{Key or TOTP} and password
I'm setting up multi-factor authentication on a Linux box. I have successfully been able to tell the box to accept key-and-password or TOTP-and-password, but I'd like it to allow clients to do either. I was loosely following this guide, but ran into the issue that since both password and TOTP are handled by PAM, I can't essentially just tell ssh to use PAM for one type of auth and do another itself. The only way I can think of to do this is if I could create two "chains"(?), for example /etc/pam.d/sshd-password and /etc/pam.d/sshd-totp and have ssh go through one for password and the other for totp. Does such a mechanism exist? If not, is there another way to accomplish this?
linux ssh openssh pam google-authenticator
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
add a comment |
I'm setting up multi-factor authentication on a Linux box. I have successfully been able to tell the box to accept key-and-password or TOTP-and-password, but I'd like it to allow clients to do either. I was loosely following this guide, but ran into the issue that since both password and TOTP are handled by PAM, I can't essentially just tell ssh to use PAM for one type of auth and do another itself. The only way I can think of to do this is if I could create two "chains"(?), for example /etc/pam.d/sshd-password and /etc/pam.d/sshd-totp and have ssh go through one for password and the other for totp. Does such a mechanism exist? If not, is there another way to accomplish this?
linux ssh openssh pam google-authenticator
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
add a comment |
I'm setting up multi-factor authentication on a Linux box. I have successfully been able to tell the box to accept key-and-password or TOTP-and-password, but I'd like it to allow clients to do either. I was loosely following this guide, but ran into the issue that since both password and TOTP are handled by PAM, I can't essentially just tell ssh to use PAM for one type of auth and do another itself. The only way I can think of to do this is if I could create two "chains"(?), for example /etc/pam.d/sshd-password and /etc/pam.d/sshd-totp and have ssh go through one for password and the other for totp. Does such a mechanism exist? If not, is there another way to accomplish this?
linux ssh openssh pam google-authenticator
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
I'm setting up multi-factor authentication on a Linux box. I have successfully been able to tell the box to accept key-and-password or TOTP-and-password, but I'd like it to allow clients to do either. I was loosely following this guide, but ran into the issue that since both password and TOTP are handled by PAM, I can't essentially just tell ssh to use PAM for one type of auth and do another itself. The only way I can think of to do this is if I could create two "chains"(?), for example /etc/pam.d/sshd-password and /etc/pam.d/sshd-totp and have ssh go through one for password and the other for totp. Does such a mechanism exist? If not, is there another way to accomplish this?
linux ssh openssh pam google-authenticator
linux ssh openssh pam google-authenticator
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
asked Jan 15 at 19:36
Duncan X SimpsonDuncan X Simpson
1,105823
1,105823
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1394664%2fkey-or-totp-and-password%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1394664%2fkey-or-totp-and-password%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
