Dear Darren, James, > 1) Use the per-auth-type PAM configs as per > https://bugzilla.mindrot.org/show_bug.cgi?id=2246. > 2) Configure the ssh-passwd stack to have just pam_unix.so and the > ssh-kbdint stack to have just pam_signal.so. > 3) Put "AuthenticationMethods password,keyboard-interactive > publickey,keyboard-interactive" into sshd_config. > > sshd should offer you either of publickey or password first then > proceed to keyboard-interactive. One downside of such an approach is that "password", as far as I understand, has less feature than "keyboard-interactive:pam". For example, it does not support "password change": if you are want to be able to force your users to change their password on the next successful logins, that won't work with "password". > OR (and this one is fuzzier) What do you mean by "fuzzier"? It looks simpler to me ;) Full disclosure: I'm one of the author of that patch > a) Use "expose authentication information to PAM" as per > https://bugzilla.mindrot.org/show_bug.cgi?id=2408 > b) Put "AuthenticationMethods "publickey,keyboard-interactive > keyboard-interactive" in sshd_config > c) Put both pam_unix.so and pam_signal.so in the PAM config and have > it somehow check for the indication that pubkey has been successful > and if found, skip pam_unix somehow. I don't know of a way to do that > offhand though. You need a small pam module for that, for example https://github.com/CERN-CERT/pam_2fa/blob/master/pam_ssh_user_auth.c For more details on how to use that patch: https://cern-cert.github.io/pam_2fa/#using-a-smart-pam-configuration (The rest of that page explains why we think we need that patch) A small additional benefit of that patch is that pam will have more information on what made the first factor succeed and can be then used to learn "who connected as root" (shared account) and match this information to the corresponding 2nd factor (valid for that particular account and not simply any user allowed to login with that account). Cheers, Vincent
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
