I have sshd server

    sshd -V
        ...
        OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
        ...

running on linux/64 with

    cat sshd_config
        ...
        PubkeyAuthentication yes
        PasswordAuthentication no
        ChallengeResponseAuthentication no
        GSSAPIAuthentication no
        GSSAPICleanupCredentials no
        HostbasedAuthentication no
        RhostsRSAAuthentication no
        RSAAuthentication no
        UseLogin no
        PermitEmptyPasswords no
        UsePrivilegeSeparation yes
        ...

I can ssh in with pubkey auth.

I want to ADD a 2nd factor authentication step; specifically Google Authenticator.

I installed pam-google-authenticator package.

At shell, I exec

    google-authenticator

and create the key.

I edit

    vi /etc/pam.d/sshd
        ...
    +   auth required pam_google_authenticator.so
        ...

and

    vi /etc/ssh/sshd_config
        ...
    -   ChallengeResponseAuthentication no
    +   ChallengeResponseAuthentication yes
    +   KbdInteractiveAuthentication yes
        ...

and restart the daemon

    systemctl restart sshd
        ...
        Dec 7 14:05:59 server systemd[1]: Stopping OpenSSH Daemon...
        Dec 7 14:05:59 server sshd[4821]: Received signal 15; terminating.
        Dec 7 14:05:59 server systemd[1]: Starting OpenSSH Daemon...
        Dec 7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
        Dec 7 14:05:59 server sshd[5112]: Server listening on 127.0.0.1 port 22.
        Dec 7 14:05:59 server sshd[5112]: Server listening on 10.10.16.92 port 22.
        ...

In the client's ssh_config I added

    ...
    Host server.DOMAIN.com
        User root
        ChallengeResponseAuthentication yes
        PreferredAuthentications publickey,keyboard-interactive
        ForwardX11 yes
        ForwardX11Trusted yes
        Compression no
    ...

IIUC, now, when I login from the client to the server, I should ALWAYS be prompted for the Google Authenticator code after a successful pubkey auth.

But when I ssh in to the machine, I still get only the pubkey auth -- never get asked for the GA code, and I can login.

    ssh -v -l root server sshr_server -4v
        OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
        debug1: Reading configuration data /etc/ssh/ssh_config
        debug1: /etc/ssh/ssh_config line 89: Applying options for *.DOMAIN.com
        debug1: /etc/ssh/ssh_config line 147: Applying options for *
        debug1: Connecting to server.DOMAIN.com [10.10.16.92] port 22.
        debug1: fd 3 clearing O_NONBLOCK
        debug1: Connection established.
        debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
        debug1: Enabling compatibility mode for protocol 2.0
        debug1: Local version string SSH-2.0-OpenSSH_6.7
        debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
        debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: server->client chacha20-poly1305@xxxxxxxxxxx <implicit> none
        debug1: kex: client->server chacha20-poly1305@xxxxxxxxxxx <implicit> none
        debug1: sending SSH2_MSG_KEX_ECDH_INIT
        debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
        debug1: Server host key: ED25519 2f:...
        debug1: Host 'server.DOMAIN.com' is known and matches the ED25519 host key.
        debug1: Found key in /etc/ssh/ssh_known_hosts:1
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: expecting SSH2_MSG_NEWKEYS
        debug1: SSH2_MSG_NEWKEYS received
        debug1: SSH2_MSG_SERVICE_REQUEST sent
        debug1: SSH2_MSG_SERVICE_ACCEPT received
        debug1: Authentications that can continue: publickey,keyboard-interactive
        debug1: Next authentication method: publickey
        debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
        debug1: Server accepts key: pkalg ssh-rsa blen 279
        debug1: Authentication succeeded (publickey).
        Authenticated to server.DOMAIN.com ([10.10.16.92]:22).
        debug1: channel 0: new [client-session]
        debug1: Requesting no-more-sessions@xxxxxxxxxxx
        debug1: Entering interactive session.
        debug1: Requesting X11 forwarding with authentication spoofing.
        debug1: Sending environment.
        debug1: Sending env LANG = en_US.UTF-8
        debug1: Sending env DISPLAY = :0

I'm not sure where to look for WHY this isn't working.

How do I get the 2nd-factor step turned on? config change? add'l packages required? etc?

Dan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
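
An added example, not part of the original post: a small audit of the global section of an sshd_config that reports whether a public key and a keyboard-interactive (PAM) step are both required for login. sshd accepts any single successful method unless `AuthenticationMethods` names a list of methods that must all succeed, which matches the "Authentication succeeded (publickey)" line in the debug output above. The sample configs are constructed from the directives shown in the post; `UsePAM yes` and the function names are assumptions.

```python
# Added example (not from the original post). Sample configs are constructed.

def effective(config_text):
    """Global sshd_config settings; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":   # simplification: Match blocks are ignored
            break
        seen.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return seen

def audit(config_text):
    """Return findings; an empty list means key AND PAM code are both required."""
    cfg = effective(config_text)
    findings = []
    if cfg.get("usepam", "no").lower() != "yes":   # upstream default is "no"
        findings.append("UsePAM is not 'yes': the PAM stack is never consulted")
    for kw in ("challengeresponseauthentication", "kbdinteractiveauthentication"):
        if cfg.get(kw, "yes").lower() == "no":
            findings.append(f"{kw} is 'no': keyboard-interactive cannot complete")
    # Login succeeds once every method in any ONE list has succeeded, so each
    # list has to name both factors. The default "any" accepts a single method.
    for methods in cfg.get("authenticationmethods", "any").split():
        names = {m.split(":", 1)[0] for m in methods.split(",")}
        if not {"publickey", "keyboard-interactive"} <= names:
            findings.append(f"AuthenticationMethods list '{methods}' does not require both factors")
    return findings

# Constructed from the directives shown in the post; "UsePAM yes" is an assumption.
AS_POSTED = """\
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
"""
BOTH_REQUIRED = AS_POSTED + "AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("both required", BOTH_REQUIRED)):
        print(name, "->", audit(text) or "publickey + keyboard-interactive enforced")
```

After changing the server configuration, `sshd -t` validates the file before the daemon is restarted.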