pam auth with ssh public key

[jeremy ardley]

I have set up a server with sshd allowing public key access. I also set
up google authenticator in pam by putting this line at the head of
/etc/pam.d/sshd

auth required pam_google_authenticator.so

If I connect to the server without a public key I get the authenticator
prompt and then password prompt. As expected.

If I connect with a public key I don't get an authenticator or password
prompt. However, I expected an authenticator prompt but not a password
prompt

As far as I can tell, sshd does all the public key authentication stuff,
and there isn't any documented way for pam to check the result of the
public key other than inspect an environment variable SSH_AUTH_INFO_0

All the docs I've read say pam doesn't do that out of the box.

Has pam been updated at or before Debian 11 ? If so, where can I manage
its actions?

[Kushal Kumaran]

Perhaps set AuthenticationMethods to publickey,keyboard-interactive in
sshd_config? Do read the full description of that parameter in the
manpage for other things that might interest you.

--
regards,
kushal

[jeremy ardley]

On 4/10/23 11:12, Kushal Kumaran wrote:
> Perhaps set AuthenticationMethods to publickey,keyboard-interactive in
> sshd_config? Do read the full description of that parameter in the
> manpage for other things that might interest you.

I finally managed to get my desired public key and google authenticator
combo

edit /etc/pam.d/sshd and comment out comon-auth

|# @include common-auth in /etc/ssh/sshd_config UsePAM yes ||ChallengeResponseAuthentication yes ||PasswordAuthentication no AuthenticationMethods
publickey,keyboard-interactive |||||