I'm using Ubuntu 14.04.1 (with OpenSSH 6.6 and libpam-google-authenticator 20130529-2).
I'm trying to set up SSH logins where the public key authenticates (without a password) and a user is prompted for a code from Google's Authenticator.
Following/adapting these instructions has gotten me a password prompt as well as a Google Auth prompt:
- https://scottlinux.com/2013/06/02/use-google-authenticator-for-two-factor-ssh-authentication-in-linux/
- http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
- https://wiki.archlinux.org/index.php/Google_Authenticator and https://wiki.archlinux.org/index.php/SSH_keys#Two-factor_authentication_and_public_keys
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
I've installed the package, edited my /etc/ssh/sshd_config
and /etc/pam.d/ssh
files
In /etc/ssh/sshd_config
:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
and at the bottom of /etc/pam.d/ssh
:
auth required pam_google_authenticator.so nullok # (I want to give everyone a chance to set up their 2FA before removing "nullok")
I know PAM is order dependent, but is sshd_config
also?
What am I doing wrong? Any help would be appreciated.