SSH authentication: (public key xor password) + google authenticator code

Karol

5/7/23, 1:14 PM

I'm using Debian bullseye. I'm trying to set up SSH two types logins:

password + code from Google's Authenticator (if user set it, "nullok" option),
public key + code from Google's Authenticator (if user set it, "nullok" option).

Type #1 works for me. In type #2 I have public key + password (not public key passphrase) + code from GA. I added this line to /etc/ssh/sshd_config

AuthenticationMethods publickey,keyboard-interactive keyboard-interactive

I'd like to user won't be prompted for password if key was supplied. Precisely, how to bypass pam_unix.so demand if public key was provided?

Is there any way to accomplish what I want on one machine? Thanks in advance.

0 + 0

debian

ssh

pam

google-authenticator

two-factor-authentication

Erhard Czving

5/7/23, 2:19 PM

The type #2 explanation is not clear to me. It sounds like the SSH key has a passphrase set or what password do you mean? Do you have a custom SSH or PAM config that requires a password even after a successful SSH auth?

Karol

5/7/23, 2:32 PM

Thanks. I edited my question and I added some info for clarification.

Score:0

Server

Karol

5/7/23, 8:20 PM

Probably I solved it.

CERN's PAM_2FA project contains minor pam module: pam_ssh_user_auth.so. This module can tell PAM if there was any previously successful sshd authentications like public key (PAM_SUCCESS). So I made following changes in:

/etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication yes 
UsePAM yes 
AuthenticationMethods keyboard-interactive:pam publickey,keyboard-interactive:pam

/etc/pam.d/sshd:

auth    [success=2 ignore=ignore default=die]   pam_ssh_user_auth.so
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    [success=ok ignore=ignore default=bad]        pam_google_authenticator.so nullok
auth    required        pam_permit.so

It allows to skip prompt for password when public key was given.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: SSH authentication: (public key xor password) + google authenticator code

TH: การรับรองความถูกต้อง SSH: (รหัสสาธารณะ xor รหัสผ่าน) + รหัสตัวตรวจสอบความถูกต้องของ Google

RO: Autentificare SSH: (cheie publică sau parolă) + cod de autentificare Google

RU: Аутентификация SSH: (открытый ключ xor пароль) + код аутентификатора Google

VI: Xác thực SSH: (mật khẩu xor khóa công khai) + mã xác thực google

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.