Multiple PAM stacks for multi-factor auth
James Wilson
jwilson556 at gmail.com
Sat Mar 28 05:44:00 AEDT 2015
I'd like to permit authentication by either public key followed by
second factor, OR password followed by second factor. It seems the sshd
configuration ought to be:
UsePam yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
For most purposes, "UsePam yes" makes password and keyboard-interactive
do the same thing - run the auth stack in sshd's PAM config. Thus the
second choice in AuthenticationMethods is repeating the same policy,
where what I want is to do a password check via pam_unix, and then run
the 2nd-factor module. I can combine the checks in /etc/pam.d/sshd to
make it work and then use a single "keyboard-interactive" method
auth requisite pam_unix.so
auth required pam_duo/yubico/google_authenticator/etc.so
but now the "publickey,keyboard-interactive" method requires public key,
then password, then 2nd factor, and I haven't found a solution. I
searched and found that Fedora encountered a similar problem and chose to
add handling for multiple PAM stacks. The discussion in
http://fedoraproject.org/wiki/Features/MultiplePAMStacksInGDM is
informative. Can OpenSSH add a way to run different rule sets in the
syntax of AuthenticationMethods to make these configurations possible?
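To make the interaction described above concrete, here is an added model (not OpenSSH code and not part of the original post) that expands each AuthenticationMethods alternative into the factors a client must actually pass. It assumes, as the post states, that with UsePAM yes both "password" and "keyboard-interactive" run the whole PAM auth stack, and the module-to-factor table and config fragments are constructed for the example.

```python
"""Model how sshd's AuthenticationMethods interacts with one PAM auth stack."""
import shlex

# Constructed sshd_config fragment, mirroring the one in the post.
SSHD_CONFIG = """
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
"""

# Constructed /etc/pam.d/sshd auth section: password check, then a 2nd-factor module.
PAM_SSHD = """
auth requisite pam_unix.so
auth required  pam_google_authenticator.so
"""

# Assumed mapping from PAM module to the factor it checks (for this model only).
FACTOR_OF = {
    "pam_unix.so": "password",
    "pam_google_authenticator.so": "otp",
    "pam_duo.so": "otp",
    "pam_yubico.so": "otp",
}

def parse_sshd_config(text):
    """Return {lowercased keyword: [arguments]} for each config line."""
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            opts[parts[0].lower()] = parts[1:]
    return opts

def pam_auth_factors(text):
    """List the factors checked by the 'auth' lines of a PAM stack, in order."""
    factors = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            factors.append(FACTOR_OF.get(parts[2], parts[2]))
    return factors

def effective_factors(sshd_config, pam_sshd):
    """Map each AuthenticationMethods alternative to the factors a client must pass.
    Under UsePAM yes, 'password' and 'keyboard-interactive' each run the full stack,
    so an alternative naming both runs it twice, and publickey,keyboard-interactive
    ends up requiring key + password + otp rather than key + otp."""
    opts = parse_sshd_config(sshd_config)
    use_pam = opts.get("usepam", ["no"])[0].lower() == "yes"
    pam = pam_auth_factors(pam_sshd)
    result = {}
    for alt in opts.get("authenticationmethods", []):
        chain = []
        for method in alt.split(","):
            if use_pam and method in ("password", "keyboard-interactive"):
                chain.extend(pam)
            else:
                chain.append(method)
        result[alt] = chain
    return result
```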