google / google-authenticator-libpam

Apache License 2.0

Using multiple authentication methods with 2FA #134

Closed Danixu closed 5 years ago

Danixu commented 5 years ago

Hello, first, sorry for my English.

I'm trying to add 2-factor authentication to one server while keeping the original behaviour plus Google Authenticator, but I'm unable to achieve it.

What I want is to allow access using password+GAuth and publickey+GAuth, both together. But the most I've got is just password+GAuth or publickey+GAuth, but not both at the same time.

I've followed the configuration steps with an AuthenticationMethods line like this:

AuthenticationMethods password,keyboard-interactive:pam publickey,keyboard-interactive:pam

Is there any way to ask for the GAuth code when a public key is used, and also when a password is used?

Thanks!!

davama commented 5 years ago

In sshd_config file

AuthenticationMethods publickey,keyboard-interactive

Forces
public key+password + GA

Danixu commented 5 years ago

Hello,

Thanks for your response, but it is not exactly what I want (surely my mistake explaining the problem). What I want is one or another:

and the closest configuration I've done was the latest, where I've got password + GA, but public key enters without asking for GA.

Thanks!!

ThomasHabets commented 5 years ago

I'm not aware of this being possible. It would be if OpenSSH sets an environment variable or something for pam_get_item to retrieve.

But I'd say even if that were the case the right thing is to have a dedicated module that essentially does "if pubkey was provided, then return PAM_SUCCESS" and then have PAM config interpret PAM_SUCCESS for that module as "skip pam_unix.so".

So this is out of scope of this project, if it's even possible without patching OpenSSH's PAM code.
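
Added example, not part of the thread and not code from the project or from OpenSSH: a small Python model of how sshd_config(5) documents AuthenticationMethods (space-separated alternative lists, each an ordered comma-separated sequence), applied to the two values quoted above. The function names are hypothetical, and the special value "any" is not modelled.

```python
# Added illustration; models the documented semantics of sshd_config's
# AuthenticationMethods, not OpenSSH's own implementation.

def parse_authentication_methods(value):
    """Split the directive's value into alternative lists of ordered methods."""
    lists = [alt.split(",") for alt in value.split()]
    if not lists or any("" in alt for alt in lists):
        raise ValueError("empty list or empty method name")
    return lists

def _matches(required, done):
    # A bare "keyboard-interactive" requirement accepts any submethod such as
    # "keyboard-interactive:pam"; a qualified requirement must match exactly.
    return required == done or (":" not in required and done.split(":")[0] == required)

def _live(lists, completed):
    """Lists whose leading methods match what the client completed so far."""
    return [alt for alt in lists
            if len(completed) <= len(alt)
            and all(_matches(r, d) for r, d in zip(alt, completed))]

def offered_next(lists, completed):
    """Methods sshd would offer next: the next entry of each live list."""
    return sorted({alt[len(completed)] for alt in _live(lists, completed)
                   if len(alt) > len(completed)})

def is_authenticated(lists, completed):
    """True once every method of at least one list has been completed."""
    return any(len(alt) == len(completed) for alt in _live(lists, completed))

# The two values quoted in the thread.
TWO_PATHS = parse_authentication_methods(
    "password,keyboard-interactive:pam publickey,keyboard-interactive:pam")
ONE_PATH = parse_authentication_methods("publickey,keyboard-interactive")

if __name__ == "__main__":
    for name, lists in (("two lists", TWO_PATHS), ("one list", ONE_PATH)):
        print(name, "first offer:", offered_next(lists, []))
        for first in ("password", "publickey"):
            print("  after", first, "->", offered_next(lists, [first]))
```

With the two-list value, either first factor leads to the same `keyboard-interactive:pam` step, so both paths end in the same PAM conversation; the single-list value never offers `password` at the sshd level.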