pam_duo 2FA && ssh-key access

Avila, Geoffrey geoffrey_avila at brown.edu
Sat Jan 30 07:40:26 AEDT 2021


Hi Brian,

Thanks... setting "AuthenticationMethods
publickey,keyboard-interactive:pam" works, in that even with a valid public
key I get prompted for a password and 2FA.
I understand from the reading of the manpage that there is no
"publickey:pam" string that would allow for just a 2FA prompt if a valid
public key was presented?
I'm a little unclear as to why "password" and "keyboard-interactive" are
seen as two distinct authentication methods...

Thanks again!

On Tue, Jan 26, 2021 at 3:37 PM Brian Candler <b.candler at pobox.com> wrote:

> On 26/01/2021 20:17, Mauricio Tavares wrote:
> >        I've always thought the comma meant "if this does not work, try
> this next"
>
> Nope. From sshd_config(5):
>
>       AuthenticationMethods
>               Specifies the authentication methods that must be
> successfully completed for a user to be
>               granted access.  This option must be followed by one or
> more comma-separated lists of authentication
>               method names, or by the single string any to
> indicate the default behaviour of
>               accepting any single authentication method.  If the
> default is overridden, then *successful
>               authentication requires completion of every method in at
> least one of these lists*.
>
>               For example, "publickey,password
> publickey,keyboard-interactive" would require the user to
>               complete public key authentication, followed by either
> password or keyboard interactive
>               authentication.  Only methods that are next in one or more
> lists are offered at each stage,
>               so for this example it would not be possible to attempt
> password or keyboard-interactive
>               authentication before public key.
>
>               For keyboard interactive authentication it is also
> possible to restrict authentication to a
>               specific device by appending a colon followed by the
> device identifier bsdauth, pam, or skey,
>               depending on the server configuration.  For example,
> "keyboard-interactive:bsdauth" would
>               restrict keyboard interactive authentication to the
> bsdauth device.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
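Added example, not part of this thread and not OpenSSH's code: a small Python model of the AuthenticationMethods semantics in the sshd_config(5) excerpt above, where a comma joins methods that must all succeed in order and whitespace separates alternative lists of which any one suffices. The one-queue-per-list bookkeeping and the device matching for entries like keyboard-interactive:pam are my reading of the manpage, not the server's implementation.

```python
# Model of sshd_config AuthenticationMethods evaluation (added illustration,
# not OpenSSH code). Comma = every method in the list must succeed, in order;
# whitespace = alternative lists, any one of which completes authentication.
from typing import List, Optional, Set, Tuple


class AuthState:
    """Per-connection state: each list is a queue of methods still required."""
    def __init__(self, remaining: List[List[str]]):
        self.remaining = remaining


def parse_authentication_methods(value: str) -> AuthState:
    """Parse an AuthenticationMethods value into its lists of required methods."""
    value = value.strip()
    if value == "any":            # default: any single configured method suffices
        return AuthState([])
    return AuthState([entry.split(",") for entry in value.split()])


def _entry_matches(entry: str, method: str, device: Optional[str]) -> bool:
    """'keyboard-interactive:pam' matches only the pam device; a bare
    'keyboard-interactive' matches whichever device the server uses."""
    name, _, want_device = entry.partition(":")
    return name == method and (not want_device or want_device == device)


def offered_methods(state: AuthState) -> Set[str]:
    """Methods offered at this stage: only the head of each unfinished list."""
    return {lst[0].split(":")[0] for lst in state.remaining if lst}


def complete_method(state: AuthState, method: str, device: Optional[str] = None) -> bool:
    """Record one successful method; True once some list is fully satisfied."""
    if not state.remaining:       # 'any': the first success is enough
        return True
    if method not in offered_methods(state):
        raise ValueError(f"{method!r} is not offered at this stage")
    for lst in state.remaining:
        if lst and _entry_matches(lst[0], method, device):
            lst.pop(0)            # advance this list; others stay where they are
            if not lst:
                return True
    return False


def sequence_succeeds(value: str, attempts: List[Tuple[str, Optional[str]]]) -> bool:
    """Replay a sequence of successful (method, device) authentications."""
    state = parse_authentication_methods(value)
    try:
        return any(complete_method(state, m, d) for m, d in attempts)
    except ValueError:            # a method tried before it was offered
        return False
```

With "publickey,keyboard-interactive:pam", keyboard-interactive is never offered before publickey and publickey alone never completes authentication; with "publickey,password publickey,keyboard-interactive", both second-stage methods become offered only after publickey succeeds.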

