Home / server / Questions / 1089307
Accepted
Karol
Asked: 2022-01-08 05:14:24 +0800 CST

SSH authentication: (public key xor password) + google authenticator code

  • 772

I'm using Debian bullseye. I'm trying to set up SSH two types logins:

  1. password + code from Google's Authenticator (if user set it, "nullok" option),
  2. public key + code from Google's Authenticator (if user set it, "nullok" option).

Type #1 works for me. In type #2 I have public key + password (not public key passphrase) + code from GA. I added this line to /etc/ssh/sshd_config

AuthenticationMethods publickey,keyboard-interactive keyboard-interactive

I'd like to user won't be prompted for password if key was supplied. Precisely, how to bypass pam_unix.so demand if public key was provided?

Is there any way to accomplish what I want on one machine? Thanks in advance.

debian ssh pam google-authenticator two-factor-authentication

1 Answers

  1. Best Answer

    Probably I solved it.

    CERN's PAM_2FA project contains minor pam module: pam_ssh_user_auth.so. This module can tell PAM if there was any previously successful sshd authentications like public key (PAM_SUCCESS). So I made following changes in:

    /etc/ssh/sshd_config:

    PasswordAuthentication no
ChallengeResponseAuthentication yes 
UsePAM yes 
AuthenticationMethods keyboard-interactive:pam publickey,keyboard-interactive:pam

    /etc/pam.d/sshd:

    auth    [success=2 ignore=ignore default=die]   pam_ssh_user_auth.so
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    [success=ok ignore=ignore default=bad]        pam_google_authenticator.so nullok
auth    required        pam_permit.so

    It allows to skip prompt for password when public key was given.

    • 0