Score:1

SSH authentication: (public key xor password) + google authenticator code


I'm using Debian bullseye. I'm trying to set up two types of SSH logins:

  1. password + code from Google's Authenticator (if user set it, "nullok" option),
  2. public key + code from Google's Authenticator (if user set it, "nullok" option).

Type #1 works for me. In type #2 I have public key + password (not public key passphrase) + code from GA. I added this line to /etc/ssh/sshd_config:

AuthenticationMethods publickey,keyboard-interactive keyboard-interactive

I'd like the user not to be prompted for a password if a key was supplied. Precisely, how can I bypass the pam_unix.so demand if a public key was provided?

Is there any way to accomplish what I want on one machine? Thanks in advance.

Erhard Czving
The type #2 explanation is not clear to me. It sounds like the SSH key has a passphrase set or what password do you mean? Do you have a custom SSH or PAM config that requires a password even after a successful SSH auth?
Karol
Thanks. I edited my question and I added some info for clarification.
Score:0

Probably I solved it.

CERN's PAM_2FA project contains a minor PAM module: pam_ssh_user_auth.so. This module can tell PAM whether there were any previously successful sshd authentications, such as public key (PAM_SUCCESS). So I made the following changes in:

/etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication yes 
UsePAM yes 
AuthenticationMethods keyboard-interactive:pam publickey,keyboard-interactive:pam

/etc/pam.d/sshd:

auth    [success=2 ignore=ignore default=die]   pam_ssh_user_auth.so
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    [success=ok ignore=ignore default=bad]        pam_google_authenticator.so nullok
auth    required        pam_permit.so

It allows skipping the password prompt when a public key was given.
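To check which modules the stack above actually calls in each login case, here is a small trace of Linux-PAM's control actions (jump, ok, ignore, bad, die) over those five lines; it is an added example, not part of the original answer or of the PAM_2FA project. The names `parse` and `run` are hypothetical, and it assumes pam_ssh_user_auth.so returns PAM_IGNORE when no public key preceded and that pam_google_authenticator.so with nullok returns PAM_IGNORE for a user without a secret.

```python
import re

# The auth stack from the answer's /etc/pam.d/sshd, copied verbatim.
STACK = """\
auth    [success=2 ignore=ignore default=die]   pam_ssh_user_auth.so
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    [success=ok ignore=ignore default=bad]        pam_google_authenticator.so nullok
auth    required        pam_permit.so
"""
# Linux-PAM expansions of the simple control keywords used above.
SIMPLE = {"required": {"success": "ok", "ignore": "ignore", "default": "bad"},
          "requisite": {"success": "ok", "ignore": "ignore", "default": "die"}}

def parse(stack):
    """Return [(module, {return_value: action})] for each auth line."""
    rules = []
    for line in stack.splitlines():
        ctl, module = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        if ctl.startswith("["):
            actions = dict(kv.split("=") for kv in ctl[1:-1].split())
        else:
            actions = SIMPLE[ctl]
        rules.append((module, actions))
    return rules

def run(results, stack=STACK):
    """Walk the stack. `results` maps module -> 'success' | 'ignore' | 'auth_err'
    (constructed inputs). Returns (final_status, modules_called)."""
    rules, i, status, positive, called = parse(stack), 0, "success", False, []
    while i < len(rules):
        module, actions = rules[i]
        # Modules not listed fail, as pam_deny.so always does; pam_permit.so succeeds.
        ret = results.get(module, "success" if module == "pam_permit.so" else "auth_err")
        called.append(module)
        action = actions.get(ret, actions["default"])
        i += 1
        if action.isdigit():            # jump: skip N modules, no vote on the result
            i += int(action)
        elif action == "ok":            # counts only if nothing has failed so far
            if status == "success":
                positive = True
        elif action in ("bad", "die"):  # the first failure decides the final status
            if status == "success":
                status = ret
            if action == "die":         # die also stops the stack immediately
                break
    # With no positive vote at all, Linux-PAM refuses instead of succeeding.
    return (status if status != "success" or positive else "perm_denied"), called
```

For a key login by a user without a Google Authenticator secret, `run` shows that only pam_permit.so casts a positive vote, which is why the last line of the stack is needed alongside nullok.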
