pam_duo 2FA && ssh-key access

Brian Candler b.candler at
Wed Jan 27 07:32:22 AEDT 2021

On 26/01/2021 20:17, Mauricio Tavares wrote:
>        I've always thought the comma meant "if this does not work, try this next"

Nope. From sshd_config(5):

    Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names, or by the single string any to indicate the default behaviour of accepting any single authentication method. If the default is overridden, then *successful authentication requires completion of every method in at least one of these lists*.

    For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example it would not be possible to attempt password or keyboard-interactive authentication before public key.

    For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier bsdauth, pam, or skey, depending on the server configuration. For example, "keyboard-interactive:bsdauth" would restrict keyboard interactive authentication to the bsdauth device.
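The comma-versus-space rule above, modelled as an added Python example (not OpenSSH code and not part of this thread): it walks the AuthenticationMethods state the way sshd_config(5) describes, with each space-separated list as an alternative and each comma as a further required step, and shows why "publickey,keyboard-interactive:pam" gives key-plus-Duo while "publickey keyboard-interactive:pam" lets either alone grant access. DUO_CONFIG and WRONG_CONFIG are constructed values.

```python
# Constructed model of how sshd applies AuthenticationMethods; not OpenSSH code.
# Space-separated lists are alternatives; commas within a list are all required,
# in order. "keyboard-interactive:pam" is treated as one opaque method name here.

def parse_auth_methods(value):
    """Turn the sshd_config value into a list of method lists, or None for 'any'."""
    value = value.strip()
    if value == "any":
        return None  # default: any one successful method grants access
    return [entry.split(",") for entry in value.split()]

def offered(remaining):
    """Methods sshd offers at this stage: the next (head) entry of each list."""
    out = []
    for methods in remaining:
        if methods and methods[0] not in out:
            out.append(methods[0])
    return out

def complete_method(remaining, method):
    """Record one successful method. Returns (new_remaining, granted); raises
    ValueError if the method is not next in any list (sshd would not offer it)."""
    matched, new = False, []
    for methods in remaining:
        if methods and methods[0] == method:
            matched = True
            methods = methods[1:]  # this list advances by one step
        new.append(methods)
    if not matched:
        raise ValueError(f"{method!r} is not offered at this stage")
    return new, any(not m for m in new)  # granted once any list is used up

def simulate(config_value, successes):
    """Apply a sequence of successful methods. Returns (granted, stages) where
    stages holds the methods offered before each step and after the last one."""
    lists = parse_auth_methods(config_value)
    if lists is None:
        return len(successes) >= 1, [[]]
    stages, granted = [offered(lists)], False
    for method in successes:
        lists, granted = complete_method(lists, method)
        stages.append(offered(lists))
        if granted:
            break
    return granted, stages

# Constructed values for the thread's goal: ssh key AND a Duo prompt via PAM.
DUO_CONFIG = "publickey,keyboard-interactive:pam"    # both steps required
WRONG_CONFIG = "publickey keyboard-interactive:pam"  # either step alone suffices
```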

