I'm trying to configure sshd on a VPS instance, and would like to have an authentication which is publickey,keyboard-interactive (public key AND keyboard-interactive).
The problem is that the server keeps asking for serveruser password on login after the public key was sent and accepted. It should only ask for the 2FA code.
I am able to login using publickey, serveruser password and 2FA code.
I have two other similar setups that work great but I remember having trouble setting those up, like using black magic in bizarre configuration files.
I spent countless hours trying to configure sshd this way on other hosts and now I don't seem to achieve it.
I also tried to compare client and server logs on a working setup and this one but the logs are the same! (Except with IPs, ports and fingerprints)
SSH client log : https://pastebin.com/P1xsKTwm
Server's /etc/ssh/sshd_config : https://pastebin.com/qSH7GAmR
Server's /etc/pam.d/sshd : https://pastebin.com/YBKY91Rk
(sshd was restarted using sudo systemctl restart sshd.service)
EDIT : keyboard-interactive is not only for 2FA
Read the comments in mforsetti's answer below, I did not understand that keyboard-interactive was not for 2FA only.
The trick was to edit the /etc/pam.d/sshd file to disable password authentication (explained in mforsetti's post and comments below)
Best Answer
well, you specifically asked for it.
Quoting sshd_config manual,
So, adding AuthenticationMethods publickey,keyboard-interactive to your sshd_config, means you expect to have publickey authentication completed first, then keyboard-interactive authentication completed next.
If you expect to only authenticate with publickey, probably change
to
or, if you enable any other authentication methods and expect any single successful authentication method as an OK, you may use
You may want to disable common-auth from PAM configs, as in most Linux/Unix distributions, common-auth includes pam-unix.so or pam-unix2.so which requires account password.
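An added example, not part of the question or the answer above: a small Python check that reads the text of sshd_config and /etc/pam.d/sshd and reports whether the keyboard-interactive step will still prompt for the account password. The sample file contents and the module name pam_example_otp.so are constructed placeholders; Match blocks and nested PAM includes are not followed.

```python
import re

def auth_method_lists(sshd_config):
    """Parse AuthenticationMethods: each inner list must succeed in full."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0].lower() == "authenticationmethods":
            return [entry.split(",") for entry in parts[1:]]  # first match wins
    return []  # directive absent: any single enabled method is enough

def pam_password_sources(pam_sshd):
    """Return active auth lines that bring in the account password check."""
    hits = []
    for raw in pam_sshd.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("@include"):
            if line.split()[1:2] == ["common-auth"]:
                hits.append(line)
        elif re.match(r"-?auth\s", line) and re.search(r"pam_unix2?\.so", line):
            hits.append(line)
    return hits

def password_prompt_expected(sshd_config, pam_sshd):
    """True if keyboard-interactive is required and PAM still asks for a password."""
    uses_kbdint = any(method.split(":")[0] == "keyboard-interactive"
                      for methods in auth_method_lists(sshd_config)
                      for method in methods)
    return uses_kbdint and bool(pam_password_sources(pam_sshd))

# Constructed sample inputs (not the poster's pastebin contents).
SSHD = """\
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_BEFORE = """\
@include common-auth
auth required pam_example_otp.so  # hypothetical 2FA module
"""
PAM_AFTER = PAM_BEFORE.replace("@include common-auth", "#@include common-auth")

if __name__ == "__main__":
    for label, pam in (("before", PAM_BEFORE), ("after", PAM_AFTER)):
        print(label, password_prompt_expected(SSHD, pam), pam_password_sources(pam))
```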