I have a small web-facing server on my home network. It is headless, and the only way to log in is to ssh with pubkey authentication from within the local network.
I wanted to turn on a 2FA authentication PAM module for anybody attempting to log in as root. I have disabled root login via ssh, and sudo is not installed, so the only way to perform root actions is to log in as root. My question is: is it sufficient to only enable the 2FA module in /etc/pam.d/su? Could an unprivileged user trigger a root login over ssh without using su?