Multifactor authentication troubles

James Murphy james.murphy.debian at gmail.com
Sat Jul 23 05:50:22 AEST 2016


I'm writing a PAM module to do authentication through Signal (as in Open
Whisper Systems) [1]. I would like to be able to offer

(Public key AND Signal) or (Password AND Signal)

for authentication. This suggests setting AuthenticationMethods to

publickey,keyboard-interactive:pam password,keyboard-interactive:pam

However, when PAM is enabled "password" means "show password prompt,
then do PAM", which is a problem because my PAM does Signal auth, not
password auth, and the above results in all login attempts failing.
Clearly sshd knows how to do password auth without PAM because it works
even when PAM is disabled, so I wonder if there is some way to request
that "password" does not use PAM even when PAM is enabled? Ideally one
could specify something like

password:nopam
password:builtin

Or another solution would be to allow multiple different PAM modules to
be called instead of requiring it all to be lumped into /etc/pam.d/sshd.
Then one could specify something like

PAMFiles /etc/pam.d/sshd*
AuthenticationMethods keyboard-interactive:pam:sshd-pass,keyboard-interactive:pam:sshd-signal

Does this kind of functionality already exist, and if not would it be
feasible to implement?


Thank you for your help,
James Murphy

[1] https://github.com/kb100/signal-authenticator
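
An added example, not part of the original message or of the signal-authenticator project: a small Python lint for the failure mode described above, where "UsePAM yes" hands the "password" method to a PAM auth stack that contains no password-checking module. The sample files, the module file name pam_signal_authenticator.so and the PASSWORD_MODULES list are assumptions made for illustration.

```python
import re

# Assumption of this example: PAM modules that verify an account password.
PASSWORD_MODULES = {"pam_unix.so", "pam_sss.so", "pam_ldap.so"}
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample inputs, not taken from a real host.
SSHD_CONFIG = """\
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam password,keyboard-interactive:pam
"""
PAM_SSHD = """\
# The module file name below is assumed for illustration.
auth     required  pam_signal_authenticator.so
account  required  pam_unix.so
"""

def sshd_options(text):
    """Map lower-cased keyword -> value; sshd keeps the first value it sees."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def pam_auth_modules(text):
    """Return (module names on auth lines, True if other files are pulled in)."""
    mods, has_include = [], False
    for line in text.splitlines():
        line = line.strip()
        m = AUTH_LINE.match(line)
        if line.startswith("@include") or (m and m.group(1) in ("include", "substack")):
            has_include = True
        elif m:
            mods.append(m.group(2).rsplit("/", 1)[-1])
    return mods, has_include

def lint(sshd_text, pam_text):
    """List AuthenticationMethods chains whose 'password' step PAM cannot satisfy."""
    opts = sshd_options(sshd_text)
    mods, has_include = pam_auth_modules(pam_text)
    if opts.get("usepam", "no").lower() != "yes" or has_include:
        return []  # builtin password check, or the stack is not fully visible here
    if any(m in PASSWORD_MODULES for m in mods):
        return []  # not flagged: some auth module does check a password
    return [chain for chain in opts.get("authenticationmethods", "any").split()
            if "password" in (m.split(":")[0] for m in chain.split(","))]

if __name__ == "__main__":
    for chain in lint(SSHD_CONFIG, PAM_SSHD):
        print(f"{chain}: 'password' goes to PAM, but no auth module checks passwords")
```

An empty result means only that this one condition was not found; Match blocks and included PAM files are not evaluated.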


More information about the openssh-unix-dev mailing list