pam_duo 2FA && ssh-key access

Avila, Geoffrey geoffrey_avila at
Wed Jan 27 06:04:59 AEDT 2021

Hi All,

Question that has been bugging me for a while...

We have an ssh login host we've protected with Duo's 2FA pam module. We're
allowing both password auth and ssh-keys. Problem is, those users with a
valid ssh key are instantly allowed to log in - the pam stack for the duo .so
module never gets called, and the users are never prompted for 2FA.
Is there a way to compel the execution of PAM modules before OpenSSH
completes the login process for the user? This is OpenSSH 7.4p1 on a RHEL
7.9 system btw....

Thanks a bunch!
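
The behaviour described above follows from how sshd treats `publickey`: it is verified by sshd itself and does not run the PAM auth stack, so a key alone completes the login unless the `AuthenticationMethods` option chains it with `keyboard-interactive`. The checker below is an added example, not part of the original post or of Duo's or OpenSSH's code. It assumes only the global section of `sshd_config` matters (it stops at the first `Match`) and that `keyboard-interactive` with `UsePAM yes` is the step where the Duo module prompts; the sample configurations are constructed.

```python
"""Audit sshd_config text for logins that finish on an ssh key alone."""

# Constructed sample resembling the setup in the post (not the poster's file).
SAMPLE_BEFORE = """\
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Same file with key logins chained to a PAM conversation.
SAMPLE_AFTER = SAMPLE_BEFORE + (
    "AuthenticationMethods publickey,keyboard-interactive keyboard-interactive\n"
)

def global_options(text):
    """Parse the global section; sshd uses the first value seen per keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":      # per-user/host overrides not audited
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def key_only_paths(text):
    """Return method chains that admit a key holder with no PAM conversation."""
    opts = global_options(text)
    if opts.get("pubkeyauthentication", "yes").lower() == "no":
        return []
    methods = opts.get("authenticationmethods", "any")
    if methods.lower() == "any":             # default: any single method suffices
        return [["publickey"]]
    pam_on = opts.get("usepam", "no").lower() == "yes"
    risky = []
    for chain in methods.split():            # space-separated alternatives
        steps = [m.split(":")[0] for m in chain.split(",")]  # drop ":pam" suffix
        runs_pam = pam_on and "keyboard-interactive" in steps
        if "publickey" in steps and not runs_pam:
            risky.append(steps)
    return risky

if __name__ == "__main__":
    print("before:", key_only_paths(SAMPLE_BEFORE))
    print("after: ", key_only_paths(SAMPLE_AFTER))
```

An empty result means every chain that accepts a key also requires a keyboard-interactive step; `sshd -T` on the host prints the effective values to feed in.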


