chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/

Robert Pendell shinji at
Thu Dec 18 17:25:15 EST 2014

On Thu, Dec 18, 2014 at 12:59 AM, Damien Miller <...> wrote:
> On Wed, 17 Dec 2014, Dmt Ops wrote:
>> But when I ssh in to the machine, I still get only the pubkey auth -- never
>> get asked for the GA code, and I can login.
> Could you please post a debug log from the server?
> /path/to/sshd -ddd
> should produce one.

Based on what I've seen, the reason is that SSH is handling pub-key
auth and bypasses PAM for it.  Google Authenticator, however, is done
via PAM, so it only works for keyboard-interactive logins.
Now then, from what I've seen, you can try to do force command instead
and use a different 2-factor provider that runs using a system
executable, but that provides its own headaches.
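
An added example, not part of the original message or of OpenSSH: a small audit of an sshd_config's global section that reports why a PAM-based second factor would never be prompted after pubkey auth. It assumes OpenSSH 6.2 or later (where AuthenticationMethods exists), treats absent keywords as their upstream defaults, and ignores Match blocks; the sample configs are constructed.

```python
import re

def parse_global(text):
    """Return {keyword: value} for the global section; sshd uses the first value seen."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":  # assumption: per-user/host Match overrides are out of scope
            break
        opts.setdefault(key, m.group(2).strip())
    return opts

def audit(text):
    """List the reasons a login could succeed without the PAM second factor."""
    opts = parse_global(text)
    findings = []
    if opts.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes': PAM modules are never consulted")
    # ChallengeResponseAuthentication is the older name for the same switch.
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive is disabled, so PAM cannot prompt")
    # Default 'any' means one successful method (e.g. publickey alone) is enough.
    for chain in opts.get("authenticationmethods", "any").split():
        names = {m.split(":", 1)[0] for m in chain.lower().split(",")}
        if not {"publickey", "keyboard-interactive"} <= names:
            findings.append(f"chain '{chain}' does not require both "
                            "publickey and keyboard-interactive")
    return findings

# Constructed samples: pubkey only (no chaining) vs. pubkey followed by PAM.
WEAK = "PubkeyAuthentication yes\nUsePAM yes\nChallengeResponseAuthentication yes\n"
CHAINED = WEAK + "AuthenticationMethods publickey,keyboard-interactive:pam\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("CHAINED", CHAINED)):
        print(name, audit(cfg) or "ok")
```

A clean result only covers sshd's side; the PAM stack for sshd still has to load the Google Authenticator module for a code to be requested.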
