
I am trying to set up an SSH server where some users prefer to use an SSH key but others prefer LDAP-provided passwords.

I found out that I can configure sshd_config for publickey + PAM or PAM-only authentication.

AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam

The PAM part works as expected. The user enters their LDAP password and is then asked for a verification code.

However, publickey authentication works so that the user presents their key, is then asked to enter the LDAP password, and is then asked to enter the verification code. (We do not want key users to also be asked for a password.)

Is it possible to support key users so that they do not need to enter their password while the 2FA verification code is still asked for? Meanwhile, people who do not provide a key can still use passwords for authentication and are also asked for the 2FA verification code?

Note: We want to have a single SSH server process running in the system. We prefer not to use a solution like running multiple SSH servers on different ports.

Thanks!

yurtesen

1 Answer


I think this RedHat article might be of use to you. Looks like you would be able to do the following in sshd_config:

In order to set the default login to LDAP password + TOTP:

AuthenticationMethods publickey,keyboard-interactive

And then to set publickey + TOTP per user:

Match user <username>
    AuthenticationMethods publickey,keyboard-interactive

Setting up multi-factor authentication on Linux systems

  • This configuration will allow authentication with an SSH key but will then ask for the user's password and then the verification code. – yurtesen Dec 04 '20 at 09:10
  • @yurtesen Are you sure, did we try that latter approach? I get the idea that we would have to configure (per user) whether to use password or key-based auth. It's not super-pretty but it _could_ work if we can't make it work in any other way... – Per Lundberg Dec 15 '20 at 14:08
  • @PerLundberg first of all, if you check, he has the same methods for all and per-user config. But more importantly, `publickey` authentication does NOT support 2FA. At the same time you can only have 1 type of keyboard-interactive. You can have password, password+totp or totp only based on PAM configuration. If you set keyboard-interactive to use only TOTP, then people can log in only with TOTP passwords but they can't log in using normal passwords anymore. Try on your Linux machine :) – yurtesen Dec 15 '20 at 15:31
  • Thanks @yurtesen. Yes, I will play around with this a bit more at some point to see if I can find a solution. – Per Lundberg Dec 17 '20 at 08:05
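To make the point in the comments concrete, here is an added example (not from the question, the answer, or OpenSSH itself) that models how sshd evaluates `AuthenticationMethods`: space-separated entries are alternatives, each comma-separated chain must be completed in order, and a `Match user` block overrides the global value for that user. The config text and the user names `alice` and `bob` are constructed for the demo, and `keyboard-interactive:pam` is a single atomic step, which is exactly why the PAM stack's password prompt cannot be skipped for key users.

```python
import re
from typing import Dict, List, Optional, Sequence

# Constructed sshd_config fragment: the global line from the question plus a
# per-user Match block in the style of the answer (user names are made up).
SAMPLE_CONFIG = """
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
Match user alice
    AuthenticationMethods publickey,keyboard-interactive:pam
"""

def parse_authentication_methods(text: str) -> Dict[Optional[str], List[List[str]]]:
    """Map scope (None = global, else the Match user name) to a list of
    alternatives, each alternative being an ordered chain of method names.
    Only 'Match user <single-name>' blocks are modelled; the first value seen
    for a keyword within a scope wins, as in sshd."""
    table: Dict[Optional[str], List[List[str]]] = {}
    scope: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"match\s+user\s+(\S+)$", line, re.IGNORECASE)
        if m:
            scope = m.group(1)
            continue
        m = re.match(r"authenticationmethods\s+(.+)$", line, re.IGNORECASE)
        if m and scope not in table:
            table[scope] = [alt.split(",") for alt in m.group(1).split()]
    return table

def methods_for_user(text: str, user: str) -> List[List[str]]:
    """Effective alternatives for a user: Match block if present, else global."""
    table = parse_authentication_methods(text)
    return table.get(user, table.get(None, []))

def is_authenticated(alternatives: List[List[str]], completed: Sequence[str]) -> bool:
    """True once the methods completed so far exactly satisfy one alternative.
    Each method, including keyboard-interactive:pam, is all-or-nothing: sshd
    cannot accept 'half' of a PAM conversation."""
    return any(chain == list(completed) for chain in alternatives)
```

Running it for `bob` shows that a key alone never suffices, and that the only way past `keyboard-interactive:pam` is to complete whatever the PAM stack asks, password prompt included.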