MFA and PubKeys

Richard Allen ra at ra.is
Sat Nov 16 02:48:11 AEDT 2024


Hello all, 

I'm trying to get a properly working MFA solution working with our ssh servers. I have it working wonderfully well with duo until ssh keys are added to the mix. 
As I understand it, using keys results in the PAM stack not getting called and thus something like pam_duo never gets a chance to work in that scenario.
I'm aware that I can use something like "ForceCommand /usr/sbin/login_duo", but that results in two requests unless it is removed from PAM beforehand, which is not ideal as there are other services that also benefit from having MFA present in the PAM stack.
Using ForceCommand like this is also dubious as users can still put whatever they like in their shell rc files. 

Is there a better way to properly integrate MFA into the login process when ssh keys are used? 

Thanks in advance. 
-- 
Rikki 


More information about the openssh-unix-dev mailing list