google / google-authenticator-libpam

Apache License 2.0

Please document GA+publickey in RHEL/CentOS 7 #49

Closed. reppep closed this 3 years ago

reppep commented 7 years ago

I found dozens of articles about how to use GA with OpenSSH in RHEL/CentOS, but few that discuss combining GA with public-key auth, and most of those are for RHEL/CentOS 6. The consensus seems to be that /etc/ssh/sshd_config should include:

```
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
```

I have tried various flavors of 'auth' lines at top and bottom of /etc/pam.d/sshd, but either I get no GA prompt when I have a key, or I get a password prompt (which doesn't work -- we don't set UNIX passwords) instead of a TOTP prompt.

Please document this configuration.
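An added configuration example, not taken from the issue or from google-authenticator-libpam, showing the combination the reporter describes on RHEL/CentOS 7. The sshd_config directives are the ones quoted above; the PAM change is that the stock `auth substack password-auth` line, which is what asks for the UNIX password through pam_unix, is taken out of the auth section before `pam_google_authenticator.so` is added. Public-key checking is done by sshd itself and never enters PAM; only the `keyboard-interactive` step runs the PAM auth stack, and it does so only while `UsePAM` and `ChallengeResponseAuthentication` are both `yes`.

```conf
# /etc/ssh/sshd_config (RHEL/CentOS 7, OpenSSH 7.4) -- only the relevant directives
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
# The key is checked first, then the PAM keyboard-interactive stack; both must succeed.
AuthenticationMethods publickey,keyboard-interactive

# /etc/pam.d/sshd -- auth section only; the remaining stock lines are left unchanged
auth       required     pam_sepermit.so
# The stock "auth substack password-auth" line is what produces the UNIX password
# prompt (pam_unix). It is removed here so the only challenge is the TOTP code.
#auth      substack     password-auth
auth       required     pam_google_authenticator.so
auth       include      postlogin
```

Add `nullok` to the `pam_google_authenticator.so` line only if users without a `~/.google_authenticator` file should still be able to log in with their key alone during rollout; without it, such users are refused. Keep an existing SSH session open while restarting sshd so a mistake in either file does not lock you out.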

roeme commented 3 years ago

@ThomasHabets IMHO it wouldn't be wrong to close this issue, as it's most likely a peculiarity with the PAM setup that @reppep has described.

Briefly put, combining OpenSSH's pubkey-authentication and ChallengeResponse-style auths in PAM needs some work by the sysadmin, since a successful pubkey-authentication cannot be readily exposed to the PAM stack through the stacking model parameters PAM uses. One needs to "re-inject" SSH_AUTH_INFO_0 as a success code as appropriate through a custom module.

It's a finesse/issue that is by no means unique to google-authenticator-libpam.
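An added example, not part of the issue or of the project, of the mechanism roeme refers to. sshd exports the methods already completed for the connection to the PAM environment as `SSH_AUTH_INFO_0`, and `pam_exec.so` hands that environment to the program it runs, so a short script placed ahead of `pam_google_authenticator.so` can confirm that a public key was accepted before the TOTP prompt is reached. The script name and path are hypothetical; the assumed format of `SSH_AUTH_INFO_0` is one completed method per line, such as `publickey ssh-ed25519 AAAA...`.

```shell
#!/bin/sh
# Hypothetical pam_exec helper (added example, not from google-authenticator-libpam).
# Wire it into /etc/pam.d/sshd before the TOTP module, for example:
#   auth required pam_exec.so quiet /usr/local/sbin/require-pubkey.sh
#   auth required pam_google_authenticator.so
# pam_exec passes the PAM environment to the child, which is where sshd places
# SSH_AUTH_INFO_0 (assumed format: one line per completed method, e.g.
# "publickey ssh-ed25519 AAAAC3..."), together with PAM_USER, PAM_RHOST and PAM_TYPE.

# Returns 0 when the given SSH_AUTH_INFO_0 content records a completed
# publickey method, 1 otherwise. Matching is anchored so that only a line
# starting with the literal method name "publickey " counts.
auth_info_has_publickey() {
    printf '%s\n' "$1" | grep -q '^publickey '
}

# Exit status is what PAM sees: 0 means success, anything else is a failure
# of this module in the stack.
pam_check() {
    # Only enforce during the auth phase; account/session calls pass through.
    if [ "${PAM_TYPE:-}" != "auth" ]; then
        exit 0
    fi
    if auth_info_has_publickey "${SSH_AUTH_INFO_0:-}"; then
        exit 0
    fi
    # Record the refusal so it shows up next to sshd's own log lines.
    logger -t require-pubkey "user=${PAM_USER:-?} rhost=${PAM_RHOST:-?} no publickey in SSH_AUTH_INFO_0"
    exit 1
}

# Run the check only when executed under the installed name, not when the
# file is sourced to test the helper function.
case "$0" in
    *require-pubkey.sh) pam_check ;;
esac
```

With `AuthenticationMethods publickey,keyboard-interactive` in place sshd already refuses to start keyboard-interactive until a key has been accepted, so this check is defence in depth: it keeps the TOTP stack from being reachable without a key if that sshd directive is later dropped or overridden in a `Match` block. Use `requisite` instead of `required` on the `pam_exec.so` line if the stack should stop immediately rather than still showing the TOTP prompt before failing.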