On Wed, Oct 04 2023 at 10:08:14 AM, jeremy ardley <jeremy.ard...@gmail.com> wrote: > I have set up a server with sshd allowing public key access. I also > set up google authenticator in pam by putting this line at the head of > /etc/pam.d/sshd > > auth required pam_google_authenticator.so > > If I connect to the server without a public key I get the > authenticator prompt and then password prompt. As expected. > > If I connect with a public key I don't get an authenticator or > password prompt. However, I expected an authenticator prompt but not a > password prompt > > As far as I can tell, sshd does all the public key authentication > stuff, and there isn't any documented way for pam to check the result > of the public key other than inspect an environment variable > SSH_AUTH_INFO_0 > > All the docs I've read say pam doesn't do that out of the box. > > Has pam been updated at or before Debian 11 ? If so, where can I > manage its actions?
Perhaps set AuthenticationMethods to publickey,keyboard-interactive in sshd_config? Do read the full description of that parameter in the manpage for other things that might interest you. -- regards, kushal