pam_duo 2FA && ssh-key access
Brian Candler
b.candler at pobox.com
Sat Jan 30 09:14:50 AEDT 2021
On 29/01/2021 20:40, Avila, Geoffrey wrote:
> I understand from the reading of the manpage that there is no
> "publickey:pam" string that would allow for just a 2FA prompt if a valid
> public key was presented?
I'm sorry, but I don't understand what you're asking. The config you
have asks for a public key auth first, and then asks for a PAM auth, and
lets the user in if both succeed. What do you want to happen instead?
> I'm a little unclear as to why "password" and "keyboard-interactive" are
> seen as two distinct authentication methods...
Because they are two different authentication mechanisms in the SSH
protocol itself (RFC 4252, RFC 4256).
As I understand it, password is just a password, whereas
keyboard-interactive allows for prompt-response-prompt-response-... (so
for example, can be used for challenge-response tokens). The PAM API
also works in a prompt-response manner, via the conversation
function
<http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_conv>.
Regards,
Brian.
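
The prompt-response exchange that sets keyboard-interactive apart from password, as an added example that is not part of the original post: it encodes and decodes the two RFC 4256 messages, SSH_MSG_USERAUTH_INFO_REQUEST (60) and SSH_MSG_USERAUTH_INFO_RESPONSE (61), that carry one round of prompts and answers. The function names are hypothetical and the prompt strings used with them are constructed; rejecting a reply whose answer count differs from the prompt count is this example's own check.

```python
import struct
MSG_INFO_REQUEST, MSG_INFO_RESPONSE = 60, 61  # SSH_MSG_USERAUTH_INFO_* numbers (RFC 4256)

def put_str(s):  # SSH "string": uint32 big-endian length, then UTF-8 bytes
    raw = s.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw

def get_str(buf, off):  # returns (decoded string, offset just past it)
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n

def build_request(name, instruction, prompts):  # server side; prompts = [(text, echo)]
    out = bytes([MSG_INFO_REQUEST]) + put_str(name) + put_str(instruction)
    out += put_str("") + struct.pack(">I", len(prompts))  # empty language tag, num-prompts
    for text, echo in prompts:
        out += put_str(text) + bytes([1 if echo else 0])
    return out

def parse_request(buf):  # client side: recover the prompts to show the user
    if buf[:1] != bytes([MSG_INFO_REQUEST]):
        raise ValueError("not an INFO_REQUEST")
    name, off = get_str(buf, 1)
    instruction, off = get_str(buf, off)
    _lang, off = get_str(buf, off)
    (count,) = struct.unpack_from(">I", buf, off)
    off += 4
    prompts = []
    for _ in range(count):
        text, off = get_str(buf, off)
        prompts.append((text, buf[off] != 0))  # echo flag: show typed input or not
        off += 1
    return name, instruction, prompts

def build_response(answers):  # client side: one answer per prompt, in order
    body = b"".join(put_str(a) for a in answers)
    return bytes([MSG_INFO_RESPONSE]) + struct.pack(">I", len(answers)) + body

def parse_response(buf, expected):  # server side; expected = number of prompts sent
    if buf[:1] != bytes([MSG_INFO_RESPONSE]):
        raise ValueError("not an INFO_RESPONSE")
    (count,) = struct.unpack_from(">I", buf, 1)
    if count != expected:
        raise ValueError("answer count does not match prompt count")
    answers, off = [], 5
    for _ in range(count):
        text, off = get_str(buf, off)
        answers.append(text)
    return answers
```

The server may send further requests after each response before it reports success or failure, which is what lets a challenge-response token fit this method and not the single-message password method.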