I was wondering if it is possible to accomplish the following, all at the same time:

  • Disable root logins
  • Enable SSH login for personal user, only via SSH keys
  • Enable SSH login for unprivileged user, with password authentication and two-factor authentication only

Using the Match block in sshd_config I was able to set this up so that in general PasswordAuthentication was disabled except for the unprivileged user (let's call it peon). SSH keys were required for logging in to the personal user (who has sudo capabilities).

However, when I try to enable two-factor authentication (pam_google_authenticator) I have to turn on ChallengeResponseAuthentication which seems to not work in a Match block, and is therefore turning password authentication back on for everyone.

Is there a way to accomplish this? I'm not overly great with this type of stuff, so detailed explanations would be really appreciated.

Thanks!

Brandon

1 Answer

Recent versions of openssh include the AuthenticationMethods option:

    Specifies the authentication methods that must be successfully completed for a user to be granted access.

Debian backported openssh-6.2 a while back, so I expect this to be available in Raspbian as well.

You can have the main block of your sshd_config with ChallengeResponseAuthentication enabled:

ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no

and then use AuthenticationMethods in your Match blocks (use Group matching instead of User matching to ease scalability):

Match Group personal
  AuthenticationMethods publickey

Match Group peon
  PasswordAuthentication yes
  AuthenticationMethods publickey,keyboard-interactive

Additionally, you can use pam_succeed_if(8) to trigger the two-factor authentication only if a matching group requires it:

# Skip the next module (the OTP prompt) when the user is NOT in group peon,
# so only members of that group are asked for the second factor.
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup peon
auth required pam_google_authenticator.so
dawud
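To see what each user actually ends up with once these Match blocks are combined with the global section, here is a small resolver, added as an example and not part of the answer. It models only the User and Group criteria, and the users alice, peon and root with the group memberships shown are assumed.

```python
"""Resolve which sshd_config settings a user ends up with when global
defaults are combined with Match Group blocks (added example, not code from
the original post; the users and groups below are assumed)."""

# Constructed from the answer's snippets; assumes groups 'personal' and 'peon'.
SSHD_CONFIG = """\
ChallengeResponseAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match Group personal
  AuthenticationMethods publickey
Match Group peon
  PasswordAuthentication yes
  AuthenticationMethods publickey,keyboard-interactive
"""

GROUPS = {"alice": ["personal", "sudo"], "peon": ["peon"], "root": ["root"]}  # assumed


def parse(text):
    """Return [(criteria, keywords), ...]; entry 0 has no criteria and holds
    the global section. Within a section sshd keeps the first value it sees."""
    blocks = [({}, {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            parts = value.split()  # "Group peon,sudo" -> {"group": "peon,sudo"}
            blocks.append((dict(zip([p.lower() for p in parts[0::2]], parts[1::2])), {}))
        else:
            blocks[-1][1].setdefault(key, value.strip())
    return blocks


def matches(criteria, user, groups):
    # Only User and Group criteria are modelled; sshd has several more.
    return all((k == "user" and user in v.split(",")) or
               (k == "group" and any(g in groups.get(user, []) for g in v.split(",")))
               for k, v in criteria.items())


def effective(text, user, groups):
    """Matching Match blocks override the global section; when several match,
    the first block that sets a keyword wins, as in sshd."""
    global_opts, *match_blocks = parse(text)
    result = {}
    for criteria, opts in match_blocks + [global_opts]:
        if matches(criteria, user, groups):
            for k, v in opts.items():
                result.setdefault(k, v)
    return result
```

On a real host the authoritative check is `sshd -T -C user=peon,host=localhost,addr=127.0.0.1`, which prints the configuration sshd would apply to that connection.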
  • While I know use of `User` isn't the focus of your answer, I'd still recommend changing the example to using `Group` instead of `User`. Embedding usernames in a config file tends not to scale well. – Andrew B Mar 02 '14 at 21:15
  • It's just for a Raspberry pi at the moment :) – Brandon Mar 03 '14 at 04:39
  • 3
    `Bad configuration option: AuthenticationMethods` -- `Directive 'AuthenticationMethods' is not allowed within a Match block` Does this mean I need to update ssh? – Brandon Mar 03 '14 at 04:43