I have a personal server I host from home that has port 22 exposed to the world for SSH. For better or worse I also log in as root. I know how much of a security risk this can pose, and started feeling it when someone started trying to brute force my server over root. Instead of closing the port and using openvpn or a remote desktop to access my network, I decided to enable google auth. To be doubly secure, I have the configuration like this:

/etc/pam.d/sshd:

```
# Standard Un*x authentication.
#@include common-auth
@include google-auth
```

/etc/pam.d/sshd/google-auth:

```
auth required pam_google_authenticator.so forward_pass
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
```

I did it this way so that I can play around without editing default files and easily revert at any time. It also lets me play around with the PAM module order a bit.

The goal is to have it request 'Password & Verification' at the same time. It works! Sorta.

```
login as: root
Using keyboard-interactive authentication.
Password & verification code:
Access denied
Using keyboard-interactive authentication.
Password & verification code:
Access denied
Using keyboard-interactive authentication.
Password & verification code:
Access denied
root@192.168.1.5's password:
Access denied
root@192.168.1.5's password:
```

So if there are 3 failed attempts at Password & verification, it kicks to just asking for the password. Entering the password by itself or the password & verification does NOT work. It always ends in failure, which is good. The bad part is that if someone is brute forcing this, it sometimes will ONLY ask for password even on the first login attempt. This locks me from the server!

At this point it is more of a curiosity than anything else. I can always close the port and resolve the problem, but I'd really like to solve this puzzle. Any thoughts?
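To make the behaviour of the stack in the question easier to reason about, here is a small added example (not the poster's code, and not part of Linux-PAM) that parses the five `auth` lines from the question and walks them with a simplified model of PAM control flags: `required`, `requisite`, `optional`, `sufficient` and the bracketed `[success=N default=ignore]` form. The module names, the `PAM_STACK` text and the `login_outcome` helper are constructed for this illustration; the model ignores PAM subtleties such as `reset`, the "all modules ignored" error and per-error-code actions. It confirms the observation above that supplying only a password, or a password with a wrong code, always ends in denial: a failed `required` module records a failure that no later module can clear, and a failed `pam_unix.so` falls through to `pam_deny.so`, which aborts the stack.

```python
"""Simplified Linux-PAM 'auth' stack evaluator for the stack in the question."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the /etc/pam.d/sshd/google-auth stack from the question.
PAM_STACK = """\
auth required pam_google_authenticator.so forward_pass
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# The classic keywords are shorthand for bracketed action tables (simplified).
SIMPLE_FLAGS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

Entry = Tuple[str, Dict[str, str], List[str]]  # (module, actions, args)


def parse_stack(text: str) -> List[Entry]:
    """Parse 'facility control module [args]' lines into (module, actions, args)."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        _facility, control, module, args = m.groups()
        if control.startswith("["):
            # e.g. "[success=1 default=ignore]" -> {"success": "1", "default": "ignore"}
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = dict(SIMPLE_FLAGS[control])
        entries.append((module, actions, args.split()))
    return entries


def run_stack(entries: List[Entry], results: Dict[str, bool]) -> bool:
    """Walk the stack; `results` says whether each module would succeed."""
    i = 0
    failed = False  # set once a 'required'-style module fails; never cleared
    while i < len(entries):
        module, actions, _args = entries[i]
        ok = results.get(module, False)
        action = actions.get("success" if ok else "default", "bad")
        if action.isdigit():          # jump: skip the next N modules
            i += int(action) + 1
            continue
        if action == "bad":           # record failure, keep going
            failed = True
        elif action == "die":         # abort immediately with failure
            return False
        elif action == "done":        # return now, success unless already failed
            return not failed
        # "ok" and "ignore" just advance to the next module
        i += 1
    return not failed


def login_outcome(password_ok: bool, code_ok: bool) -> bool:
    """True if the stack grants access for the given password/code correctness.

    A password-only login (sshd's plain password method) reaches
    pam_google_authenticator.so with the password as the 'code', which is the
    same as code_ok=False here.
    """
    results = {
        "pam_google_authenticator.so": code_ok,
        "pam_unix.so": password_ok,
        "pam_deny.so": False,   # always fails
        "pam_permit.so": True,  # always succeeds
        "pam_cap.so": True,
    }
    return run_stack(parse_stack(PAM_STACK), results)


if __name__ == "__main__":
    for pw, code in [(True, True), (True, False), (False, True), (False, False)]:
        verdict = "granted" if login_outcome(pw, code) else "denied"
        print(f"password_ok={pw!s:5} code_ok={code!s:5} -> {verdict}")
```

Only the case where both the password and the verification code are correct is granted; every other combination is denied, which matches the "always ends in failure" result reported above.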