pam_duo 2FA && ssh-key access
Avila, Geoffrey
geoffrey_avila at brown.edu
Sat Jan 30 07:40:26 AEDT 2021
Hi Brian,
Thanks... setting "AuthenticationMethods
publickey,keyboard-interactive:pam" works, in that even with a valid public
key I get prompted for a password and 2FA.
I understand from the reading of the manpage that there is no
"publickey:pam" string that would allow for just a 2FA prompt if a valid
public key was presented?
I'm a little unclear as to why "password" and "keyboard-interactive" are
seen as two distinct authentication methods...
Thanks again!
On Tue, Jan 26, 2021 at 3:37 PM Brian Candler <b.candler at pobox.com> wrote:
> On 26/01/2021 20:17, Mauricio Tavares wrote:
> > I've always thought the comma meant "if this does not work, try
> this next"
>
> Nope. From sshd_config(5):
>
> AuthenticationMethods
>         Specifies the authentication methods that must be successfully
>         completed for a user to be granted access. This option must be
>         followed by one or more comma-separated lists of authentication
>         method names, or by the single string any to indicate the default
>         behaviour of accepting any single authentication method. If the
>         default is overridden, then successful authentication requires
>         completion of every method in at least one of these lists.
>
>         For example, "publickey,password publickey,keyboard-interactive"
>         would require the user to complete public key authentication,
>         followed by either password or keyboard interactive
>         authentication. Only methods that are next in one or more lists
>         are offered at each stage, so for this example it would not be
>         possible to attempt password or keyboard-interactive
>         authentication before public key.
>
>         For keyboard interactive authentication it is also possible to
>         restrict authentication to a specific device by appending a colon
>         followed by the device identifier bsdauth, pam, or skey, depending
>         on the server configuration. For example,
>         "keyboard-interactive:bsdauth" would restrict keyboard interactive
>         authentication to the bsdauth device.
>
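The exchange above turns on how sshd reads an AuthenticationMethods value: space-separated lists are alternatives, and within a list the comma-separated methods must all be completed in order, with only the "next" method of each still-viable list offered at each stage. The following is an added model of those rules written for this thread; it is not OpenSSH code, and the function names (parse_methods, offered_next, satisfied) and the notion of passing completed methods as a list of strings are assumptions of the model, not part of sshd.

```python
"""Model of the AuthenticationMethods semantics quoted from sshd_config(5).

Added illustration, not OpenSSH source. Completed methods are recorded as
plain strings such as "publickey" or "keyboard-interactive:pam"; a
completion may carry the device suffix that sshd reports for
keyboard-interactive (bsdauth, pam, skey).
"""
from __future__ import annotations


def parse_methods(spec: str) -> list[list[str]]:
    """Split 'publickey,password publickey,keyboard-interactive:pam' into
    [['publickey', 'password'], ['publickey', 'keyboard-interactive:pam']].
    The single string 'any' yields an empty list, meaning the default of
    accepting any one method."""
    spec = spec.strip()
    if spec == "any":
        return []
    return [lst.split(",") for lst in spec.split()]


def method_matches(required: str, completed: str) -> bool:
    """A requirement with a device suffix ('keyboard-interactive:pam') is met
    only by that exact completion; a bare requirement accepts any device."""
    if ":" in required:
        return required == completed
    return completed.split(":", 1)[0] == required


def _prefix_ok(lst: list[str], completed: list[str]) -> bool:
    """True when every completed method matches the list entry at the same
    position, i.e. the list is still a viable path to success."""
    if len(completed) > len(lst):
        return False
    return all(method_matches(r, c) for r, c in zip(lst, completed))


def offered_next(spec: str, completed: list[str]) -> set[str]:
    """Methods sshd would offer after the given completed sequence: the entry
    that comes next in each list whose earlier entries have been completed.
    For the default 'any', the sentinel 'any' is returned until one method
    has succeeded."""
    lists = parse_methods(spec)
    if not lists:
        return set() if completed else {"any"}
    nxt: set[str] = set()
    for lst in lists:
        if _prefix_ok(lst, completed) and len(completed) < len(lst):
            nxt.add(lst[len(completed)])
    return nxt


def satisfied(spec: str, completed: list[str]) -> bool:
    """True once every method of at least one list has been completed, in
    the listed order."""
    lists = parse_methods(spec)
    if not lists:
        return len(completed) == 1
    return any(len(lst) == len(completed) and _prefix_ok(lst, completed)
               for lst in lists)


if __name__ == "__main__":
    # Walk through the two specs discussed in the thread (constructed run).
    for spec in ("publickey,password publickey,keyboard-interactive",
                 "publickey,keyboard-interactive:pam"):
        print(f"AuthenticationMethods {spec}")
        done: list[str] = []
        for step in ("publickey", "keyboard-interactive:pam"):
            print(f"  completed={done!r:<42} offered={sorted(offered_next(spec, done))}")
            done.append(step)
        print(f"  completed={done!r:<42} satisfied={satisfied(spec, done)}")
```

Running the model on "publickey,keyboard-interactive:pam" shows that the SSH "password" method is never offered in that configuration: "password" (RFC 4252) and "keyboard-interactive" (RFC 4256) are distinct SSH userauth method names, and only keyboard-interactive drives a PAM conversation. Any password prompt that appears after the public key in that setup is therefore a question asked by the PAM stack behind keyboard-interactive, which is where a site would tune which prompts the 2FA module is combined with.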