Disable PAM module for group
I recently enabled two-factor authentication using google-authenticator on my SSH server. However, I am now facing a problem:
I have a different group of users on my server which I am using for SFTP, but that group is no longer able to log in since 2FA isn't set up for the users in the group. Is it possible to disable the google-authenticator module for that group? Enabling it for the users in the group is not an option because multiple users will be using this account.
PS: I use openssh-server
You can use the pam_succeed_if module (see its manual page) before pam_google_authenticator to skip this part for your group:

    # the other authentication methods, such as @include common-auth
    auth [success=1 default=ignore] pam_succeed_if.so user ingroup group
    auth required pam_google_authenticator.so ...
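The `success=1` jump in the answer above is a positional skip: it only works while pam_google_authenticator is the very next `auth` line. The script below is an added example (not part of the answer) that reads a PAM stack and checks that the `success=N` count on the `user ingroup` line lands exactly after the google-authenticator line; the group name `sftponly` and the sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that pam_succeed_if's success=N jump skips
# exactly up to and including pam_google_authenticator, so that an
# unrelated "auth" line inserted between them is noticed.
# Caveat: @include lines are not expanded; run this on a stack where no
# included file sits between the two lines being checked.
# Usage: check_pam_skip /etc/pam.d/sshd   (or feed the stack on stdin)
check_pam_skip() {
    awk '
        /^[[:space:]]*#/ { next }             # skip comments
        $1 == "auth" {                         # count auth modules only
            n++
            if ($0 ~ /pam_succeed_if\.so/ && $0 ~ /user[[:space:]]+ingroup/) {
                start = n
                if (match($0, /success=[0-9]+/))   # pull N out of success=N
                    jump = substr($0, RSTART + 8, RLENGTH - 8)
            }
            if ($0 ~ /pam_google_authenticator/) ga = n
        }
        END {
            if (!start || !ga) { print "missing"; exit 2 }
            need = ga - start                  # modules to skip to land past GA
            if (jump == need) { print "ok"; exit 0 }
            printf "bad: success=%s but %d needed\n", jump, need; exit 1
        }
    ' "${1:--}"
}

# Constructed sample stacks used for demonstration (sftponly is a placeholder group).
good_stack() {
    printf '%s\n' \
      '# the other authentication methods, such as @include common-auth' \
      'auth [success=1 default=ignore] pam_succeed_if.so user ingroup sftponly' \
      'auth required pam_google_authenticator.so nullok'
}
# Same stack after someone inserted a module between the two lines:
# success=1 now skips the inserted line and still runs google-authenticator.
broken_stack() {
    printf '%s\n' \
      'auth [success=1 default=ignore] pam_succeed_if.so user ingroup sftponly' \
      'auth optional pam_faildelay.so delay=2000000' \
      'auth required pam_google_authenticator.so nullok'
}
```

Run `good_stack | check_pam_skip` and `broken_stack | check_pam_skip` to see "ok" versus a "bad: success=1 but 2 needed" report.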
Some SFTP clients can handle 2FA. For example, I'm using 2FA with FileZilla and WinSCP and they work. Also I have set up ssh-key authentication and it works alongside 2FA.
However, your question is interesting and I made a short survey. I found this answer.
So, it is possible (and easy) to run separate ssh instances. I've already tested it.
1. Make separate copies of the sshd_config file:

    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_pwd
    $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_2fa

2. Edit these new config files. One of the things you must change is the ssh port. According to the example:

   2.a) sshd_config_pwd specific lines are:

    Port 1022
    ...
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    UsePAM no

   2.b) sshd_config_2fa specific lines are:

    Port 2022
    ...
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePAM yes

3. Open the necessary ports in the firewall. According to the example:

    $ sudo ufw limit 1022
    $ sudo ufw limit 2022

4. Run the new ssh instances:

    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_pwd
    $ sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_2fa
That's it.