Disable PAM module for group
Solution 1
You can use the pam_succeed_if module (see manual page) before the pam_google_authenticator line to skip this part for your group:
# the other authentication methods, such as @include common-auth
auth [success=1 default=ignore] pam_succeed_if.so user ingroup group
auth required pam_google_authenticator.so ...
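To make the control flow of that stack concrete, here is an added example (constructed model, not part of the answer and not real PAM code) that evaluates the three-line "auth" stack above for a few made-up users. It shows why the pam_succeed_if line needs [success=1 default=ignore]: users in the group skip the OTP module, users outside it still have to pass it, and swapping in "required" breaks both cases.

```python
# Constructed model of how a Linux-PAM "auth" stack is evaluated. Not real PAM:
# just the control semantics needed to show why the pam_succeed_if line must use
# [success=1 default=ignore] rather than "required" to skip 2FA for one group.
SUCCESS, AUTH_ERR = "success", "auth_err"
SKIP_NEXT = {"success": 1, "default": "ignore"}   # [success=1 default=ignore]

# Constructed users: who knows a valid password, who has a working TOTP, who is in the group.
PASSWORD_OK = {"sftpuser", "alice", "bob"}
OTP_OK = {"alice"}
SFTP_GROUP = {"sftpuser"}

MODULES = {  # module name -> callable(user) -> PAM result
    "pam_unix.so": lambda u: SUCCESS if u in PASSWORD_OK else AUTH_ERR,
    "pam_succeed_if.so": lambda u: SUCCESS if u in SFTP_GROUP else AUTH_ERR,  # "user ingroup <group>"
    "pam_google_authenticator.so": lambda u: SUCCESS if u in OTP_OK else AUTH_ERR,
}

def run_stack(stack, user):
    """Evaluate [(control, module), ...] top to bottom; True if the user is authenticated."""
    i, ok, failed = 0, False, False
    while i < len(stack):
        control, module = stack[i]
        result = MODULES[module](user)
        if control == "required":
            # a failure is remembered, but the remaining modules still run
            ok, failed = ok or result == SUCCESS, failed or result != SUCCESS
            i += 1
            continue
        # bracket syntax: [value=action ...]; values not listed fall back to "default" (or "bad")
        action = control.get(result, control.get("default", "bad"))
        if isinstance(action, int):        # "success=N": counts as ok and jumps over N modules
            ok = True
            i += 1 + action
        elif action == "ignore":           # this result does not affect the outcome
            i += 1
        else:                              # anything else (e.g. "bad"): treated as a failure
            failed = True
            i += 1
    return ok and not failed

def build_stack(succeed_if_control):
    # Mirrors the answer: common-auth (pam_unix), then the group test, then the OTP module.
    return [("required", "pam_unix.so"),
            (succeed_if_control, "pam_succeed_if.so"),
            ("required", "pam_google_authenticator.so")]

def authenticate(user, succeed_if_control=SKIP_NEXT):
    return run_stack(build_stack(succeed_if_control), user)

if __name__ == "__main__":
    for user in ("sftpuser", "alice", "bob"):
        print(user, "skip-next:", authenticate(user), "required:", authenticate(user, "required"))
```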
Solution 2
Some SFTP clients can handle 2FA. For example, I'm using 2FA with FileZilla and WinSCP and they work. Also I have set up ssh-key authentication and it works alongside 2FA.
However your question is interesting and I made a short survey. I found this answer.
So, it is possible (and easy) to run separate ssh instances. I've already tested it.
1. Make separate copies of the sshd_config file:
   $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_pwd
   $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_2fa
2. Edit these new config files. One of the things you must change is the ssh port. According to the example:
   2.a) sshd_config_pwd specific lines are:
        Port 1022
        ...
        PasswordAuthentication yes
        ChallengeResponseAuthentication no
        UsePAM no
   2.b) sshd_config_2fa specific lines are:
        Port 2022
        ...
        PasswordAuthentication no
        ChallengeResponseAuthentication yes
        UsePAM yes
3. Open the necessary ports in the firewall. According to the example:
   $ sudo ufw limit 1022
   $ sudo ufw limit 2022
4. Run the new ssh instances:
   $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_pwd
   $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_2fa
That's it.
Z3r0byte, updated on September 18, 2022
Comments
-
Z3r0byte over 1 year: I recently enabled two-factor authentication using google-authenticator on my SSH server. However I am now facing a problem:
I have a different group of users on my server which I am using for SFTP, but that group is no longer able to log in since 2FA isn't set up for the users in the group. Is it possible to disable the google-authenticator module for that group? Enabling it for the users in the group is not an option because multiple users will be using this account.
PS: I use openssh-server
-
Abhimanyu Garg almost 6 years: Answered in this comment - hope it helps: askubuntu.com/a/1051973/846342
-
muru over 7 years: It should probably be [success=1 default=ignore] instead of required. Right now, a user not in group will lead to the authentication failing, I think. success=1 will make it skip the next method, default=ignore will mean users not in group will simply move on to the next method.
-
Jakuje over 7 years: @muru yes, you are obviously right. Still learning the details and all the magic of the PAM stack :)
-
Jakuje over 7 years: How is this answering the question? What do you modify in the sshd_config to use a different PAM stack and not use 2FA?
-
pa4080 over 7 years: @Jakuje I've updated my answer.
-
Jakuje over 7 years: Ok, so the point is "not using PAM". It might work in some cases, but PAM is not only about authentication, but also about setting up the session and a lot more, therefore it might stop working from day to day. Also changing the port is very confusing, especially if you want a third party to connect to your server. Though yes, a possible solution.
-
pa4080 over 7 years: Yes, it's just a possible solution, which is still incomplete, because I don't know an elegant way to start these separate ssh instances at system startup.
-
Arj almost 6 years: Is this dependent on whether you have multiple "AuthenticationMethods" in /etc/ssh/sshd_config? With the above line added, I still get 'Permission denied (keyboard-interactive)'
-
Jakuje almost 6 years: @Arj this means you have a different configuration, so this specific answer does not apply to you.