Re: pam_duo 2FA && ssh-key access


 



On 29/01/2021 20:40, Avila, Geoffrey wrote:
> I understand from the reading of the manpage that there is no
> "publickey:pam" string that would allow for just a 2FA prompt if a valid
> public key was presented?

I'm sorry, but I don't understand what you're asking.  The config you have asks for a public key auth first, and then asks for a PAM auth, and lets the user in if both succeed.  What do you want to happen instead?

> I'm a little unclear as to why "password" and "keyboard-interactive" are
> seen as two distinct authentication methods...

Because they are two different authentication mechanisms in the SSH protocol itself (RFC 4252, RFC 4256).

As I understand it, password is just a password, whereas keyboard-interactive allows for prompt-response-prompt-response-... (so for example, can be used for challenge-response tokens).  The PAM API also works in a prompt-response manner, via the conversation function <http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_conv>.

Regards,

Brian.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
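
A simplified model of the behaviour discussed in this message, added here as an example (it is not code from OpenSSH or from either poster): method lists are consumed in order, and "password" never satisfies a "keyboard-interactive" entry. The class and function names are hypothetical, the setting string is a constructed sample, and the matching rules follow the AuthenticationMethods description in sshd_config(5) rather than sshd's source.

```python
# Added example: simplified model of AuthenticationMethods as described in
# sshd_config(5). Names here are hypothetical; this is not sshd's own code.

def parse_methods(value):
    """Split 'a,b c,d' into [['a', 'b'], ['c', 'd']] (lists of ordered methods)."""
    return [lst.split(",") for lst in value.split()]

def matches(required, method, device=None):
    """True if a completed SSH method satisfies one required entry.

    'keyboard-interactive:pam' accepts only keyboard-interactive served by the
    pam device; a bare name accepts any device.
    """
    name, _, want_device = required.partition(":")
    return name == method and (not want_device or want_device == device)

class AuthState:
    def __init__(self, value):
        self.remaining = parse_methods(value)

    def offered(self):
        """Methods advertised to the client: the next entry of each list."""
        return sorted({lst[0].partition(":")[0] for lst in self.remaining if lst})

    def succeed(self, method, device=None):
        """Client completes one method: 'denied', 'partial' or 'complete'."""
        advanced = [lst for lst in self.remaining
                    if lst and matches(lst[0], method, device)]
        if not advanced:
            return "denied"  # method is not next in any list
        for lst in advanced:
            lst.pop(0)
        if any(not lst for lst in self.remaining):
            return "complete"  # every method of at least one list is done
        return "partial"

def demo():
    # Constructed setting: public key first, then a PAM-driven prompt.
    state = AuthState("publickey,keyboard-interactive:pam")
    return [
        state.offered(),
        state.succeed("password"),
        state.succeed("publickey"),
        state.offered(),
        state.succeed("password"),
        state.succeed("keyboard-interactive", "pam"),
    ]

if __name__ == "__main__":
    print(demo())
```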



