chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/

Dmt Ops opsdmt at
Thu Dec 18 12:55:49 EST 2014

I have sshd server

        sshd -V
                OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

running on linux/64


        cat sshd_config
                PubkeyAuthentication                 yes
                PasswordAuthentication               no
                ChallengeResponseAuthentication      no
                GSSAPIAuthentication                 no
                GSSAPICleanupCredentials             no
                HostbasedAuthentication              no
                RhostsRSAAuthentication              no
                RSAAuthentication                    no

                UseLogin                             no
                PermitEmptyPasswords                 no
                UsePrivilegeSeparation               yes

I can ssh in with pubkey auth.

I want to ADD a 2nd factor authentication step; specifically Google

I installed



At shell, I exec


and create the key

I edit

        vi /etc/pam.d/sshd
        +        auth       required


        vi /etc/ssh/sshd_config
        -        ChallengeResponseAuthentication      no
        +        ChallengeResponseAuthentication      yes
        +        KbdInteractiveAuthentication         yes

and restart the daemon

        systemctl restart sshd
                Dec  7 14:05:59 server systemd[1]: Stopping OpenSSH
                Dec  7 14:05:59 server sshd[4821]: Received signal 15;
                Dec  7 14:05:59 server systemd[1]: Starting OpenSSH
                Dec  7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
                Dec  7 14:05:59 server sshd[5112]: Server listening on port 22.
                Dec  7 14:05:59 server sshd[5112]: Server listening on port 22.

In the client's ssh_config I added

        User                               root
        ChallengeResponseAuthentication    yes
        PreferredAuthentications           publickey,keyboard-interactive
        ForwardX11                         yes
        ForwardX11Trusted                  yes
        Compression                        no

IIUC, now, when I login from the client to the server, I should ALWAYS be
prompted for the Google Authenticator code after a successful pubkey auth.

But when I ssh in to the machine, I still get only the pubkey auth -- never
get asked for the GA code, and I can login.

        ssh -v -l root server

                sshr_server -4v
                OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
                debug1: Reading configuration data /etc/ssh/ssh_config
                debug1: /etc/ssh/ssh_config line 89: Applying options for
                debug1: /etc/ssh/ssh_config line 147: Applying options for
                debug1: Connecting to [] port
                debug1: fd 3 clearing O_NONBLOCK
                debug1: Connection established.
                debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
                debug1: Enabling compatibility mode for protocol 2.0
                debug1: Local version string SSH-2.0-OpenSSH_6.7
                debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
                debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
                debug1: SSH2_MSG_KEXINIT sent
                debug1: SSH2_MSG_KEXINIT received
                debug1: kex: server->client chacha20-poly1305 at <implicit> none
                debug1: kex: client->server chacha20-poly1305 at <implicit> none
                debug1: sending SSH2_MSG_KEX_ECDH_INIT
                debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
                debug1: Server host key: ED25519 2f:...
                debug1: Host '' is known and matches the ED25519 host key.
                debug1: Found key in /etc/ssh/ssh_known_hosts:1
                debug1: SSH2_MSG_NEWKEYS sent
                debug1: expecting SSH2_MSG_NEWKEYS
                debug1: SSH2_MSG_NEWKEYS received
                debug1: SSH2_MSG_SERVICE_REQUEST sent
                debug1: SSH2_MSG_SERVICE_ACCEPT received
                debug1: Authentications that can continue:
                debug1: Next authentication method: publickey
                debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
                debug1: Server accepts key: pkalg ssh-rsa blen 279
                debug1: Authentication succeeded (publickey).
                Authenticated to ([]:22).
                debug1: channel 0: new [client-session]
                debug1: Requesting no-more-sessions at
                debug1: Entering interactive session.
                debug1: Requesting X11 forwarding with authentication
                debug1: Sending environment.
                debug1: Sending env LANG = en_US.UTF-8
                debug1: Sending env DISPLAY = :0

I'm not sure where to look for WHY this isn't working.

How do I get the 2nd-factor step turned on?  config change? add'l packages
required?  etc?
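
An added example, not part of the original post: a shell check for whether an sshd_config actually forces publickey followed by keyboard-interactive. sshd (OpenSSH 6.2 and later) demands more than one method only when `AuthenticationMethods` chains them, and reaches PAM modules only with `UsePAM yes`. The function names, the upstream defaults passed to them and the two sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for an enforced publickey + keyboard-interactive chain.

# Effective global value of a keyword. sshd keywords are case-insensitive and the
# first occurrence wins; parsing stops at the first Match block (not evaluated).
sshd_opt() {  # usage: sshd_opt <file> <keyword> <default>
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { found = 1; val = $2; for (i = 3; i <= NF; i++) val = val " " $i; exit }
        END { print (found ? val : def) }' "$1"
}

# Prints one line per finding; returns 0 only when every login needs both factors.
check_2fa() {  # usage: check_2fa <file>
    f=$1; rc=0
    methods=$(sshd_opt "$f" AuthenticationMethods any)   # "any" = no chain configured
    [ "$methods" != any ] || { echo "FAIL: no AuthenticationMethods chain, one successful method is enough"; rc=1; methods=; }
    for list in $methods; do   # each space-separated list is an accepted alternative
        case ",$list," in *,publickey,*) ;; *) echo "FAIL: '$list' lacks publickey"; rc=1 ;; esac
        case ",$list," in *,keyboard-interactive[,:]*) ;; *) echo "FAIL: '$list' lacks keyboard-interactive"; rc=1 ;; esac
    done
    [ "$(sshd_opt "$f" UsePAM no)" = yes ] || { echo "FAIL: UsePAM is not yes, so PAM auth modules are not consulted"; rc=1; }
    cr=$(sshd_opt "$f" ChallengeResponseAuthentication yes)   # KbdInteractive defaults to this value
    [ "$(sshd_opt "$f" KbdInteractiveAuthentication "$cr")" = yes ] || { echo "FAIL: keyboard-interactive is disabled"; rc=1; }
    return $rc
}

# Constructed samples: the directives the post ends up with, then the same plus a chain.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/as_posted" <<'EOF'
PubkeyAuthentication                 yes
PasswordAuthentication               no
ChallengeResponseAuthentication      yes
KbdInteractiveAuthentication         yes
EOF
{ cat "$tmp/as_posted"; echo 'UsePAM yes'; echo 'AuthenticationMethods publickey,keyboard-interactive'; } > "$tmp/chained"

for c in as_posted chained; do
    echo "== $c"
    check_2fa "$tmp/$c" && echo "OK: publickey then keyboard-interactive is enforced"
done
```

On a live host, `sshd -T` prints the effective configuration in the same keyword/value form, so its output saved to a file can be checked the same way.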

