that you have an alternative method of logging in to the AIX host, because a misconfiguration can break ssh login. For recovery purposes, you can also keep an existing ssh session open while you restart the sshd server.
The following files need to be modified.
  1. Edit /etc/passwd (or use chfn) and set the GECOS value for mapping OS user to Verify user on all accounts that are going to use ssh:
    From
    pamuser:x:1000:1000:Pam User:/home/pamuser:/bin/bash
    To
    pamuser:x:1000:1000:Pam User,isvuser:/home/pamuser:/bin/bash
  2. Edit /etc/pam_ibm_auth.json to ensure that the correct GECOS value layout is configured for OS user to Verify user mapping:
    "pam-ibm-auth": {
        "additional-args": [
            ...
            "auth_method=password-then-choice-then-otp",
            "gecos_field=2",
            "gecos_separator=,",
            ...
        ]
    }
  3. Edit the /etc/pam.conf file and add the following lines.
    # Authentication
    sshd    auth    required        pam_ibm_auth
    
    # Account Management
    sshd    account required        pam_aix
    
    # Password Management
    sshd    password  required      pam_aix
    
    # Session Management
    sshd    session required        pam_aix
    
  4. Edit /etc/ssh/sshd_config and ensure that these lines are present with the specified values. If they are not present, add them.
    ChallengeResponseAuthentication yes
    UsePAM yes
    
  5. Edit /etc/security/login.cfg and change the following line.
    From
    auth_type = STD_AUTH
    To
    auth_type = PAM_AUTH
  6. Optional: Edit /etc/syslog.conf and add the following line so that messages at priority info and above, including errors logged by the pam_ibm_auth module, are written to the /var/log/messages file.
    *.info /var/log/messages rotate size 1m files 8 compress
  7. Optional: Restart syslogd to pick up the changes.
    # stopsrc -s syslogd; startsrc -s syslogd
  8. Restart sshd to pick up the changes.
    # stopsrc -s sshd; startsrc -s sshd
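Before switching auth_type to PAM_AUTH in step 5, it is worth confirming that every account that will use ssh actually carries a Verify mapping, because after the switch an account with no mapping has no way in. The following pre-flight script is an added example (not from the IBM documentation) that reproduces the mapping rule from step 2, gecos_field=2 with gecos_separator=, (sub-field 2 of the GECOS field, split on commas), and checks the sshd_config and login.cfg settings from steps 4 and 5. File paths are arguments so it can be run against copies; the function names and the sample passwd lines in the usage are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the IBM documentation: pre-flight checks for the
# AIX steps above. Assumes the documented pam_ibm_auth settings gecos_field=2
# and gecos_separator=, and takes file paths as arguments so it can be run
# against copies of /etc/passwd, /etc/ssh/sshd_config and /etc/security/login.cfg.

# verify_user_from_gecos PASSWD_LINE [FIELD] [SEP]
#   Prints the Verify username that the mapping rule selects from a passwd
#   line: sub-field FIELD of the GECOS (5th colon-separated) field, split on
#   SEP. Prints nothing when the GECOS field has no such sub-field.
verify_user_from_gecos() {
    pwline="$1"; fld="${2:-2}"; sp="${3:-,}"
    gecos=$(printf '%s\n' "$pwline" | cut -d: -f5)
    # -s suppresses lines without the separator, so an unmapped account yields "".
    printf '%s\n' "$gecos" | cut -s -d"$sp" -f"$fld" | tr -d ' '
}

# unmapped_ssh_users PASSWD_FILE [FIELD] [SEP]
#   Prints, one per line, the accounts with an interactive shell that carry no
#   Verify mapping. After auth_type = PAM_AUTH these accounts cannot log in over
#   ssh, so the output should be empty (or contain only accounts you expect)
#   before you make the switch.
unmapped_ssh_users() {
    file="$1"; field="${2:-2}"; sep="${3:-,}"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        shell="${line##*:}"
        case "$shell" in */nologin|*/false) continue ;; esac
        [ -n "$(verify_user_from_gecos "$line" "$field" "$sep")" ] || printf '%s\n' "${line%%:*}"
    done < "$file"
}

# check_sshd_config SSHD_CONFIG
#   Returns 0 only when UsePAM and ChallengeResponseAuthentication are both
#   set to yes. sshd uses the first uncommented value of each keyword, so the
#   first match is the one that counts.
check_sshd_config() {
    cfg="$1"
    for key in UsePAM ChallengeResponseAuthentication; do
        val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        [ "$val" = "yes" ] || return 1
    done
}

# check_login_cfg LOGIN_CFG
#   Returns 0 only when login.cfg selects PAM_AUTH (step 5).
check_login_cfg() {
    grep -q '^[[:space:]]*auth_type[[:space:]]*=[[:space:]]*PAM_AUTH[[:space:]]*$' "$1"
}

# Usage: sh aix_preflight.sh /tmp/passwd.copy /tmp/sshd_config.copy /tmp/login.cfg.copy
if [ $# -eq 3 ]; then
    unmapped=$(unmapped_ssh_users "$1")
    [ -z "$unmapped" ] && echo "all interactive accounts are mapped" || printf 'unmapped accounts:\n%s\n' "$unmapped"
    check_sshd_config "$2" && echo "sshd_config: UsePAM and ChallengeResponseAuthentication are yes" || echo "sshd_config: missing UsePAM yes / ChallengeResponseAuthentication yes"
    check_login_cfg "$3" && echo "login.cfg: auth_type = PAM_AUTH" || echo "login.cfg: auth_type is not PAM_AUTH"
fi
```

Accounts that should never use ssh but have an interactive shell will show up in the unmapped list; either map them or give them a nologin shell before restarting sshd, and keep the recovery session from the note above open while you do.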