On 26/01/2021 19:04, Avila, Geoffrey wrote:
We have an ssh login host we've protected with Duo's 2FA pam module. We're allowing both password auth and ssh-keys. Problem is, those users with a valid ssh key are instantly allowed to log in-the pam stack for the duo .so module never gets called, and the users are never prompted for 2FA. Is there a way to compel the execution of PAM modules before OpenSSH completes the login process for the user?
I use the following (with Yubikey PAM module for 2FA): # Policy for authentication: require both pubkey *and* PAM AuthenticationMethods publickey,keyboard-interactive:pam # From local and VPN addresses, 2FA not required Match Address 192.168.0.0/16,10.0.0.0/8 AuthenticationMethods publickey _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
