I've followed various guides on how to set up Google Authenticator with Linux, and they all seem to ignore the issue that a user needs to be able to log in once without MFA to be able to set it up.
My goal is:
- to have a failsafe account which doesn't require MFA in case google authenticator stops working on the machine
- to be able to add users and have them authenticate with their ssh key and force them to set up MFA
I can achieve the first goal by using "Match User" in sshd_config, however I can't seem to get the second option to work.
The relevant lines in my /etc/pam.d/sshd are:
auth required pam_sepermit.so
#auth substack password-auth
...
auth required pam_google_authenticator.so nullok
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User failsafe-user
AuthenticationMethods publickey
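The two snippets above interact in a way that is easy to misread: `Match User` decides which SSH authentication stages a user must pass, while `nullok` on `pam_google_authenticator.so` decides whether the keyboard-interactive stage actually demands a code for a user who has no ~/.google_authenticator yet. The following audit script is an added example written for this post, not code from the poster or from the google-authenticator project. It parses the two files (constructed copies of the snippets are embedded inline), applies sshd's rule that a matching Match block overrides the global value, and reports for a given user whether MFA is required, optional until enrolled, or absent. Only the `User` criterion of Match is evaluated; the function and file names are my own.

```python
"""Audit sshd_config + /etc/pam.d/sshd for the MFA enrollment gap.

Hypothetical helper written for this example; reads config text, not live files.
"""

# Constructed sample inputs mirroring the snippets in the post.
SAMPLE_SSHD_CONFIG = """\
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User failsafe-user
    AuthenticationMethods publickey
"""

SAMPLE_PAM_SSHD = """\
auth required pam_sepermit.so
#auth substack password-auth
auth required pam_google_authenticator.so nullok
"""


def _parse_sshd_config(text):
    """Split sshd_config into global directives and a list of Match blocks.

    Returns ({keyword_lower: first_value}, [(criteria_tokens, {keyword: value})]).
    sshd keeps the first value it sees for a keyword, hence setdefault().
    """
    global_opts = {}
    blocks = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value.split(), current))
            continue
        current.setdefault(key, value)
    return global_opts, blocks


def _block_matches(criteria, user):
    """True if every criterion of a Match line holds for `user`.

    Only 'User name1,name2' is understood here; any other criterion
    (Group, Address, ...) is treated as unmet, so extend this if you use them.
    """
    if len(criteria) % 2:
        return False
    for crit, arg in zip(criteria[::2], criteria[1::2]):
        if crit.lower() != "user" or user not in arg.split(","):
            return False
    return True


def effective_methods(sshd_text, user):
    """AuthenticationMethods in force for `user` ('any' is sshd's default)."""
    global_opts, blocks = _parse_sshd_config(sshd_text)
    for criteria, opts in blocks:
        if _block_matches(criteria, user) and "authenticationmethods" in opts:
            return opts["authenticationmethods"]
    return global_opts.get("authenticationmethods", "any")


def google_authenticator_nullok(pam_text):
    """True if pam_google_authenticator.so carries 'nullok' (an unenrolled
    user passes the keyboard-interactive step with no code), False if it is
    configured strictly, None if the module is not referenced at all."""
    for raw in pam_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if "pam_google_authenticator.so" in tokens:
            return "nullok" in tokens
    return None


def audit_user(sshd_text, pam_text, user):
    """Classify what `user` must present to log in under these two files."""
    methods = effective_methods(sshd_text, user)
    if methods == "any":
        return "no required MFA stage (AuthenticationMethods not set)"
    stages = [s.strip() for s in methods.split(",")]
    if "keyboard-interactive" not in stages:
        return "key-only (no MFA stage for this user)"
    nullok = google_authenticator_nullok(pam_text)
    if nullok is None:
        return "keyboard-interactive without google-authenticator in PAM"
    if nullok:
        return "MFA only once enrolled (nullok lets unenrolled users through)"
    return "MFA enforced (unenrolled users are locked out)"


if __name__ == "__main__":
    for name in ("alice", "failsafe-user"):
        print(f"{name}: {audit_user(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD, name)}")
```

Run against the post's own snippets it reports that `failsafe-user` is key-only and that every other user gets "MFA only once enrolled": with `nullok` present, a freshly added user whose key works but who has not run the enrollment tool never hits an MFA prompt, which is exactly the second goal failing. Dropping `nullok` flips the report to "MFA enforced" but then locks out users until they are enrolled, so enrollment has to happen through some path that does not depend on the PAM stack. For the live system, `sshd -T -C user=NAME` prints the effective options sshd itself computes for a Match evaluation and is the authoritative check for the SSH half.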