Situation:
I have activated Google Authenticator 2FA for SSH logins on Ubuntu 16.04 but made it optional in the /etc/pam.d/sshd:
auth required pam_google_authenticator.so nullok
I have setup the 2FA for accounts which can login from the Internet but not for accounts which are restricted to access from the same subnet because there are cronjobs running which have to transfer stuff from server to server.
This works fantastic for every account except root which is of course restricted to exactly one IP address because production and standby servers have to exchange SSL keys.
Case A: When I try to login with a normal user account with SSH key but without 2FA: no problem.
Case B: When I try to login with root with SSH key but without 2FA I get this error in /var/log/auth.log:
Aug 20 23:39:59 host01 sshd[28638]: fatal: Internal error: PAM auth succeeded when it should have failed
Your help would be very appreciated.