Home / ubuntu / Questions / 992483
Accepted
NerdOfLinux
Asked: 2018-01-05 21:36:27 +0800 CST

Google Authenticator SSH password or key

  • 772

I have set up libpam-google-authenticator according to https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

It works, but the problem is that I can't log in with a password, it need to be with a key. If there is no key, I get permission denied public key without even being asked for a password. How can I get it to work with a public key + two factor OR password + two factor?

ssh

1 Answers

  1. Best Answer

    I somewhat came up with a solution.

    First, create a user with no password, something like:

    sudo adduser backup --disabled-password

    then in /etc/ssh/sshd_config:

    Match User backup
    AuthenticationMethods publickey keyboard-interactive
    ForceCommand sudo login

    and at the bottom of sudo visudo:

    backup ALL=(ALL:ALL) NOPASSWD:/bin/login

    Finally, run 

    google-authenticator

    as the user backup. Or, you could copy your 

    .google_authenticator

    file to the new user.

    Now, whenever I need to login without my private key, I ssh into the user backup, enter my two-factor code, then I get the system login prompt that allows me to login to my main user.

    • 0