
I am trying to add 2FA to sshd using PAM from the oathtool package. I want two ways to log in to the server:

  • publickey and 2FA, or
  • password and 2FA

So far I have managed to add 2FA to publickey authentication, but I don't know how to join password with 2FA.

My sshd_config (OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014):

```
AuthenticationMethods publickey,keyboard-interactive:pam password,keyboard-interactive:pam
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
```

PAM sshd:

```
auth required pam_oath.so usersfile=/etc/users.oath window=30
```

But this config makes no sense: when I try to log in using password+2FA, I am asked twice for 2FA (once as password, second as OATH).

mefju
  • If you are trying to implement 2FA with a PAM module, the focus needs to be on your `auth` PAM stack. Please provide the list of modules in order. sshd_config isn't really the focus of this. – Andrew B Apr 12 '14 at 07:37
  • As mefju said, we need to see your PAM stack. I have a [howto here](http://www.howtoforge.com/manage-two-factor-authentication-in-your-serverfarm-with-privacyidea) that tells how to use 2FA with YubiKey and ssh. It relies on an authentication backend but also gives you an idea of how to configure PAM. – cornelinux Jul 10 '14 at 21:47

0 Answers