
#1 2026-03-05 14:56:48

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,424

[SOLVED] Question about enabling keyboard-authentication in ssh

hi!

So I'm learning how to do keyboard-authentication, because it seems it can offer 2FA in the process if you want to. So as far as I know I should put in the /etc/ssh/sshd_config:

# To not bypass 2FA or others basically
PasswordAuthentication no
# uncomment this to enable it
KbdInteractiveAuthentication yes

Is that the correct way to enable it? Please let me know.

But after that I had more questions about how to set it up. I know that if you want to use PAM to manage the authentication you should set:

UsePAM yes

But how could someone use a PAM module to make 2FA possible for ssh? Must one create a module, or is there something by default?

Also in the ssh_config you can see the Kerberos and GSSAPI options, which are these by default, and commented:

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

My question is: If GSSAPI enables the usage of Kerberos, in ssh must I uncomment KerberosAuthentication and GSSAPIAuthentication and set them to yes to make use of Kerberos? Or do I just need to set KerberosAuthentication yes to make a basic Kerberos configuration work? I'm not sure if you need to enable GSSAPI to make Kerberos work in ssh.


Thanks in advance for the help ^^

Last edited by Succulent of your garden (2026-03-08 14:28:19)


str( @soyg ) == str( @potplant ) btw!

Also now with avatar logo included!

Offline

#2 2026-03-05 17:02:18

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,878

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

But how could someone use a PAM module to make 2FA possible for ssh?

https://wiki.archlinux.org/title/OpenSS … ublic_keys
But what you want is simply https://wiki.archlinux.org/title/OpenSS … entication - that /is/ "2FA" (provided the private key is password protected which is the default) and isn't convoluted or actually silly like most other "2FA" systems (TOTP being particularly dumb)

Offline

#3 2026-03-05 17:54:54

-thc
Member
Registered: 2017-03-15
Posts: 1,104

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

For long years I considered a password-protected secret key for SSH public key authentication to be a "2FA". Yes - the user has to have one factor (secret key file) and has to know a second factor (passphrase) but the server only checks one factor (does the key pair match). After learning that I jokingly called this a "1.5-factor authentication".

A true "2FA" consists of two factors that are both independently checked by the server and each one has to match.

Offline
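
Added example, not part of any post in this thread: a shell check of effective server settings, in the lowercase `keyword value` form that `sshd -T` prints, covering the three options from post #1 and the criterion from post #3 that the server itself must verify both factors. It goes beyond the thread by relying on sshd's AuthenticationMethods keyword to require publickey plus keyboard-interactive; the function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads effective sshd settings in the
# lowercase "keyword value" form printed by `sshd -T` and checks that the
# server itself demands a key AND a PAM-driven keyboard-interactive step.
audit_sshd_2fa() {
    awk '
    NF < 2 { next }
    { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = $0 }
    function want(k, v) {
        if (val[k] != v) { printf "FAIL: %s is \"%s\", want \"%s\"\n", k, val[k], v; bad = 1 }
    }
    END {
        want("passwordauthentication", "no")
        want("kbdinteractiveauthentication", "yes")
        want("usepam", "yes")
        # AuthenticationMethods holds space-separated lists; completing any
        # ONE list grants access, so every list must contain both methods.
        n = split(val["authenticationmethods"], lists, " ")
        if (n == 0) { print "FAIL: authenticationmethods not set"; bad = 1 }
        for (i = 1; i <= n; i++) {
            m = split(lists[i], meth, ","); pk = 0; kbd = 0
            for (j = 1; j <= m; j++) {
                if (meth[j] == "publickey") pk = 1
                if (meth[j] == "keyboard-interactive" ||
                    index(meth[j], "keyboard-interactive:") == 1) kbd = 1
            }
            if (!(pk && kbd)) { printf "FAIL: list \"%s\" lacks publickey or keyboard-interactive\n", lists[i]; bad = 1 }
        }
        exit bad + 0
    }'
}

# Constructed samples (not captured from a real host).
SAMPLE_ENFORCED='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
authenticationmethods publickey,keyboard-interactive:pam'

# Same options, but sshd accepts the key alone: the passphrase is checked
# only on the client, which is the situation post #3 describes.
SAMPLE_KEY_ONLY='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
authenticationmethods any'

for s in "$SAMPLE_ENFORCED" "$SAMPLE_KEY_ONLY"; do
    if printf '%s\n' "$s" | audit_sshd_2fa; then echo "OK: both factors enforced"; fi
done
```

On a live host the input would come from `sshd -T | audit_sshd_2fa`, run as root.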

#4 2026-03-05 20:32:57

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,878

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

A true "2FA" consists of two factors that are both independently checked by the server and each one has to match.

Ok.

But the single advantage of that mandate is that the server gets to control whether there really is a 2nd factor.
The downside (usually) is that the symmetric "have" is stored (no hash) on the server and transmitted over the internet at least once and the "know" (password) transmitted over the internet and hashed server-side.

And at this point I'd argue that we're not talking about things *you* know and have but "people > 1" know and have - it might be true 2FA, but is also rather useless compared to a system that guarantees 2 things I know and have *exclusively*.
¯\_(ツ)_/¯

Offline

#5 2026-03-05 21:02:23

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,424

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

Thanks ^^

seth wrote:

But what you want is simply https://wiki.archlinux.org/title/OpenSS … entication - that /is/ "2FA" (provided the private key is password protected which is the default) and isn't convoluted or actually silly like most other "2FA" systems (TOTP being particularly dumb)

Yeah I know, it seems that pem by RSA or Ed25519 is always like the way to go for many reasons. But I found it interesting that you can in theory put like a TOTP during the validation process. Like you can have the ssh key + the passphrase and also at the end a TOTP.

But my main question is now: How can you attach a PAM module to the server? I mean surely it needs to be in /etc/pam.d/, but how can someone create a PAM module for Linux? Is there like a collection of PAM modules available that someone can use? I still don't grasp in detail that part of the process of validating authentications.

-thc wrote:

For long years I considered a password-protected secret key for SSH public key authentication to be a "2FA". Yes - the user has to have one factor (secret key file) and has to know a second factor (passphrase) but the server only checks one factor (does the key pair match). After learning that I jokingly called this a "1.5-factor authentication".

LoL, yeah I get it.


seth wrote:

it might be true 2FA, but is also rather useless compared to a system that guarantees 2 things I know and have *exclusively*.
¯\_(ツ)_/¯

But you have the private key and the passphrase, right? Those are two things? :P



Offline

#6 2026-03-05 21:18:29

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,878

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

But my main question is now: How can you attach a PAM module to the server?

There's a sample pam config invoking google authenticator in the wiki - ssh will use pam to authenticate you and pam will use whatever Pluggable Access Module has been configured.
https://aur.archlinux.org/packages/goog … libpam-git

Offline

#7 2026-03-05 21:28:53

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,424

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

seth wrote:

There's a sample pam config invoking google authenticator in the wiki - ssh will use pam to authenticate you and pam will use whatever Pluggable Access Module has been configured.
https://aur.archlinux.org/packages/goog … libpam-git

Yep I know, but I mean: how can you attach a self-made PAM module? Does documentation exist for making custom PAM modules?



Offline

#8 2026-03-05 21:38:41

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 73,878

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

You mean to write your own, custom PAM module?
There're some examples in https://github.com/linux-pam/linux-pam/ … r/examples and you can look at the authenticator PAM since you probably intend to do similar things and there's https://github.com/OdaiGH/pam-totp

This is strictly for fun and academic reasons, trying to write a pam module?

Offline

#9 2026-03-05 21:57:07

Succulent of your garden
Member
From: Majestic kingdom of pot plants
Registered: 2024-02-29
Posts: 1,424

Re: [SOLVED] Question about enabling keyboard-authentication in ssh

seth wrote:

You mean to write your own, custom PAM module?
There're some examples in https://github.com/linux-pam/linux-pam/ … r/examples and you can look at the authenticator PAM since you probably intend to do similar things and there's https://github.com/OdaiGH/pam-totp

Thanks ^^

seth wrote:

This is strictly for fun and academic reasons, trying to write a pam module?

Or at least understand how to make that, but in a like not so distant future, because I need to do all other stuff before ;)

But yeah just for learning and fun, and to be a better IT person ^^



Offline
