On Tue, Jan 26, 2021 at 2:52 PM Brian Candler <b.candler at pobox.com>
wrote:>
> On 26/01/2021 19:04, Avila, Geoffrey wrote:
> > We have an ssh login host we've protected with Duo's 2FA pam
module. We're
> > allowing both password auth and ssh-keys. Problem is, those users with
a
> > valid ssh key are instantly allowed to log in-the pam stack for the
duo .so
> > module never gets called, and the users are never prompted for 2FA.
> > Is there a way to compel the execution of PAM modules before OpenSSH
> > completes the login process for the user?
>
> I use the following (with Yubikey PAM module for 2FA):
>
> # Policy for authentication: require both pubkey *and* PAM
> AuthenticationMethods publickey,keyboard-interactive:pam
>
I've always thought the comma meant "if this does not work, try
this next"
> # From local and VPN addresses, 2FA not required
> Match Address 192.168.0.0/16,10.0.0.0/8
> AuthenticationMethods publickey
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev