By: dave97nb

How do I make ssh two factor authentication last for more than a few hours?

January 3, 2015 1.7k views

Hey guys, I have configured two-factor authentication for SSH on my CentOS 7 droplet with Google Authenticator.

It works as expected for a few hours, i.e. 10 to 12 hours, after which instead of asking for verification code and then password, it asks only for password.

It then refuses all connections even if we enter the right password.

I also see a lot of failed login attempts and wonder if that has anything to do with the problem.

I tried to change my SSH port to 4444 but when I try to connect to it via SSH the connection times out and so I had to change my port back to 22.

Also 2FA over SSH works normally if I manually reboot my droplet, but only for the next 10 to 12 hours.

Any help will be greatly appreciated.

Thank You

4 comments
  • I haven't run into this before. That's pretty strange behavior. Do you have SELinux enabled? Are there any messages in /var/log/secure that might point us in the right direction?

  • Hi Andrew,

    Thank you for your reply. SELinux is disabled and my /var/log/secure is over 10 MB with over 94000 lines.

    Since yesterday my droplet is working well and asking for verification code. All I did was recreate a larger droplet from a snapshot and enable backups.

    For now I am hoping that it keeps working well.

  • Glad to hear it's working! Let us know if the problem pops up again. Also a quick hint: with log files, using tail will just show you the most recent lines. So if it happens again, after rebooting run:

    tail -n 25 /var/log/secure
    

    That will just show the last 25 lines. Increase the number to see more.

  • Hi Andrew,

    Unfortunately the problem has popped up again. After my last post, things ran smoothly for around 5 days before the problem started again. Now it has started after around 2 days. Here is the output of

    tail -n 25 /var/log/secure
    

    xxxx@crunchbang:~$ ssh root@x.x.x.x
    Password:
    Verification code:
    Password:
    Last failed login: Wed Jan 14 00:23:24 IST 2015 from 219.91.249.194 on ssh:notty
    There were 48 failed login attempts since the last successful login.
    Last login: Wed Jan 14 00:19:08 2015
    [root@postswap ~]# tail -n 25 /var/log/secure
    Jan 14 00:22:31 postswap sshd[9934]: Received disconnect from 62.210.83.224: 11: Bye Bye [preauth]
    Jan 14 00:22:36 postswap sshd(pam_google_authenticator)[9936]: Too many concurrent login attempts. Please try again.
    Jan 14 00:22:36 postswap sshd[9936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-83-224.rev.poneytelecom.eu user=root
    Jan 14 00:22:36 postswap sshd[9936]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 14 00:22:37 postswap sshd(pam_google_authenticator)[9938]: Too many concurrent login attempts. Please try again.
    Jan 14 00:22:37 postswap sshd[9938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-83-224.rev.poneytelecom.eu user=root
    Jan 14 00:22:37 postswap sshd[9938]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 14 00:22:39 postswap sshd[9936]: Failed password for root from 62.210.83.224 port 46667 ssh2
    Jan 14 00:22:39 postswap sshd[9936]: Received disconnect from 62.210.83.224: 11: Bye Bye [preauth]
    Jan 14 00:22:39 postswap sshd[9938]: Failed password for root from 62.210.83.224 port 48906 ssh2
    Jan 14 00:22:39 postswap sshd[9938]: Received disconnect from 62.210.83.224: 11: Bye Bye [preauth]
    Jan 14 00:23:21 postswap sshd[9933]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 14 00:23:24 postswap sshd[9921]: error: PAM: Cannot make/remove an entry for the specified session for root from 219.91.249.194
    Jan 14 00:23:32 postswap sshd[9940]: fatal: Read from socket failed: Connection reset by peer [preauth]
    Jan 14 00:23:32 postswap sshd[9942]: Did not receive identification string from 62.210.83.224
    Jan 14 00:23:40 postswap sshd[9945]: reverse mapping checking getaddrinfo for p8p-cv-collo-3-signme3-in.trunkmobile.ru [93.174.73.212] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jan 14 00:23:40 postswap sshd[9945]: Invalid user hacking from 93.174.73.212
    Jan 14 00:23:40 postswap sshd[9945]: input_userauth_request: invalid user hacking [preauth]
    Jan 14 00:23:40 postswap sshd(pam_google_authenticator)[9945]: Failed to compute location of secret file
    Jan 14 00:23:40 postswap sshd[9945]: pam_unix(sshd:auth): check pass; user unknown
    Jan 14 00:23:40 postswap sshd[9945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=93.174.73.212
    Jan 14 00:23:42 postswap sshd[9945]: Failed password for invalid user hacking from 93.174.73.212 port 60766 ssh2
    Jan 14 00:23:42 postswap sshd[9945]: Received disconnect from 93.174.73.212: 11: Bye Bye [preauth]
    Jan 14 00:23:54 postswap sshd[9921]: Accepted keyboard-interactive/pam for root from 219.91.249.194 port 11805 ssh2
    Jan 14 00:23:54 postswap sshd[9921]: pam_unix(sshd:session): session opened for user root by (uid=0)
    [root@postswap ~]#

    Really don't know what to do... I am also getting a lot of "perf samples too long" errors in the console. I wonder if that has anything to do with it.
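
Added example, not part of the original thread: a short Python summary for `/var/log/secure` output like the excerpt posted above. It counts failed logins per source address and ties each `pam_google_authenticator` message to a source through the shared sshd PID; the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/secure format shown in the thread
# (documentation-range addresses and a hypothetical host name).
SAMPLE = """\
Jan 14 00:22:36 host sshd(pam_google_authenticator)[9936]: Too many concurrent login attempts. Please try again.
Jan 14 00:22:39 host sshd[9936]: Failed password for root from 203.0.113.7 port 46667 ssh2
Jan 14 00:22:39 host sshd[9938]: Failed password for root from 203.0.113.7 port 48906 ssh2
Jan 14 00:23:40 host sshd[9945]: Invalid user hacking from 198.51.100.9
Jan 14 00:23:40 host sshd(pam_google_authenticator)[9945]: Failed to compute location of secret file
Jan 14 00:23:42 host sshd[9945]: Failed password for invalid user hacking from 198.51.100.9 port 60766 ssh2
Jan 14 00:23:54 host sshd[9921]: Accepted keyboard-interactive/pam for root from 192.0.2.10 port 11805 ssh2
"""

# timestamp, host, sshd with optional "(pam_module)", [pid], message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd(?:\((\w+)\))?\[(\d+)\]: (.*)$")
SRC = re.compile(r"^(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port")

def summarize(text):
    """Return (failed logins per source, accepted logins, PAM module messages
    keyed by module, message and the source address of the same sshd PID)."""
    events = [m.groups() for m in map(LINE.match, text.splitlines()) if m]
    pid_src, failed, accepted = {}, Counter(), []
    for _module, pid, msg in events:
        m = SRC.match(msg)
        if not m:
            continue
        outcome, user, src = m.groups()
        pid_src[pid] = src
        if outcome == "Failed":
            failed[src] += 1
        else:
            accepted.append((user, src))
    # PIDs are reused over time, so feed this a short window (e.g. tail output).
    pam = Counter()
    for module, pid, msg in events:
        if module:
            pam[(module, msg, pid_src.get(pid, "unknown"))] += 1
    return failed, accepted, pam

if __name__ == "__main__":
    failed, accepted, pam = summarize(SAMPLE)
    for src, n in failed.most_common():
        print(f"{n:4d} failed   {src}")
    for user, src in accepted:
        print(f"     accepted {user} from {src}")
    for (module, msg, src), n in pam.most_common():
        print(f"{n:4d} {module} [{src}]: {msg}")
```

On a live host the same function can be fed the text of `tail -n 500 /var/log/secure` instead of `SAMPLE`.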
