Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04, but NOT for root user

Question

I followed this nice guide from digitalocean to set up Multi-Factor Authentication for SSH on Ubuntu 16.04 Server (No UI), after this every user on system when the login via ssh system expects additional authentication, if 2fa is setup everything works but if it isn't setup it just fails (article did mention that if I leave nullok in sshd it

Accepted Answer

Based on Dieskim&#8217;s answer above,This is what I did to NOT apply PAM/2fa to root user.in /etc/ssh/sshd_config where I added AuthenticationMethods publickey,password publickey,keyboard-interactive conditionally,UsePAM yes# Apply following rule to everyone (*) but root user (!root)Match user "!root,*"    AuthenticationMethods publickey,password publickey,keyboard-interactiveMatch allI would like to also mention following:Initially even after having auth required pam_google_authenticator.so nullok in /etc/pam.d/sshd root login as not working and the reason behind that was PermitRootLogin in sshd_config was set to prohibit-password, and OpenSSH needs to allow root logins using passwords for PAM auth to work with any sort of password, including OTP.And as I wanted PermitRootLogin to no the above Match user solution above works well.Another thing about auth required pam_google_authenticator.so nullok, here it is thought that nullok means if 2fa is not configured for a user, user will still be allowed to login, but that is not the case with latest versions of libpam-google-authenticator# Standard Un*x password updating.@include common-passwordauth required pam_google_authenticator.so nullokEDIT:Following statement is not true (Removed it from answer above), do not add auth required pam_permit.so in sshd file when you are enabling AuthenticationMethods optionally.it is important to add auth required pam_permit.so as last line to /etc/pam.d/sshdAlso test that any of your user is not able to login with out any credentials.

Advertisement

Answer