Last active
February 25, 2023 06:31
SSH+PAM+Google Authenticator: publickey OR password+OTP
# /etc/pam.d/sshd
# add at the beginning of the file, before @include common-auth
auth required pam_google_authenticator.so

# at least on Debian/Ubuntu
sudo apt-get install libpam-google-authenticator
# run once as each user to generate that user's OTP secret
google-authenticator

# /etc/ssh/sshd_config
# Takes one or more comma-separated lists of methods, with the lists separated by spaces.
# Authentication succeeds as soon as every method in any one list has succeeded.
# Here we allow either pubkey or PAM (PAM first invokes pam_google_authenticator.so and then includes common-auth, which asks for a password).
AuthenticationMethods publickey keyboard-interactive:pam
UsePAM yes
# From the man page: Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication.
ChallengeResponseAuthentication yes
# (OpenSSH 8.7 and later call this option KbdInteractiveAuthentication; the old name is kept as a deprecated alias.)
PasswordAuthentication no
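
The list semantics described in the sshd_config comments above, as an added example that is not part of the original gist: a small Python model of how sshd steps through AuthenticationMethods, following sshd_config(5). The function names and the STRICT value (a comma instead of a space, so both factors are required) are constructed for illustration.

```python
# Added example (not part of the gist): model of how sshd walks the
# AuthenticationMethods lists. All names here are hypothetical.

GIST = "publickey keyboard-interactive:pam"     # value used in the gist: key OR PAM
STRICT = "publickey,keyboard-interactive:pam"   # constructed contrast: key AND PAM


def parse_methods(value):
    """'a,b c:sub' -> [[('a', None), ('b', None)], [('c', 'sub')]]"""
    lists = []
    for entry in value.split():              # spaces separate alternative lists
        steps = []
        for item in entry.split(","):        # commas chain required steps
            method, _, sub = item.partition(":")
            steps.append((method, sub or None))
        lists.append(steps)
    return lists


def offered(lists):
    """Only the next method of each list is offered to the client."""
    return sorted({steps[0][0] for steps in lists if steps})


def authenticate(value, successes):
    """Replay successful (method, submethod) pairs; True once a list is exhausted."""
    lists = parse_methods(value)
    for method, sub in successes:
        if method not in offered(lists):
            return False                     # not next in any list, so not accepted yet
        advanced = []
        for steps in lists:
            head, head_sub = steps[0]
            if head == method and head_sub in (None, sub):
                steps = steps[1:]            # this list advances by one step
            advanced.append(steps)
        lists = advanced
        if any(not steps for steps in lists):
            return True                      # one list completely succeeded
    return False


if __name__ == "__main__":
    key, pam = ("publickey", None), ("keyboard-interactive", "pam")
    for value in (GIST, STRICT):
        print(value, "| offered first:", offered(parse_methods(value)))
        for attempt in ([key], [pam], [key, pam]):
            print("   ", [m for m, _ in attempt], "->", authenticate(value, attempt))
```

From sshd's point of view the password and the OTP are a single method: both prompts come from the PAM stack inside keyboard-interactive:pam, so requiring them together is enforced by /etc/pam.d/sshd, not by AuthenticationMethods.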