pam_duo 2FA && ssh-key access

Brian Candler b.candler at
Sat Jan 30 09:14:50 AEDT 2021

On 29/01/2021 20:40, Avila, Geoffrey wrote:
> I understand from the reading of the manpage that there is no
> "publickey:pam" string that would allow for just a 2FA prompt if a valid
> public key was presented?

I'm sorry, but I don't understand what you're asking.  The config you 
have asks for a public key auth first, and then asks for a PAM auth, and 
lets the user in if both succeed.  What do you want to happen instead?

> I'm a little unclear as to why "password' and "keyboard-interactive" are
> seen as two distinct authentication methods...

Because they are two different authentication mechanisms in the SSH 
protocol itself (RFC 4252, RFC 4256).

As I understand it, password is just a password, whereas 
keyboard-interactive allows for prompt-response-prompt-response-... (so 
for example, can be used for challenge-response tokens).  The PAM API 
also works works in a prompt-response manner, via the conversation 



More information about the openssh-unix-dev mailing list