Disable PAM module for group


Solution 1

You can use the pam_succeed_if module (see its manual page) before pam_google_authenticator to skip this part for your group:

# the other authentication methods, such as @include common-auth
# skip the next line (the 2FA module) for members of "group"; everyone else falls through to it
auth [success=1 default=ignore] pam_succeed_if.so user ingroup group
auth required pam_google_authenticator.so ...
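
To make the control field concrete, the following is an added example (not part of the answer above): a small simulation of how PAM walks an auth stack, run once with the answer's [success=1 default=ignore] line and once with the plain `required` variant raised in the comments. The users, the group name sftp and the module outcomes are constructed stand-ins, not the real modules.

```python
# Constructed sample data: who is in the "sftp" group and who has a TOTP secret enrolled.
USERS = {
    "alice": {"groups": {"sftp"}, "has_2fa": False},  # SFTP-only account, no 2FA
    "bob":   {"groups": {"users"}, "has_2fa": True},  # interactive user with 2FA
}

def pam_succeed_if(user, args):
    """Mimics 'pam_succeed_if.so user ingroup <group>'."""
    group = args.split("ingroup ", 1)[1]
    return "success" if group in USERS[user]["groups"] else "failure"

def pam_google_authenticator(user, args):
    """Stand-in for the real module: passes only if a TOTP secret is enrolled."""
    return "success" if USERS[user]["has_2fa"] else "failure"

MODULES = {"pam_succeed_if.so": pam_succeed_if,
           "pam_google_authenticator.so": pam_google_authenticator}

def parse_control(ctrl):
    """'required' is shorthand for [success=ok new_authtok_reqd=ok ignore=ignore default=bad]."""
    if ctrl == "required":
        return {"success": "ok", "default": "bad"}
    return dict(kv.split("=") for kv in ctrl.strip("[]").split())

def run_auth_stack(stack, user):
    """Return True if an auth stack of (control, module, args) lines accepts user."""
    i, failed = 0, False
    while i < len(stack):
        ctrl, module, args = stack[i]
        actions = parse_control(ctrl)
        result = MODULES[module](user, args)
        act = actions.get(result, actions.get("default", "ignore"))
        if act.isdigit():        # success=N: jump over the next N lines
            i += int(act) + 1
            continue
        if act == "bad":         # record the failure but keep walking the stack
            failed = True
        i += 1                   # "ok" and "ignore" both just move on
    return not failed

# The answer's stack: group members skip the 2FA line, everyone else must pass it.
ANSWER_STACK = [("[success=1 default=ignore]", "pam_succeed_if.so", "user ingroup sftp"),
                ("required", "pam_google_authenticator.so", "")]
# The variant discussed in the comments: 'required' on the group check instead.
REQUIRED_STACK = [("required", "pam_succeed_if.so", "user ingroup sftp"),
                  ("required", "pam_google_authenticator.so", "")]

for user in USERS:
    print(user, run_auth_stack(ANSWER_STACK, user), run_auth_stack(REQUIRED_STACK, user))
```

With the answer's stack both users authenticate; with `required` on the group check, alice fails on the 2FA line and bob fails on the group check, which is exactly the problem the comments point out.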

Solution 2

Some SFTP clients can handle 2FA. For example, I'm using 2FA with FileZilla and WinSCP and they work. Also, I have set up ssh-key authentication and it works alongside 2FA.

However, your question is interesting and I made a short survey. I found this answer.

So, it is possible (and easy) to run separate ssh instances. I've already tested it.

  1. Make separate copies of sshd_config file.

    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_pwd
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_2fa
    
  2. Edit these new config files. One of the things you must change is the SSH port. According to the example:

    2.a) sshd_config_pwd specific lines are:

    Port 1022
    ...
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    UsePAM no
    

    2.b) sshd_config_2fa specific lines are:

    Port 2022
    ...
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePAM yes
    
  3. Open the necessary ports in the firewall. According to the example:

    $ sudo ufw limit 1022
    $ sudo ufw limit 2022
    
  4. Run the new ssh instances:

    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_pwd
    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_2fa
    

That's it.


Author: Z3r0byte

Updated on September 18, 2022

Comments

  • Z3r0byte
    Z3r0byte over 1 year

    I recently enabled two-factor-authentication using google-authenticator on my SSH server. However I am now facing a problem:

    I have a different group of users on my server which I am using for SFTP, but that group is no longer able to log in since 2FA isn't set up for the users in the group. Is it possible to disable the google-authenticator module for that group? Enabling it for the users in the group is not an option because multiple users will be using this account.

    PS: I use openssh-server

  • muru
    muru over 7 years
    It should probably be [success=1 default=ignore] instead of required. Right now, a user not in group will lead to the authentication failing, I think. success=1 will make it skip the next method, default=ignore will mean users not in group will simply move on to the next method.
  • Jakuje
    Jakuje over 7 years
    @muru yes, you are obviously right. Still learning the details and all the magic of the PAM stack :)
  • Jakuje
    Jakuje over 7 years
    How is this answering the question? What do you modify in sshd_config to use a different PAM stack and not use 2FA?
  • pa4080
    pa4080 over 7 years
    @Jakuje I've updated my answer.
  • Jakuje
    Jakuje over 7 years
    Ok, so the point is "not using PAM". It might work in some cases, but PAM is not only about authentication, but also about setting up the session and a lot more, therefore it might stop working from day to day. Also, changing the port is very confusing, especially if you want a third party to connect to your server. Though yes, a possible solution.
  • pa4080
    pa4080 over 7 years
    Yes, it's just a possible solution, which is still incomplete, because I don't know an elegant way to start these separate ssh instances at system startup.
  • Arj
    Arj almost 6 years
    Is this dependent on whether you have multiple "AuthenticationMethods" in /etc/ssh/sshd_config? With the above line added, I still get 'Permission denied (keyboard-interactive)'
  • Jakuje
    Jakuje almost 6 years
    @Arj this means you have a different configuration, so this specific answer does not apply to you.