Hello all, I'm trying to get a properly working MFA solution working with our ssh servers. I have it working wonderfully well with duo until ssh keys are added to the mix. As I understand it, using keys results in the PAM stack not getting called and thus something like pam_duo never gets a chance to work in that scenario. I'm aware that I can use something like "ForceCommand /usr/sbin/login_duo" but that results in two requests unless it is removed from PAM beforehand, which is not ideal as there are other services that also benefit from having MFA present in the PAM stack. Using ForceCommand like this is also dubious as users can still put whatever they like in their shell rc files. Is there a better way to properly integrate MFA into the login process when ssh keys are used? Thanks in advance.

-- Rikki
On 15/11/2024 15:48, Richard Allen via openssh-unix-dev wrote:
> As I understand it, using keys results in the PAM stack not getting
> called and thus something like pam_duo never gets a chance to work in
> that scenario.

No, it depends on how you configure sshd. You can require both ssh key auth and PAM auth:

AuthenticationMethods publickey,keyboard-interactive:pam

(Note that the methods must be comma-separated, not space-separated, to require both).

I don't know about integrating with Duo, but I've done it with TOTP from Vault: https://github.com/candlerb/vault-totp-helper
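An added example (not from either poster): a small POSIX sh audit of an sshd_config that reports whether key logins are actually forced through PAM as described in the reply, including the comma-versus-space pitfall. It assumes upstream sshd_config syntax, that sshd keeps the first global occurrence of a directive, and ignores Match blocks (global policy only); the two sample configs are constructed here.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "publickey AND keyboard-interactive".
# Assumptions: upstream syntax; first global occurrence of a directive wins;
# Match blocks are skipped (only the global policy is checked).

# first_global FILE KEYWORD: prints the first global value of KEYWORD
# (case-insensitive keyword match); prints nothing if it is unset.
first_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == key && v == "" { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$1"
}

# check_mfa FILE: returns 0 only when UsePAM is yes and every alternative in
# AuthenticationMethods (alternatives are space-separated; each is a comma-
# separated conjunction) requires both publickey and keyboard-interactive.
check_mfa() {
    usepam=$(first_global "$1" UsePAM | tr 'A-Z' 'a-z')
    [ "$usepam" = "yes" ] || return 1
    methods=$(first_global "$1" AuthenticationMethods)
    [ -n "$methods" ] || return 1        # unset: any single method suffices
    for alt in $methods; do
        case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$alt," in
            *,keyboard-interactive,*|*,keyboard-interactive:*,*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed samples: space-separated (either method alone is accepted)
# versus comma-separated (both required), as the reply points out.
WEAK_CFG=$(mktemp) && GOOD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$GOOD_CFG"' EXIT
printf 'UsePAM yes\nAuthenticationMethods publickey keyboard-interactive:pam\n' > "$WEAK_CFG"
printf 'UsePAM yes\nAuthenticationMethods publickey,keyboard-interactive:pam\n' > "$GOOD_CFG"

check_mfa "$GOOD_CFG" && echo "good: key and PAM both required"
check_mfa "$WEAK_CFG" || echo "weak: a key alone still logs in"
```

On a live host, `sshd -T` prints the effective configuration, which is the safer thing to feed to check_mfa than the raw file when Include or Match directives are in play.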