google / google-authenticator-libpam

Apache License 2.0

have to disable common-auth for 2FA ssh login #124

Closed darima001 closed 5 years ago

darima001 commented 5 years ago

I am setting up 2FA password-free ssh login to an Ubuntu 18.04 server. The goal is to use as two factors: a) SSH public key and b) google-authenticator's one-time password.

Unfortunately, SSH prompts me for a password unless I disable common-auth in /etc/pam.d/ssh. Setting ChallengeResponseAuthentication to no causes sshd.service to fail to start. For the details of my setup see below.

My questions are:

Thank you for your time!

My setup:

Command used for installation: sudo apt-get install libpam-google-authenticator

Edit /etc/pam.d/sshd:

@include common-auth

auth required pam_google_authenticator.so

Edit /etc/ssh/sshd_config:

PasswordAuthentication no

ChallengeResponseAuthentication yes

AuthenticationMethods publickey,keyboard-interactive

ThomasHabets commented 5 years ago

/etc/pam.d/common-auth presumably uses pam_unix, so yeah if you don't want to use passwords then you can't include common-auth.

And no, that's the way to get pubkey+OTP.
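The point made in this reply, as an added example that is not part of the original thread or the project's code: a small checker that resolves the `@include` lines of the sshd PAM service and reports whether `pam_unix.so` ends up in the auth stack next to the sshd_config settings from the question. The file contents are constructed samples, the `common-auth` line is an assumption (the reply only says it presumably uses pam_unix), and the function names are hypothetical.

```python
import re

# Constructed inputs mirroring the setup in the issue; nothing is read from disk.
SSHD_CONFIG = """PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_FILES = {
    "sshd": "@include common-auth\nauth required pam_google_authenticator.so\n",
    # Assumed content: the thread only says common-auth "presumably uses pam_unix".
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n",
}

def auth_modules(service, files, seen=()):
    """List the auth modules a PAM service runs, following @include lines."""
    if service in seen:  # guard against include loops
        return []
    mods = []
    for raw in files.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if line.startswith("@include "):
            mods += auth_modules(line.split()[1], files, seen + (service,))
        elif m:
            mods.append(m.group(2).rsplit("/", 1)[-1])
    return mods

def sshd_options(text):
    """First value wins per keyword, as in sshd_config; Match blocks are not handled."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def check(sshd_config, pam_files):
    """Return findings that break the public key + OTP, no-password goal."""
    opts, mods = sshd_options(sshd_config), auth_modules("sshd", pam_files)
    findings = []
    if opts.get("authenticationmethods") != "publickey,keyboard-interactive":
        findings.append("AuthenticationMethods is not publickey,keyboard-interactive")
    if opts.get("challengeresponseauthentication", "yes").lower() == "no":
        findings.append("keyboard-interactive is disabled, so the OTP prompt cannot run")
    if "pam_unix.so" in mods:
        findings.append("pam_unix.so is in the sshd auth stack: password prompt")
    if "pam_google_authenticator.so" not in mods:
        findings.append("pam_google_authenticator.so is missing: no OTP factor")
    return findings
```

For the constructed input, `check(SSHD_CONFIG, PAM_FILES)` reports only the `pam_unix.so` finding; with the `@include common-auth` line commented out it returns an empty list.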

darima001 commented 5 years ago

We got an answer to our question on libpam. Our solution is the correct one.

Darima


ThomasHabets commented 5 years ago

Great!

Sorry for the late reply. I was on vacation.