On 26/01/2021 19:04, Avila, Geoffrey wrote:
> We have an ssh login host we've protected with Duo's 2FA pam module. We're
> allowing both password auth and ssh-keys. Problem is, those users with a
> valid ssh key are instantly allowed to log in - the pam stack for the duo .so
> module never gets called, and the users are never prompted for 2FA.
> Is there a way to compel the execution of PAM modules before OpenSSH
> completes the login process for the user?

I use the following (with Yubikey PAM module for 2FA):

# Policy for authentication: require both pubkey *and* PAM
AuthenticationMethods publickey,keyboard-interactive:pam
# From local and VPN addresses, 2FA not required
Match Address 192.168.0.0/16,10.0.0.0/8
    AuthenticationMethods publickey
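
An added example, not part of the original message: a small Python check of which AuthenticationMethods value applies to a given client address under the configuration above, so the single-factor exemption for the listed ranges is visible. It assumes the sshd rule that a matching Match block overrides the global setting, handles only `Match Address` with CIDR patterns, and uses constructed client addresses; the function names are hypothetical.

```python
import ipaddress

# sshd_config fragment from the reply above, embedded so the check runs offline.
SSHD_CONFIG = """\
AuthenticationMethods publickey,keyboard-interactive:pam
Match Address 192.168.0.0/16,10.0.0.0/8
    AuthenticationMethods publickey
"""

def parse(config):
    """Return (global_methods, match_blocks) for the AuthenticationMethods keyword."""
    global_methods, blocks, current = None, [], None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            if len(parts) != 3 or parts[1].lower() != "address":
                raise ValueError("only 'Match Address <cidr,...>' is modelled")
            nets = [ipaddress.ip_network(p) for p in parts[2].split(",")]
            current = {"nets": nets, "methods": None}
            blocks.append(current)
        elif keyword == "authenticationmethods":
            if current is None:
                global_methods = global_methods or parts[1:]  # first value wins
            elif current["methods"] is None:
                current["methods"] = parts[1:]
    return global_methods, blocks

def effective_methods(config, client_addr):
    """Method lists required from client_addr (assumed semantics: first matching
    Match block that sets the keyword, else the global value, else 'any')."""
    global_methods, blocks = parse(config)
    addr = ipaddress.ip_address(client_addr)
    for block in blocks:
        if block["methods"] and any(addr in net for net in block["nets"]):
            return block["methods"]
    return global_methods or ["any"]

def single_factor(methods):
    """True if some alternative list is satisfied by one method alone."""
    return any(m == "any" or "," not in m for m in methods)

if __name__ == "__main__":
    # Constructed client addresses: one public, one VPN-range, one LAN-range.
    for ip in ("203.0.113.7", "10.8.0.5", "192.168.1.20"):
        m = effective_methods(SSHD_CONFIG, ip)
        print(ip, m, "single-factor" if single_factor(m) else "multi-factor")
```

On a live host, `sshd -T -C user=NAME,host=HOST,addr=ADDR` (placeholders) prints the effective settings for a given connection and is the authoritative check.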