Linux PAM: SSH key + 2FA (google authenticator) + password - Specify auth requirements per user


I have installed and configured PAM on my Ubuntu server which is working correctly. To log in I want to require an SSH Key to be installed, a password to be provided and a valid code from an authenticator app.



The issue that I have is that I would like to add exceptions to these requirements on a per-user basis.



For example, I want to enforce all of these auth methods for my user account, but specify another user (git - for my GitLab installation) to be accessed by SSH key only (no password or 2FA code required) so the push and pull behaviour works.



The only way I have found to get round this at the moment is to set auth required pam_google_authenticator.so nullok in the /etc/pam.d/sshd file, so the 2FA part is optional, as well as commenting out the @include common-auth line. This however means that while the 2FA part works, I am no longer asked for my password on my main account.



I have tried to do the following:



auth [success=1 default=ignore] pam_succeed_if.so user in git
@include common-auth


but this doesn't seem to work.



What do I need to do to enable all of the above auth methods by default, but add exceptions for specific user accounts like git etc?










ubuntu ssh bash pam google-authenticator






asked May 9 at 7:27 by Ben Turner




1 Answer






Let's break down these requirements a bit.

Configuring SSH

First, in order to require both a public key and a password, you need to modify your /etc/ssh/sshd_config by adding this line:

AuthenticationMethods publickey,keyboard-interactive

This way, everyone must have a public key, and must be able to provide their password upon login.

To make exceptions, use the Match block. For example, let's assume that users who aren't restricted are in the come-as-please group. Then add these lines to the end of the sshd_config file:

Match Group come-as-please
    AuthenticationMethods publickey keyboard-interactive

Note the absence of the comma, which means that members of the group may use either public key, or keyboard-interactive (password) authentication.

Configuring google-authenticator

To use the google-authenticator module, you need to modify the /etc/pam.d/sshd file. After the

@include common-auth

line, add this one:

auth required pam_google_authenticator.so nullok

Also, in order to enable two-factor authentication, you need to modify your /etc/ssh/sshd_config file, adding this line:

ChallengeResponseAuthentication yes

After this, restart the SSH daemon.

Setting user access

After the above modifications, you have the following access settings:

• Every user must have a public key installed, and must supply a password.

• If there is a .google_authenticator file in the user's home directory, then they must supply the corresponding authenticator code as well.

• Anyone who is a member of the come-as-please group:

  • If they have a public key installed, they do not need to supply a password or the authenticator code, whether they have the .google_authenticator file in their home or not.

  • If they don't have a public key installed, they need to specify a password. They need to supply the authenticator code if the .google_authenticator file exists in their home directory.






answered May 9 at 10:33 by Lacek
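The comma-versus-space rule and the Match override are easy to get backwards, so here is a small Python model, added here and not OpenSSH's, libpam's or the answerer's code, that parses the two sshd_config fragments from the answer, picks the effective AuthenticationMethods for a user's groups, and decides whether a login attempt satisfies them. It assumes the group name come-as-please and the nullok behaviour described above (a user with no ~/.google_authenticator is not prompted for a code); the parser handles only the keywords used in this thread.

```python
"""Model of sshd AuthenticationMethods with a Match Group override.

Added example, not OpenSSH's or libpam's own code: it mimics the documented
semantics only. Comma-joined methods must all succeed (AND); space-separated
lists are alternatives (OR); the first Match block the user meets wins.
"""

# Constructed sshd_config mirroring the answer: everyone needs key AND
# password, members of come-as-please may use key OR password.
SSHD_CONFIG = """\
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes

Match Group come-as-please
    AuthenticationMethods publickey keyboard-interactive
"""


def parse_sshd_config(text):
    """Return (global_settings, [(group, settings), ...]); only Match Group is modelled."""
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "Match":
            crit, _, group = value.partition(" ")
            if crit != "Group":
                raise ValueError(f"unsupported Match criterion: {crit}")
            current = {}
            matches.append((group.strip(), current))
        else:
            (global_cfg if current is None else current)[keyword] = value
    return global_cfg, matches


def effective_methods(config_text, user_groups):
    """AuthenticationMethods that apply to a user in the given groups."""
    global_cfg, matches = parse_sshd_config(config_text)
    for group, cfg in matches:
        if group in user_groups and "AuthenticationMethods" in cfg:
            return cfg["AuthenticationMethods"]
    return global_cfg["AuthenticationMethods"]


def methods_satisfied(spec, completed):
    """'a,b' needs both a and b; 'a b' is satisfied by either one."""
    return any(all(m in completed for m in alt.split(","))
               for alt in spec.split())


def keyboard_interactive_ok(password_ok, has_ga_file, code_ok):
    """PAM stack from the answer: common-auth (password), then
    pam_google_authenticator.so nullok, which skips the code prompt when
    ~/.google_authenticator does not exist."""
    if not password_ok:
        return False
    return code_ok if has_ga_file else True


def login_allowed(config_text, user_groups, has_key, password_ok,
                  has_ga_file, code_ok):
    """Combine the sshd layer and the PAM layer for one login attempt."""
    completed = set()
    if has_key:
        completed.add("publickey")
    if keyboard_interactive_ok(password_ok, has_ga_file, code_ok):
        completed.add("keyboard-interactive")
    return methods_satisfied(effective_methods(config_text, user_groups),
                             completed)
```

To check the real daemon rather than the model, `sshd -T -C user=git` prints the effective settings sshd would apply to that user, AuthenticationMethods included.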



