When sshd is set to UsePAM, password authentication will use the PrivacyIdea PAM module as well as the regular password authentication in a regular prompt without the custom text of the PAM module. Forcing one mode instead of both would allow sshd to use 2 authentications like password,keyboard-interactive or publickey,keyboard-interactive and prompt for 2FA only during the keyboard-interactive phase and return PAM_AUTHINFO_UNAVAIL during keyboard phase.
In the common-auth configuration file, this would look like this:
This is inspired by the article: https://sudonull.com/post/73132-Experience-implementing-2fa-on-linux-with-duosecurity-QIWI-Blog in which the person inspects the response to get the difference between both modes.
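The sshd side of the setup described above can be checked mechanically. The following is an added example, not part of the original post or of the PrivacyIdea project: a Python audit of effective sshd settings that reports any AuthenticationMethods chain that can complete without keyboard-interactive, or that has no first factor before it. It assumes input in the lowercase `keyword value` form that `sshd -T` prints; the sample inputs and function names are constructed for illustration.

```python
# Added example: the sample inputs below are constructed, not taken from a real host.
GOOD = """\
usepam yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive password,keyboard-interactive:pam
"""
WEAK = """\
usepam yes
kbdinteractiveauthentication yes
authenticationmethods publickey password,keyboard-interactive
"""


def parse_effective(text):
    """Parse 'keyword value' lines; the first occurrence of a keyword wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg


def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    cfg = parse_effective(text)
    findings = []
    if cfg.get("usepam") != "yes":
        findings.append("UsePAM is off: the PAM 2FA module is never consulted")
    # Older OpenSSH releases name this option ChallengeResponseAuthentication.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication"))
    if kbd != "yes":
        findings.append("keyboard-interactive authentication is disabled")
    # Space-separated chains are alternatives; each chain is a comma-separated
    # sequence that must be completed in order. An unset value means "any".
    for chain in cfg.get("authenticationmethods", "any").split():
        steps = [step.split(":")[0] for step in chain.split(",")]
        if "keyboard-interactive" not in steps:
            findings.append(f"chain '{chain}' completes without keyboard-interactive")
        elif len(steps) < 2:
            findings.append(f"chain '{chain}' has no first factor")
    return findings


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(sample) or "ok")
```
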