I am using sshd, and allow logins with public key authentication.
I want to allow select users to log in with a PAM two-factor authentication module.
Is there any way I can allow PAM two-factor authentication for a specific user?
By the same token – I only want to enable password authentication for specific accounts. I want my SSH daemon to reject the password authentication attempts to thwart would-be hackers into thinking that I will not accept password authentication – except for the case in which someone knows my heavily guarded secret account, which is password enabled. I want to do this for cases in which my SSH clients will not let me do either secret key, or two-factor authentication.
Best Answer
You could probably handle this with the
pam_listfile
module. Create an/etc/pam.d/sshd
file that looks something like:This would allow only people listed in
/etc/authusers
the ability to authenticate with a two-factor module (in our case, secureid). I haven't actually tested this configuration, but the theory is sound.You could make it simpler by allowing anyone to authenticate using two factor authentication; presumably, only those people with the appropriate devices/configuration would be able to succeed, so you'd get effectively the same behavior.