On 29/01/2021 20:40, Avila, Geoffrey wrote:
I understand from the reading of the manpage that there is no "publickey:pam" string that would allow for just a 2FA prompt if a valid public key was presented?
I'm sorry, but I don't understand what you're asking. The config you have asks for a public key auth first, and then asks for a PAM auth, and lets the user in if both succeed. What do you want to happen instead?
I'm a little unclear as to why "password" and "keyboard-interactive" are seen as two distinct authentication methods...
Because they are two different authentication mechanisms in the SSH protocol itself (RFC 4252, RFC 4256).
As I understand it, password is just a password, whereas keyboard-interactive allows for prompt-response-prompt-response-... (so for example, can be used for challenge-response tokens). The PAM API also works in a prompt-response manner, via the conversation function <http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_conv>.
Regards, Brian.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
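The server-side configuration Brian describes (a valid public key first, then a PAM-driven second factor over keyboard-interactive), written out as an added example that is not part of the thread; it assumes a Linux host running OpenSSH 8.x with PAM support, and the directive names are those documented in sshd_config(5).

```conf
# Added example, not from the thread: sshd_config excerpt for
# "public key, then PAM second factor". Assumes OpenSSH 8.x on Linux.

# Hand keyboard-interactive prompts to PAM. PAM's conversation function
# maps directly onto the prompt/response exchanges of RFC 4256.
UsePAM yes
# Enables the keyboard-interactive method. On OpenSSH 8.7 and later the
# directive is also spelled KbdInteractiveAuthentication.
ChallengeResponseAuthentication yes

# "password" is a separate method in the SSH protocol (RFC 4252). Turn it
# off so the only route into PAM is keyboard-interactive, which is the one
# that can carry a multi-prompt or challenge/response exchange.
PasswordAuthentication no

# Both methods must succeed, in this order. The ":pam" suffix is only
# defined for keyboard-interactive (it pins that stage to the PAM device);
# publickey has no such suffix, so "publickey:pam" is not a valid method.
AuthenticationMethods publickey,keyboard-interactive:pam
```

Which prompts the PAM stage actually shows (password, one-time code, or both) is decided by the modules in the PAM "sshd" service stack, not by sshd itself; so a "2FA-only prompt after a good key" is a PAM stack question, with the above sshd_config left unchanged.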