pam_duo 2FA && ssh-key access
Brian Candler
b.candler at pobox.com
Wed Jan 27 07:32:22 AEDT 2021
On 26/01/2021 20:17, Mauricio Tavares wrote:
> I've always thought the comma meant "if this does not work, try this next"
Nope. From sshd_config(5):
     AuthenticationMethods
             Specifies the authentication methods that must be successfully
             completed for a user to be granted access. This option must be
             followed by one or more comma-separated lists of authentication
             method names, or by the single string any to indicate the default
             behaviour of accepting any single authentication method. If the
             default is overridden, then *successful authentication requires
             completion of every method in at least one of these lists*.

             For example, "publickey,password publickey,keyboard-interactive"
             would require the user to complete public key authentication,
             followed by either password or keyboard interactive
             authentication. Only methods that are next in one or more lists
             are offered at each stage, so for this example it would not be
             possible to attempt password or keyboard-interactive
             authentication before public key.

             For keyboard interactive authentication it is also possible to
             restrict authentication to a specific device by appending a colon
             followed by the device identifier bsdauth, pam, or skey, depending
             on the server configuration. For example,
             "keyboard-interactive:bsdauth" would restrict keyboard interactive
             authentication to the bsdauth device.
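To make the difference between the comma (every method in the list, in order) and the space (alternative lists) concrete, here is a small model of how sshd walks an AuthenticationMethods value. It is an added example written for this page, not OpenSSH code and not from the post above; the option strings "publickey,keyboard-interactive:pam", "publickey keyboard-interactive:pam" and "publickey,keyboard-interactive:bsdauth" are constructed for illustration (with Duo, the keyboard-interactive:pam step is where pam_duo runs, assuming UsePAM and KbdInteractiveAuthentication/ChallengeResponseAuthentication are enabled).

```python
from __future__ import annotations

# Rules modelled from the sshd_config(5) text: the option is one or more
# comma-separated lists; a login succeeds only when every method of at least
# one list has been completed, in the order listed; at each stage only the
# methods that are next in one or more lists are offered; an entry such as
# "keyboard-interactive:pam" accepts only that keyboard-interactive device.
# This is an illustrative model, not OpenSSH's own implementation.


def parse_methods(option: str) -> list[list[str]]:
    """'publickey,password publickey,keyboard-interactive:pam' ->
    [['publickey', 'password'], ['publickey', 'keyboard-interactive:pam']]
    Spaces separate alternative lists; commas separate steps within a list."""
    option = option.strip()
    if option == "any":
        raise ValueError("'any' is the default (one method suffices); not modelled")
    return [lst.split(",") for lst in option.split()]


def _entry_matches(entry: str, method: str, submethod: str | None) -> bool:
    """Does a list entry accept this method and (for keyboard-interactive) this
    device? An entry written without ':device' accepts any device."""
    name, _, device = entry.partition(":")
    return name == method and (device == "" or device == submethod)


class AuthState:
    """Per-connection state: what remains of each list after each success."""

    def __init__(self, option: str) -> None:
        self.remaining = parse_methods(option)

    def offered(self) -> list[str]:
        """Methods sshd would offer now: the head of every unfinished list."""
        heads = []
        for lst in self.remaining:
            if lst and lst[0] not in heads:
                heads.append(lst[0])
        return heads

    def complete(self, method: str, submethod: str | None = None) -> bool:
        """Record a successful method. Returns True once some list is fully
        satisfied (access granted); raises if the method was not offered."""
        advanced = False
        for lst in self.remaining:
            if lst and _entry_matches(lst[0], method, submethod):
                lst.pop(0)
                advanced = True
        if not advanced:
            raise PermissionError(f"{method}:{submethod or ''} not offered at this stage")
        return any(not lst for lst in self.remaining)


def pubkey_then_duo() -> dict:
    """'publickey,keyboard-interactive:pam': the comma means AND, in order."""
    st = AuthState("publickey,keyboard-interactive:pam")
    result = {"first_offer": st.offered()}
    try:  # the misconception in the thread: try the Duo prompt first
        st.complete("keyboard-interactive", "pam")
        result["kbdint_first"] = "accepted"
    except PermissionError:
        result["kbdint_first"] = "refused"
    result["after_pubkey"] = st.complete("publickey")  # key alone is not enough
    result["second_offer"] = st.offered()
    result["after_duo"] = st.complete("keyboard-interactive", "pam")
    return result


def pubkey_or_duo() -> dict:
    """'publickey keyboard-interactive:pam': a space means OR (either list alone)."""
    st = AuthState("publickey keyboard-interactive:pam")
    return {"first_offer": st.offered(),
            "duo_alone": st.complete("keyboard-interactive", "pam")}


def wrong_device() -> bool:
    """'keyboard-interactive:bsdauth' does not accept the pam device."""
    st = AuthState("publickey,keyboard-interactive:bsdauth")
    st.complete("publickey")
    try:
        st.complete("keyboard-interactive", "pam")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(pubkey_then_duo())
    print(pubkey_or_duo())
    print(wrong_device())
```

The thing to take from the model is that with "publickey,keyboard-interactive:pam" a client is never offered keyboard-interactive until the key step has succeeded, and a key alone never grants access; if "publickey or Duo" is what is wanted, the two must be separate space-separated lists. The model does not cover the "none" probe, the publickey query/sign round trips, or the "any" default.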