SSH choice of second factor on login

ssh linux pam

There is, as far as I know, no standard/method that allows a user to select which MFA they want to use to login with from the commandline prompt during login. (But you could always write your own PAM module to do so ... #CurrentTeam did but didn't release that to the public domain.)

Not the most transparent for end-users, but something you can do with stock tools is to use PAM chaining to configure a fallback method.

Set the Yubico PAM module as sufficient and when you pass a valid One-Time-Password (OTP) you'll be granted access.

When what you entered does not validate as a correct Yubikey OTP, then authentication will fall through to the next allowed method, the Google-Authenticator PAM module.
That PAM module should be set to required.

If you then, after failing to enter a valid Yubibey OTP, enter a valid Google Authenticator code, you will be granted access and otherwise if you don't your authentication will be rejected.

That should somewhat similar to adding the following:

auth sufficient pam_yubico.so id=16 debug authfile=/path/to/mapping/file
auth required pam_google_authenticator.so

Related

Can I encrypt a whole pool with ZFSoL 0.8.1?
Is it possible to listen to a TCP port only with a shell, with no additional tools? [closed]
How to overprovision an SSD for holding a smaller ZFS volume (ZVOL)?
Hyper-V Server VM stuck at boot and I cannot delete it
Ubuntu iSCSI partition is not visible in lsblk
DC Replication Broken - RC4
package docker-ce requires containerd.io >= 1.4.1, but none of the providers can be installed
How do you know who or what is locking a removable disk?
Cloud infrastructure for home and personal experimentation? [closed]
Is it safe to upgrade an Ubuntu 8.10 Server to the latest release?
How can I automatically notify users of expiring passwords?
How many bad tapes are "normal"? [closed]