Multifactor authentication troubles

Darren Tucker dtucker at
Sun Jul 24 08:53:25 AEST 2016

On Sat, Jul 23, 2016 at 5:50 AM, James Murphy
<james.murphy.debian at> wrote:
> I'm writing a PAM module to do authentication through Signal (as in Open
> Whisper Systems) [1]. I would like to be able to offer
> (Public key AND Signal) or (Password AND Signal)
> for authentication. This suggests setting AuthenticationMethods to
> publickey,keyboard-interactive:pam password,keyboard-interactive:pam
> However, when PAM is enabled "password" means "show password prompt,
> then do PAM", which is a problem because my PAM does Signal auth, not
> password auth,

The PAM conversation is whatever you configure the stack to be, not
just one of password or Signal.  For example you could have this in
your PAM ssh config:
auth required
auth required

and as long as you're using SSH Protocol 2, it should allow multiple
conversations in a single call to pam_authenticate.  That should get
you the "password then Signal" authentication via only

> Or another solution would be to allow multiple different PAM modules to
> be called instead of requiring it all to be lumped into /etc/pam.d/sshd.

There's an open enhancement request for this:

> Then one could specify something like
> PAMFiles /etc/pam.d/sshd*
> AuthenticationMethods
> keyboard-interactive:pam:sshd-pass,keyboard-interactive:pam:sshd-signal

You can get this behaviour by putting both auth modules in the ssh
stack config as described above and that should work with the current
production code.

Getting (Public key AND Signal) or (Password AND Signal) to work is
trickier.  I can imagine 2 ways to do it, both of which require
changes not in the current production code.

1) Use the per-auth-type PAM configs as per
2) Configure the ssh-passwd stack to have just and the
ssh-kbdint stack to have just
3) Put "AuthenticationMethods password,keyboard-interactive
publickey,keyboard-interactive" into sshd_config.

sshd should offer you either of publickey or password first then
proceed to keyboard-interactive.

OR (and this one is fuzzier)

a) Use "expose authentication information to PAM" as per
b) Put "AuthenticationMethods publickey,keyboard-interactive
keyboard-interactive" in sshd_config
c) Put both and in the PAM config and have
it somehow check for the indication that pubkey has been successful
and if found, skip pam_unix somehow.  I don't know of a way to do that
offhand though.

Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
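As an added illustration (not OpenSSH code, and not part of the thread above), the following Python model walks through how sshd evaluates an AuthenticationMethods line such as the one proposed in option 1: space-separated lists are alternatives, each comma-separated list must be completed in order, and a "method:submethod" entry (keyboard-interactive:pam) matches only that submethod. It assumes those semantics, which is how the option is documented in sshd_config(5).

```python
class AuthMethods:
    """Model of sshd's AuthenticationMethods evaluation (added example, not
    OpenSSH's own code). Each space-separated alternative is a list of methods
    that must all succeed, in the order given; authentication is complete as
    soon as any one list has been exhausted. A bare entry such as
    'keyboard-interactive' accepts any submethod, while
    'keyboard-interactive:pam' accepts only the 'pam' submethod."""

    def __init__(self, option):
        # One cursor per alternative, pointing at the next required entry.
        self.lists = [alt.split(",") for alt in option.split()]
        self.pos = [0] * len(self.lists)
        self.done = False

    @staticmethod
    def _entry_matches(entry, method, submethod):
        name, _, sub = entry.partition(":")
        return name == method and (sub == "" or sub == submethod)

    def allowed(self):
        """Method names sshd would advertise to the client right now."""
        if self.done:
            return []
        return sorted({self.lists[i][p].partition(":")[0]
                       for i, p in enumerate(self.pos)})

    def succeed(self, method, submethod=None):
        """Record a successful method. Returns True once any list is complete,
        False if more is required; raises ValueError when the method is not
        the next required entry of any list (sshd would reject it)."""
        found = False
        for i, lst in enumerate(self.lists):
            if not self._entry_matches(lst[self.pos[i]], method, submethod):
                continue
            found = True
            self.pos[i] += 1
            if self.pos[i] == len(lst):
                self.done = True
                return True
        if not found:
            raise ValueError(f"{method} is not permitted at this point")
        return False


if __name__ == "__main__":
    # The configuration from option 1: (publickey AND kbd-int) OR (password AND kbd-int).
    m = AuthMethods("publickey,keyboard-interactive password,keyboard-interactive")
    print(m.allowed())                      # offered first: password or publickey
    m.succeed("publickey")
    print(m.allowed())                      # now keyboard-interactive (or password)
    print(m.succeed("keyboard-interactive", "pam"))  # True: first list complete
```

Running the script shows that after the public key succeeds the client still has to complete keyboard-interactive, which is where the PAM stack carrying the Signal module runs.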

More information about the openssh-unix-dev mailing list