Closed darima001 closed 5 years ago
`/etc/pam.d/common-auth` presumably uses `pam_unix`, so yeah if you don't want to use passwords then you can't include `common-auth`.
And no, that's the way to get pubkey+OTP.
We got an answer to our question on libpam. Our solution is the correct one.
Darima
On 19 Mar 2019, at 14:56, Thomas Habets <notifications@github.com> wrote:
Closed #124 (https://github.com/google/google-authenticator-libpam/issues/124).
Great!
Sorry for the late reply. I was on vacation.
I am setting up 2FA password-free ssh login to an Ubuntu 18.04 server. The goal is to use as two factors: a) SSH public key and b) google-authenticator's one-time password.
Unfortunately, SSH prompts me for a password unless I disable common-auth in /etc/pam.d/ssh. Setting ChallengeResponseAuthentication to no causes sshd.service to fail to start. For the details of my setup see below.
My questions are:
Thank you for your time!
My setup:
Command used for installation: sudo apt-get install libpam-google-authenticator
Edit /etc/pam.d/sshd:
@include common-auth
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
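A small audit of the two files discussed in this thread, added here as an example; it is not code from the thread or from the google-authenticator-libpam project. The sample file contents are constructed, the `auth required pam_google_authenticator.so` line is an assumption (the issue as captured shows only the `@include common-auth` line), and Match blocks in sshd_config are assumed absent.

```python
import re

# Constructed sample files for illustration; not taken from a real host.
PAM_WITH_COMMON_AUTH = "@include common-auth\nauth required pam_google_authenticator.so\n"
PAM_OTP_ONLY = "#@include common-auth\nauth required pam_google_authenticator.so\n"
SSHD_CONFIG = ("PasswordAuthentication no\n"
               "ChallengeResponseAuthentication yes\n"
               "AuthenticationMethods publickey,keyboard-interactive\n")

def active_lines(text):
    """Return config lines with comments and blank lines dropped."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [line for line in lines if line]

def audit(pam_sshd, sshd_config):
    """List settings that defeat the passwordless pubkey+OTP goal."""
    findings = []
    pam = active_lines(pam_sshd)
    if any(re.fullmatch(r"@include\s+common-auth", l) for l in pam):
        findings.append("pam: common-auth is included, expect a password prompt")
    if not any(re.match(r"auth\s.*\bpam_google_authenticator\.so\b", l) for l in pam):
        findings.append("pam: no auth line for pam_google_authenticator.so")
    # sshd keywords are case-insensitive and the first occurrence wins.
    # Assumption: no Match blocks override these settings.
    opts = {}
    for line in active_lines(sshd_config):
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    if opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("sshd: PasswordAuthentication is not 'no'")
    # Each space-separated list is an alternative; all must need both factors.
    alternatives = opts.get("authenticationmethods", "any").split()
    required = [{m.split(":")[0] for m in alt.split(",")} for alt in alternatives]
    if not all({"publickey", "keyboard-interactive"} <= r for r in required):
        findings.append("sshd: AuthenticationMethods does not require key and OTP")
    uses_kbd = any("keyboard-interactive" in r for r in required)
    if uses_kbd and opts.get("challengeresponseauthentication", "yes").lower() == "no":
        findings.append("sshd: keyboard-interactive needs ChallengeResponseAuthentication yes")
    return findings

if __name__ == "__main__":
    for name, pam in (("with common-auth", PAM_WITH_COMMON_AUTH), ("OTP only", PAM_OTP_ONLY)):
        print(name, audit(pam, SSHD_CONFIG) or "ok")
```
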