SSHD keeps asking for user password even though it was configured with publickey,keyboard-interactive

configuration, ssh

I'm trying to configure sshd on a VPS instance, and would like to have an authentication which is publickey,keyboard-interactive (public key AND keyboard-interactive).

The problem is that the server keeps asking for serveruser password on login after the public key was sent and accepted. It should only ask for the 2FA code.
I am able to log in using publickey, serveruser password and 2FA code.

I have two other similar setups that work great but I remember having trouble setting those up, like using black magic in bizarre configuration files.

I spent countless hours trying to configure sshd this way on other hosts and now I don't seem to achieve it.

I also tried to compare client and server logs on a working setup and this one but the logs are the same! (Except with IPs, ports and fingerprints)

SSH client log : https://pastebin.com/P1xsKTwm

Server's /etc/ssh/sshd_config : https://pastebin.com/qSH7GAmR

Server's /etc/pam.d/sshd : https://pastebin.com/YBKY91Rk

(sshd was restarted using sudo systemctl restart sshd.service)

EDIT : keyboard-interactive is not only for 2FA

Read the comments in mforsetti's answer below; I did not understand that keyboard-interactive was not for 2FA only.

The trick was to edit /etc/pam.d/sshd file to disable password authentication (explained in mforsetti's post and comments below)

Best Answer

The problem is that the server keeps asking for serveruser password on login after the public key was sent and accepted.

Well, you specifically asked for it.

AuthenticationMethods publickey,keyboard-interactive

Quoting sshd_config manual,

AuthenticationMethods

Specifies the authentication methods that must be successfully completed for a user to be granted access. ... by the single string any to indicate the default behaviour of accepting any single authentication method ...

... For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. ...

So, adding AuthenticationMethods publickey,keyboard-interactive to your sshd_config, means you expect to have publickey authentication completed first, then keyboard-interactive authentication completed next.

If you expect to only authenticate with publickey, probably change

AuthenticationMethods publickey,keyboard-interactive

to

AuthenticationMethods publickey

or, if you enable any other authentication methods and expect any single successful authentication method as an OK, you may use

AuthenticationMethods any

I want to authenticate both with public key and 2FA

You may want to disable common-auth from PAM configs, as in most Linux/Unix distributions, common-auth includes pam_unix.so or pam_unix2.so, which requires the account password.
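A small check for the situation described in this answer, added here as an illustration and not taken from the question or the answer: it reads an sshd_config and a PAM service file and reports whether keyboard-interactive will end up prompting for the account password. The file contents are constructed samples (the common-auth text is modelled on a Debian-style file, which is an assumption), and pam_example_2fa.so is a hypothetical stand-in for whatever 2FA module is in use.

```python
import re

# Constructed samples, not the contents of the asker's pastebins.
SSHD_CONFIG = """\
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_SSHD = """\
@include common-auth
auth required pam_example_2fa.so  # hypothetical 2FA module name
@include common-account
"""
# Stand-ins for the files under /etc/pam.d that the service file pulls in.
PAM_INCLUDES = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth requisite pam_deny.so\n"
                   "auth required pam_permit.so\n",
    "common-account": "account required pam_unix.so\n",
}
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_method_lists(sshd_config):
    """Return the AuthenticationMethods lists; sshd uses the first occurrence."""
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() == "authenticationmethods":
            return [item.split(",") for item in words[1:]]
    return [["any"]]  # sshd's default when the keyword is absent

def pam_auth_modules(pam_text, includes):
    """List the modules in the auth stack, following @include/include/substack."""
    modules = []
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("@include"):
            modules += pam_auth_modules(includes.get(line.split()[1], ""), includes)
            continue
        m = PAM_LINE.match(line)
        if not m or m.group(1).lstrip("-") != "auth":
            continue  # only the auth stack decides what the user is prompted for
        if m.group(2) in ("include", "substack"):
            modules += pam_auth_modules(includes.get(m.group(3), ""), includes)
        else:
            modules.append(m.group(3))
    return modules

def asks_account_password(sshd_config, pam_text, includes):
    """True when a method list names keyboard-interactive and PAM runs pam_unix."""
    kbd = any(m.split(":")[0] == "keyboard-interactive"
              for methods in auth_method_lists(sshd_config) for m in methods)
    stack = pam_auth_modules(pam_text, includes)
    return kbd and any(mod in ("pam_unix.so", "pam_unix2.so") for mod in stack)
```

Commenting out the `@include common-auth` line in the sample service file leaves only the 2FA module in the auth stack, and the check then returns False.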
