Allow Users to Auth with key then require MFA

jeremyhagan
Posts: 8
Joined: 2015/12/08 04:16:30


Post by jeremyhagan » 2019/01/08 01:39:31

Hello all,

I've followed various guides on how to set up Google Authenticator with Linux, and they all seem to ignore the issue that a user needs to be able to log in once without MFA in order to set it up.

My goal is:
- to have a failsafe account which doesn't require MFA, in case Google Authenticator stops working on the machine
- to be able to add users, have them authenticate with their SSH key, and force them to set up MFA

I can achieve the first goal by using "Match User" in sshd_config; however, I can't seem to get the second one to work.
The relevant lines in my /etc/pam.d/sshd are:

Code:

auth       required     pam_sepermit.so
#auth       substack     password-auth
...
auth required pam_google_authenticator.so nullok

and my /etc/ssh/sshd_config has the following lines:

Code:

#PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User failsafe-user
       AuthenticationMethods publickey

I was under the misapprehension that having "nullok" on the end would mean that users who didn't have google-authenticator set up would get a positive result for keyboard-interactive, but this doesn't seem to be the case. Is there some config which will allow users to authenticate with just publickey if they don't have google-authenticator set up, and still prompt them for the verification code if they do?
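The posted auth stack is worth tracing by hand, because the symptom follows from how Linux-PAM combines module results rather than from the sshd side. pam_sepermit returns PAM_IGNORE for a user who is not listed in sepermit.conf, the password-auth substack is commented out, and google-authenticator-libpam's documentation describes nullok as returning PAM_IGNORE (not PAM_SUCCESS) for a user who has no secret file yet. Linux-PAM treats a stack in which every module was ignored as having produced no decision and fails it with PAM_PERM_DENIED, so keyboard-interactive is refused for exactly the users nullok was meant to let through, while enrolled users are prompted as expected. The model below is an added illustration written for this thread, not code from the post or from Linux-PAM or the Google Authenticator module: it implements the dispatch rules for the four classic control keywords, runs the posted stack against constructed user records, and then shows the same stack with a trailing `auth required pam_permit.so` line, the remedy the module's documentation suggests for this situation (an assumption here, not something the poster has tried). The user records, codes and module behaviours are simplified stand-ins.

```python
"""Toy model of Linux-PAM 'auth' stack dispatch (constructed example).

Only the four classic control keywords and four return codes are modelled,
enough to show how a stack where every module returns PAM_IGNORE is decided.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # Linux-PAM's PAM_MUST_FAIL_CODE

# How each classic control keyword maps a module's return code onto an action.
CONTROL_ACTIONS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class Rule:
    control: str
    module: str                      # for display only
    run: Callable[[Dict], str]       # module behaviour given a user record


def dispatch(stack: List[Rule], user: Dict) -> str:
    """Evaluate an auth stack the way Linux-PAM does.

    'ok' records the first positive result, 'bad' the first failure, 'die'
    fails immediately, 'done' returns success unless an earlier required
    module already failed. If no module ever gave a result, the stack fails.
    """
    impression = None        # None = undefined, True = positive, False = negative
    status = PAM_SUCCESS
    for rule in stack:
        rc = rule.run(user)
        key = "success" if rc == PAM_SUCCESS else "ignore" if rc == PAM_IGNORE else "default"
        actions = CONTROL_ACTIONS[rule.control]
        action = actions.get(key, actions["default"])
        if action == "ignore":
            continue
        if action == "ok":
            if impression is None:
                impression, status = True, rc
        elif action == "done":
            if impression is None or (impression and status == PAM_SUCCESS):
                return rc
        elif action == "bad":
            if impression is not False:
                impression, status = False, rc
        elif action == "die":
            return rc
    return PAM_PERM_DENIED if impression is None else status


def pam_sepermit(user: Dict) -> str:
    # Modelled for the common case only: a user not listed in sepermit.conf is ignored.
    return PAM_IGNORE


def pam_google_authenticator_nullok(user: Dict) -> str:
    # Assumption taken from the module's documentation: with nullok, a user who has
    # no secret file is ignored rather than approved; enrolled users are verified.
    if user.get("totp_secret") is None:
        return PAM_IGNORE
    return PAM_SUCCESS if user.get("entered_code") == user.get("expected_code") else PAM_AUTH_ERR


def pam_permit(user: Dict) -> str:
    return PAM_SUCCESS


# The stack as posted: sepermit, the password-auth substack commented out, then the OTP module.
POSTED_STACK = [
    Rule("required", "pam_sepermit.so", pam_sepermit),
    Rule("required", "pam_google_authenticator.so nullok", pam_google_authenticator_nullok),
]

# The same stack with one module that always gives a definite answer (assumed remedy).
STACK_WITH_PERMIT = POSTED_STACK + [Rule("required", "pam_permit.so", pam_permit)]

# Constructed user records; codes are placeholders, not real TOTP values.
NEW_USER = {"totp_secret": None}
ENROLLED_OK = {"totp_secret": "constructed", "expected_code": "123456", "entered_code": "123456"}
ENROLLED_BAD = {"totp_secret": "constructed", "expected_code": "123456", "entered_code": "000000"}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("with pam_permit", STACK_WITH_PERMIT)):
        for label, user in (("new user", NEW_USER), ("enrolled, right code", ENROLLED_OK),
                            ("enrolled, wrong code", ENROLLED_BAD)):
            print(f"{name:16} {label:22} -> {dispatch(stack, user)}")
```

Running it prints PAM_PERM_DENIED for the new user on the posted stack and PAM_SUCCESS for the same user once a module returns a definite result, while an enrolled user with a wrong code fails with PAM_AUTH_ERR in both cases because the first `required` failure is what the stack reports. Whatever change is made, the `AuthenticationMethods publickey,keyboard-interactive` line still demands that the key check passes first, so a user without a secret file is still authenticated by their key; the pam_permit line only makes the OTP step a pass-through for them rather than a dead end.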
