Adds sshd config for keyboard-interactive pam device #156
Conversation
- Adds configuration option for public key authentication with 2FA input from a PAM device such as a Yubikey. This will allow keyboard interaction from the _device only_. See the documentation on AuthenticationMethods [here](https://www.freebsd.org/cgi/man.cgi?sshd_config(5)).
|
|
||
| # Force public key auth then ask for pam device input | ||
| {% if ssh_pam_device %} | ||
| AuthenticationMethods publickey,keyboard-interactive:pam |
There was a problem hiding this comment.
We have almost the same configuration on lines 96-98, except for the :pam-part. What's the difference between these two? Are both needed?
There was a problem hiding this comment.
@rndmh3ro the added :pam option only allows authentication from the PAM (yubikey) device itself. From the sshd docs:
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a colon
followed by the device identifier ``bsdauth'', ``pam'', or
``skey'', depending on the server configuration. For example,
``keyboard-interactive:bsdauth'' would restrict keyboard interac-
tive authentication to the ``bsdauth'' device.
(Sorry for the crappy formatting). Source: https://www.freebsd.org/cgi/man.cgi?query=sshd_config&sektion=5.
Regarding ChallengeResponseAuthentication and UsePam, this is the mechanism that prompts a challenge response via the PAM interface. The excepted "2FA" outcome is as follows.
- Authenticate via ssh public key first.
- Prompt a challenge response from PAM device (Yubikey).
The user will be prompted as follows:
YubiKey for `foouser':
|
Hey @rcII, Thanks for your PR! I never used a Yubikey with 2FA and sshd, so my knowledge here is limited.. Hope you can answer my comments. EDIT: What I want from a variable like |
2 participants
from a PAM device such as a Yubikey. This will allow keyboard
interaction from the device only. See the documentation on
AuthenticationMethods
here.