pam_duo 2FA && ssh-key access

Brian Candler b.candler at
Wed Jan 27 06:45:23 AEDT 2021

On 26/01/2021 19:04, Avila, Geoffrey wrote:
> We have an ssh login host we've protected with Duo's 2FA pam module. We're
> allowing both password auth and ssh-keys. Problem is, those users with a
> valid ssh key are instantly allowed to log in - the pam stack for the duo .so
> module never gets called, and the users are never prompted for 2FA.
> Is there a way to compel the execution of PAM modules before OpenSSH
> completes the login process for the user?

I use the following (with Yubikey PAM module for 2FA):

# Policy for authentication: require both pubkey *and* PAM
AuthenticationMethods publickey,keyboard-interactive:pam

# From local and VPN addresses, 2FA not required
Match Address,
AuthenticationMethods publickey
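
Added example, not part of the original post: a Python check that the effective AuthenticationMethods value really forces both factors. sshd accepts a login once every method in any one of the space-separated lists has completed, so each alternative is checked; the sample `sshd -T` output is constructed and the function names are hypothetical.

```python
# Added example: audit an AuthenticationMethods value for 2FA bypasses.
# In practice the text would come from `sshd -T -C user=NAME,host=HOST,addr=ADDR`,
# which prints the effective settings after Match blocks are applied.

REQUIRED = ("publickey", "keyboard-interactive")


def parse_method_lists(value):
    """Split the value into its alternative method lists.

    Alternatives are space-separated; methods inside one are comma-separated.
    Submethods such as ':pam' are dropped for the comparison.
    """
    return [[m.split(":", 1)[0] for m in alt.split(",")] for alt in value.split()]


def bypass_lists(value, required=REQUIRED):
    """Return every alternative that can complete without all required methods."""
    if value.strip().lower() == "any":
        return [["any"]]  # no policy set: any single method is enough
    return [alt for alt in parse_method_lists(value)
            if not all(r in alt for r in required)]


def effective_methods(sshd_t_output):
    """Extract the authenticationmethods value from `sshd -T` style output."""
    for line in sshd_t_output.splitlines():
        key, _, val = line.strip().partition(" ")
        if key.lower() == "authenticationmethods":
            return val.strip()
    return "any"  # assumption: a missing keyword is treated as the default


# Constructed samples, not captured from a real host.
REMOTE = "port 22\nusepam yes\nauthenticationmethods publickey,keyboard-interactive:pam\n"
LOCAL = "port 22\nusepam yes\nauthenticationmethods publickey\n"
MISTAKE = "authenticationmethods publickey,keyboard-interactive:pam publickey\n"

if __name__ == "__main__":
    for name, text in (("remote", REMOTE), ("local", LOCAL), ("mistake", MISTAKE)):
        gaps = bypass_lists(effective_methods(text))
        print(name, "2FA enforced" if not gaps else f"bypass via {gaps}")
```

The "local" result is the exemption the Match block intends; the "mistake" sample shows how a second, shorter list on the same line silently turns the second factor into an option.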
