We use Google Authenticator for 2FA SSH logins. It's configured in /etc/pam.d/sshd as follows:
@include common-password
auth required pam_google_authenticator.so nullok
As you may know, OpenSSH 8.2 comes with U2F keys support. We'd like to use U2F in the following manner:
- If user authenticates with U2F-enabled key, let them in without asking for Google Authenticator code.
- If user authenticates with a simple key, ask for Authenticator code.
How do I achieve that? U2F keys are of a specific type (note the -SK suffix):
$ ssh-keygen -l -f ~/.ssh/id_ecdsa_sk.pub
256 SHA256:8+ktnvXXshnIek7fEffbEQUhFvwZXOfahSHRagxcdbc pypt@NN (ECDSA-SK)
so maybe there's a way to configure PAM to allow in only specific key types?
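A small inventory helper, added here as an example and not part of the question or of OpenSSH itself: before deciding which accounts should skip the Authenticator step, it helps to know which authorized_keys entries are FIDO/U2F-backed. OpenSSH 8.2 stores such keys under the types `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com` (the ones `ssh-keygen -l` reports with the `-SK` suffix). The script parses authorized_keys lines (including ones with a leading options field), verifies that each base64 blob really begins with the claimed key type, computes the same `SHA256:` fingerprint format that `ssh-keygen -l` prints, and splits the entries into SK and non-SK. The sample keys are constructed dummies whose blobs contain only the type string plus filler bytes.

```python
import base64
import binascii
import hashlib
import shlex

# Key types OpenSSH 8.2+ uses for FIDO/U2F ("-SK") keys.
SK_KEY_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
}


def _dummy_blob(key_type: str) -> str:
    """Build a constructed key blob: SSH string(key_type) followed by 32 filler bytes.
    Only the leading type string mirrors the real wire format; this is not a usable key."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    raw = ssh_string(key_type.encode()) + ssh_string(b"\x00" * 32)
    return base64.b64encode(raw).decode()


# Constructed sample authorized_keys content (not real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"sk-ecdsa-sha2-nistp256@openssh.com {_dummy_blob('sk-ecdsa-sha2-nistp256@openssh.com')} pypt@NN",
    f'command="/usr/bin/backup",no-pty ssh-ed25519 {_dummy_blob("ssh-ed25519")} backup@host',
    f"ssh-rsa {_dummy_blob('ssh-rsa')} legacy@host",
    "",
])


def fingerprint(raw: bytes) -> str:
    """SHA256 fingerprint in the same form ssh-keygen -l prints (base64, padding stripped)."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line: type, fingerprint, comment and whether it is an SK key.
    The key-type token is located by decoding the following token and checking that the
    blob's embedded type string matches it, so option fields are skipped safely."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens[:-1]):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                continue
            if len(raw) < 4:
                continue
            n = int.from_bytes(raw[:4], "big")
            if raw[4:4 + n] != tok.encode():
                continue  # not a key blob for this token
            entries.append({
                "type": tok,
                "fingerprint": fingerprint(raw),
                "comment": " ".join(tokens[i + 2:]),
                "is_sk": tok in SK_KEY_TYPES,
            })
            break
    return entries


def split_by_sk(entries: list) -> tuple:
    """Separate FIDO/U2F-backed keys from plain keys."""
    sk = [e for e in entries if e["is_sk"]]
    plain = [e for e in entries if not e["is_sk"]]
    return sk, plain


if __name__ == "__main__":
    sk, plain = split_by_sk(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
    for label, group in (("SK (U2F)", sk), ("plain", plain)):
        for e in group:
            print(f"{label:9} {e['type']:36} {e['fingerprint']} {e['comment']}")
```

Run it against a real file with `parse_authorized_keys(open(path).read())`; the `is_sk` flag is what a policy decision would key on, and the fingerprint lets you cross-check each entry against `ssh-keygen -l -f`.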