Situation:
I have activated Google Authenticator 2FA for SSH logins on Ubuntu 16.04, but made it optional in /etc/pam.d/sshd:
auth required pam_google_authenticator.so nullok
I have set up the 2FA for accounts which can log in from the Internet, but not for accounts which are restricted to access from the same subnet, because there are cronjobs running which have to transfer stuff from server to server.
This works fantastically for every account except root, which is of course restricted to exactly one IP address, because production and standby servers have to exchange SSL keys.
Case A: When I try to log in with a normal user account with an SSH key but without 2FA: no problem.
Case B: When I try to log in as root with an SSH key but without 2FA, I get this error in /var/log/auth.log:
Aug 20 23:39:59 host01 sshd[28638]: fatal: Internal error: PAM auth succeeded when it should have failed
Your help would be very much appreciated.
Best Answer
This is the expected behavior. Assuming you had PermitRootLogin without-password, the man page for PermitRootLogin says: PAM is considered keyboard-interactive. Therefore, with PermitRootLogin without-password, PAM should not allow root to log in, which is the behavior you observed.

There is a difference between without-password and yes for that option. You just observed it. With yes, you can log in with passwords or PAM, and with without-password you cannot log in with these methods. You could still log in with, e.g., a public key.

Changing PermitRootLogin to yes solves your problem, but please consider that all this headache is there for a reason. Unless you really know what you are doing, PermitRootLogin should be set to no. If you need to do rooty things remotely, log in as a user with sudo privileges.
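As an added illustration (not part of the question or the answer above), here is the global "PermitRootLogin yes" fix the answer warns about, placed next to an sshd_config that keeps root restricted to public-key logins from a single host while leaving 2FA for Internet-facing accounts; the addresses 192.0.2.0/24 and 192.0.2.10 are placeholders standing in for the local subnet and the standby server, and the Match/AuthenticationMethods keywords are those of OpenSSH 7.2 as shipped with Ubuntu 16.04.

```sshd_config
# --- Weak variant: makes the fatal error go away, but lets root authenticate
# --- through PAM (password or a nullok'd OTP stack) from any address.
# PermitRootLogin yes

# --- Hardened variant --------------------------------------------------------
UsePAM yes
ChallengeResponseAuthentication yes
# Root is refused everywhere unless a Match block below says otherwise.
PermitRootLogin no
# Internet-facing accounts: SSH key first, then the PAM (Google Authenticator)
# challenge. Accounts without ~/.google_authenticator still pass because of nullok.
AuthenticationMethods publickey,keyboard-interactive

# The one standby host that must reach root (placeholder address): key only.
# Because keyboard-interactive is never attempted here, sshd never reaches the
# "PAM auth succeeded when it should have failed" check from the question.
# "without-password" is the OpenSSH 7.2 spelling; "prohibit-password" is the
# same setting on newer releases.
Match User root Address 192.0.2.10
    PermitRootLogin without-password
    AuthenticationMethods publickey

# Cron/service accounts coming from the local subnet (placeholder range):
# key only, so the PAM stack and its nullok shortcut are not consulted.
Match Address 192.0.2.0/24
    AuthenticationMethods publickey
```

Match blocks are applied in file order and the first block that sets a keyword wins, so the root block is placed before the subnet block; validate with "sshd -t" and check the effective values for a given user and address with "sshd -T -C user=root,addr=192.0.2.10" before restarting the daemon.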