Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save phryneas/7c2b80e0c931d483bf20 to your computer and use it in GitHub Desktop.
Save phryneas/7c2b80e0c931d483bf20 to your computer and use it in GitHub Desktop.
SSH+PAM+google authentificator: publickey OR password+OTP
# /etc/pam.d/sshd
#add at the beginning of the file before @include common-auth
auth required pam_google_authenticator.so
# at least in deb/untu
sudo apt-get install libpam-google-authenticator
# for each user
google-authenticator
# /etc/ssh/sshd_config
# Contains multiple comma separated lists, each separated by spaces. Auth is okay if one of the lists completely succeeds
# here we allow either pubkey or pam (pam will first invoke pam_google_authenticator.so and then include common-auth, which will ask for a password)
AuthenticationMethods publickey keyboard-interactive:pam
UsePAM yes
# From the man page: Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication.
ChallengeResponseAuthentication yes
PasswordAuthentication no
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment