Linux – sshd: How to enable PAM authentication for specific users under

linuxpamssh

I am using sshd, and allow logins with public key authentication.

I want to allow select users to log in with a PAM two-factor authentication module.

Is there any way I can allow PAM two-factor authentication for a specific user?

By the same token – I only want to enable password authentication for specific accounts. I want my SSH daemon to reject the password authentication attempts to thwart would-be hackers into thinking that I will not accept password authentication – except for the case in which someone knows my heavily guarded secret account, which is password enabled. I want to do this for cases in which my SSH clients will not let me do either secret key, or two-factor authentication.

Best Answer

You could probably handle this with the pam_listfile module. Create an /etc/pam.d/sshd file that looks something like:

auth requisite  pam_listfile.so item=user sense=allow file=/etc/authusers
auth sufficient pam_securid.so
auth required   pam_deny.so

This would allow only people listed in /etc/authusers the ability to authenticate with a two-factor module (in our case, secureid). I haven't actually tested this configuration, but the theory is sound.

You could make it simpler by allowing anyone to authenticate using two factor authentication; presumably, only those people with the appropriate devices/configuration would be able to succeed, so you'd get effectively the same behavior.

Best Answer

Related Solutions

SSHD – blocking password authentication

Linux – ssh still accepts password authentication despite being configured for public-key only authentication (which works!)

Related Topic