Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
2 votes, 1 answer, 480 views
How to configure SSH authentication with all 3 components: publickey, password and OTP
**Update 1**: I'm able to apply all publickey + password + OTP with this basic config in `/etc/pam.d/common-auth`.
```sh
auth [success=ok] pam_unix.so
auth [success=1] pam_google_authenticator.so nullok echo_verification_code [authtok_prompt=Enter your OTP:]
auth requisite pam_deny.so
auth required pam_permit.so
```
I will try to apply `pam_faillock.so` to this as in the original plan.
---------
**Original question:**
I'm using Debian 10 and 12 and would like to make my users only successfully SSH to the server if they have a matching publickey, then input their password, and then follow with an OTP (google-authenticator). In short, SSH should require publickey + password + OTP.
I have already successfully configured the combination of publickey + password or publickey + OTP, but still struggle to combine all three.
Please help me configure it.
My try so far:
`/etc/pam.d/common-auth`
```sh
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=1800
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 fail_interval=120 unlock_time=1800
auth sufficient pam_faillock.so authsucc audit deny=5 fail_interval=120 unlock_time=1800
auth required [success=1] pam_google_authenticator.so echo_verification_code
auth requisite pam_deny.so
auth required pam_permit.so
```
`/etc/pam.d/sshd`
```sh
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv #
session required pam_limits.so
session required pam_env.so #
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
```
`/etc/ssh/sshd_config`
```sh
Include /etc/ssh/sshd_config.d/*.conf
MaxAuthTries 5
MaxSessions 1
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
ClientAliveInterval 60
ClientAliveCountMax 15
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password,keyboard-interactive
```
When trying to connect: `ssh -i user@server -vvv`
```shell
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key:
debug3: sign_and_send_pubkey:
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
Authenticated with partial success.
debug1: Authentications that can continue: password
debug3: start over, passed a different list password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
user@server's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(user@server) Password:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(user@server) Password:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(user@server) Password:
debug3: send packet: type 61
debug3: receive packet: type 51
debug1: Authentications that can continue: keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
user@server: Permission denied (keyboard-interactive).
```
It failed in step 3 (keyboard-interactive), and some things were different from the normal OTP verification:
- It did not ask for the `Verification code:` but just asked `(user@server) Password:`.
- It did not show the raw OTP code when I inputted it, despite configuring `echo_verification_code` in `common-auth`.
P/s: I also configured `pam_faillock.so` to lock out users for failed login attempts.
P/s: I also configured pam_faillock.so
to lockout users for failed login attempts.
TungNS (21 rep), Apr 19, 2024, 03:46 AM • Last activity: Apr 22, 2024, 06:57 AM
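A small diagnostic for transcripts like the one in the question above. This is an added example, not code posted by the asker: it walks OpenSSH client `ssh -vvv` output and records which methods ended in partial success, what text each keyboard-interactive round actually prompted for, and at which method the login stopped. The sample log inside the block is constructed, abridged from the question's transcript.

```python
"""Summarize an OpenSSH client transcript (ssh -vvv) for a chained login.

Added example, not code from the question: it walks the client debug output
and records which methods finished with partial success, what the server's
keyboard-interactive rounds actually prompted for, and where the login ended.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, abridged from the transcript in the question.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
Authenticated with partial success.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
user@server's password:
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: input_userauth_info_req: num_prompts 1
(user@server) Password:
debug1: Authentications that can continue: keyboard-interactive
debug2: input_userauth_info_req: num_prompts 1
(user@server) Password:
debug1: Authentications that can continue: keyboard-interactive
debug2: input_userauth_info_req: num_prompts 1
(user@server) Password:
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.
user@server: Permission denied (keyboard-interactive).
"""

NEXT_METHOD = re.compile(r"^debug1: Next authentication method: (\S+)")
PARTIAL = re.compile(r"^Authenticated with partial success\.")
CAN_CONTINUE = re.compile(r"^debug1: Authentications that can continue: (.+)$")
NUM_PROMPTS = re.compile(r"^debug2: input_userauth_info_req: num_prompts (\d+)")
SUCCEEDED = re.compile(r"^debug1: Authentication succeeded \((\S+)\)\.")
DENIED = re.compile(r"^\S+: Permission denied \((.+)\)\.")


@dataclass
class AuthTrace:
    attempted: List[str] = field(default_factory=list)        # methods the client tried, in order
    partial_success: List[str] = field(default_factory=list)  # methods the server accepted
    kbdint_prompts: List[str] = field(default_factory=list)   # prompt text per kbdint round
    last_offered: List[str] = field(default_factory=list)     # last "can continue" list
    outcome: str = "unknown"                                  # success | denied | unknown
    failed_method: Optional[str] = None


def summarize_ssh_debug(text: str) -> AuthTrace:
    trace = AuthTrace()
    current: Optional[str] = None
    pending_prompts = 0  # prompts announced by num_prompts but not yet seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_prompts and not line.startswith("debug"):
            # The first non-debug line after num_prompts is the PAM prompt text.
            trace.kbdint_prompts.append(line)
            pending_prompts -= 1
        elif m := NEXT_METHOD.match(line):
            current = m.group(1)
            trace.attempted.append(current)
        elif PARTIAL.match(line) and current:
            trace.partial_success.append(current)
        elif m := CAN_CONTINUE.match(line):
            trace.last_offered = m.group(1).split(",")
        elif m := NUM_PROMPTS.match(line):
            pending_prompts = int(m.group(1))
        elif SUCCEEDED.match(line):
            trace.outcome = "success"
            trace.failed_method = None
        elif m := DENIED.match(line):
            trace.outcome = "denied"
            trace.failed_method = m.group(1)
    return trace


def diagnose(trace: AuthTrace) -> List[str]:
    """Short findings about where a chained login stopped and what it asked for."""
    notes = []
    if trace.partial_success:
        notes.append("partial success for: " + ", ".join(trace.partial_success))
    if trace.kbdint_prompts:
        kinds = sorted({p.rsplit(") ", 1)[-1] for p in trace.kbdint_prompts})
        notes.append(f"{len(trace.kbdint_prompts)} keyboard-interactive prompt(s): {', '.join(kinds)}")
        if not any(w in p.lower() for p in trace.kbdint_prompts for w in ("verification", "otp")):
            notes.append("no OTP/verification-code prompt appeared in the keyboard-interactive stage")
    if trace.outcome == "denied":
        notes.append(f"login denied at method: {trace.failed_method}")
    elif trace.outcome == "success":
        notes.append("login succeeded")
    return notes


if __name__ == "__main__":
    for note in diagnose(summarize_ssh_debug(SAMPLE_LOG)):
        print(note)
```

Run against a real transcript with `python3 ssh_trace.py < log` adapted to read stdin, or paste the transcript into `SAMPLE_LOG`. The prompt-text check is the useful part for this question: it makes it obvious when the keyboard-interactive stage served a `Password:` prompt rather than a verification-code prompt, which is the symptom the asker observed.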
1 vote, 0 answers, 60 views
Yubikey PIV not working without OTP
I just started using a Yubikey to do SSH logins by following this guide.
It works fine - but only as long as the Yubikey is able to do OTP. After a few accidental touches on the key spewing a random string into places I don't want it, I figured I could just disable OTP as I'm only using PIV.
Cert/key is there and working:
```shell
$ ykman --version
YubiKey Manager (ykman) version: 5.1.0
$ cat /etc/fedora-release
Fedora release 38 (Thirty Eight)
$ ykman piv info
PIV version: 5.4.3
PIN tries remaining: 3/3
Management key algorithm: TDES
CHUID: No data available
CCC: No data available
Slot 9A (AUTHENTICATION):
  Algorithm: ECCP256
  Subject DN: CN=SSH key
  Issuer DN: CN=SSH key
  Serial: 14009452700000000000
  Fingerprint: 1fa375971a89c6f82f3b73218f717cb1d031fbd61c94965qqqqqqqqqqqqqqqqq
  Not before: 2023-03-10T10:02:12
  Not after: 2024-03-09T10:02:12
```
I can disable OTP:
```shell
$ ykman config usb --list
OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
$ ykman config usb --disable OTP
USB configuration changes:
Disable OTP
The YubiKey will reboot
Proceed? [y/N]: y
$ ykman config usb --list
FIDO U2F
FIDO2
OATH
PIV
OpenPGP
```
But after doing that, SSH no longer works, and I'm prompted for a password instead of the expected key-based login.
I can enable OTP again:
```shell
$ ykman config usb --enable OTP
USB configuration changes:
Enable OTP
The YubiKey will reboot
Proceed? [y/N]: y
```
which restores SSH functionality.
Why must OTP be enabled for PIV to work?
azzid (1010 rep), May 18, 2023, 12:29 PM • Last activity: May 23, 2023, 07:48 AM
0 votes, 0 answers, 862 views
What is the best way to make LDAP based TOTP only required in some cases?
I have a 2FA setup on my network for certain kinds of authentication, but not others. The way it currently works is a combination of pam_ldap for passwords and pam_oath for TOTP. PAM is configured in a way that it requires only pam_ldap for local login/unlock, only pam_oath for SSH (because that already requires publickey), and both for sudo and su.
The problem with this setup is that pam_oath reads from `/etc/users.oath`. I need to periodically regenerate this file based on LDAP contents. Even worse, it also writes to this file, which I currently just ignore.
There is a TOTP module for OpenLDAP I want to try, called [slapo-otp](https://man7.org/linux/man-pages/man5/slapo-otp.5.html). This would solve the problem of having to keep the file in sync, but I would lose the option to skip it in some cases. I don't want to use it for unlocking the screen every time; people will just turn off the screen locker. Honestly, even I would do that.
Please give me some ideas.
stribika (5564 rep), Feb 17, 2023, 02:04 PM
0 votes, 0 answers, 212 views
Does Google Authenticator support a time step of more than 30 sec?
I have generated a QR code from here defining a time period of 60 sec, but when scanning the QR code with the Google Authenticator app, it uses the default time step of only 30 seconds.
Does Google Authenticator support a time step of more than 30 sec? If not, why? How can I make it support it?
BDN (341 rep), Feb 8, 2021, 11:40 AM • Last activity: Feb 8, 2021, 12:08 PM
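The question above turns on what the TOTP time step does. As an added example (not the asker's code, and not Google's), the block below implements HOTP (RFC 4226) and TOTP (RFC 6238) directly on the Python standard library so the effect of the `period` parameter is visible, and builds the `otpauth://` URI that an enrolment QR code encodes, with `period=` included. The secret is the shared test secret published in those RFCs; the issuer and account names are made up. Whether a particular authenticator app honours `period` is a property of that app, which this code cannot show; it shows only that a 60-second generator and a 30-second verifier map the same instant to different counters and therefore different codes.

```python
"""TOTP (RFC 6238) with a configurable time step.

Added example, not the asker's code and not Google's: HOTP/TOTP are
implemented directly on the standard library so the effect of the `period`
(time step) parameter is visible, and the otpauth:// URI that a QR code
encodes is built with `period=` included.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Shared test secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: the HOTP counter is the number of whole `period`-second steps since t0.

    Changing `period` changes which counter a given wall-clock time maps to, so
    a 60-second generator and a 30-second verifier will disagree on the code.
    """
    return hotp(secret, (unix_time - t0) // period, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step and up to `skew` steps either side, comparing in constant time."""
    step = unix_time // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), code)
               for d in range(-skew, skew + 1) if step + d >= 0)


def otpauth_uri(secret: bytes, issuer: str, account: str, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1") -> str:
    """Build the otpauth:// URI that enrolment QR codes carry; `period` is a query parameter."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    params = {"secret": b32, "issuer": issuer, "algorithm": algorithm,
              "digits": digits, "period": period}
    return f"otpauth://totp/{label}?{urlencode(params)}"


if __name__ == "__main__":
    now = int(time.time())
    # Same secret and instant, two different time steps: the codes generally differ.
    print("30s step:", totp(RFC_SECRET, now), " 60s step:", totp(RFC_SECRET, now, period=60))
    # Issuer and account names are made up for the demo.
    print(otpauth_uri(RFC_SECRET, "ExampleCorp", "alice@example.com", period=60))
```

The verifier's `skew` window is the usual way servers absorb clock drift; note that a longer `period` already widens the acceptance window for a code, so a 60-second step with the same `skew` accepts each code for twice as long as a 30-second step does.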
4 votes, 1 answer, 1963 views
SSH Publickey+TOTP and Password+TOTP simultaneously
I am trying to set up an SSH server where some users prefer to use an SSH key but others prefer LDAP-provided passwords.
I found out that I can set in `sshd_config` publickey + PAM or PAM-only authentication:
```
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
```
The PAM part works as expected. The user enters their LDAP password and is asked for a verification code.
However, publickey authentication works so that the user uses the key, is then asked to enter the LDAP password, and then enters the verification code. (We do not want key users to also be asked for a password.)
Is it possible to support key users so they do not need to enter their password while the 2FA verification code is still asked for? Meanwhile, can people who do not provide a key still use passwords for authentication and also be asked for the 2FA verification code?
Note: We want to have a single SSH server process running in the system. We prefer not to use a solution like running multiple SSH servers on different ports.
Thanks!
yurtesen (558 rep), Nov 19, 2020, 01:34 PM • Last activity: Dec 3, 2020, 10:41 AM
0 votes, 1 answer, 857 views
MultiOTP with freeradius wrong
I am running FreeRADIUS 3.* on my server with MultiOTP version 4.3.1.1, and for configuring FreeRADIUS I have used this guide:
http://wiki.freeradius.org/guide/multiOTP-HOWTO
When I use `radiusd -X`, what goes wrong looks like this (screenshot not included here) with my policy.conf:
```
root@debian:~# cat /usr/local/etc/raddb/policy.d/policy.conf
policy {
    # Change to a specific prefix if you want to deal with normal PAP authentication as well as OTP
    # e.g. "multiotp_prefix = 'otp:'"
    multiotp_prefix = ''
    multiotp.authorize {
        # This test is for decimal OTP code only, otherwise you will have to change it
        # Try for example this simple test: if (!control:Auth-Type) {
        if (control:Auth-Type == 'MS-CHAP') {
            update control {
                Auth-Type := multiotpmschap
            }
        }
        elsif (!control:Auth-Type && User-Password =~ /^${policy.multiotp_prefix}([0-9]{10})$/) {
            update control {
                Auth-Type := multiotp
            }
        }
    }
}
```
I have looked through more documents and wikis, but it doesn't work. So I want to know what is wrong with it.
zore lu (45 rep), Jun 4, 2017, 09:20 AM • Last activity: Oct 21, 2018, 05:20 PM
2 votes, 0 answers, 991 views
How to generate OTP codes offline by Security Key in Debian?
Assume you need the OTPs for devices which are separate from the Debian system that generates the codes. Here, U2F does not work in all cases, so I need OTPs.
I am trying to add offline OTP functionality with a YubiKey Neo in Debian.
My idea:
1. have some key server on your Linux
2. some frontend to generate OTPs.
I have not found any GUI/UI frontend for the generation of OTPs by `apt search ...`.
Things already installed and partially tested:
```sh
apt search YubiHSM
sudo apt install yubikey-val
sudo apt install python-serial python-crypto
sudo apt install yhsm-tools yhsm-yubikey-ksm yhsm-validation-server yhsm-daemon
```
I added `username:keyID` in `$HOME/.yubico/authorized_yubikeys`.
I did not manage to set up any server system in `/etc/pam.d/common-auth`.
Rejected OTP types:
1. [Celada] time-based OTPs (TOTP), because there is no clock in the YubiKey
2. Ticket #00019568: Their answer says that it is not possible, in the following.
> This is not supported by the YubiKey. If you are looking to ask for a new feature request, that is best done at our forum in the Suggestions section (https://forum.yubico.com/viewforum.php?f=12&sid=6d5c3368d99340d20ef691f2146c44c7) .
OS: Debian 8.7
Fido U2F: Yubico YubiKey Neo, YubiKey 4 White
Yubico ticket for sequence-based OTPs: #00019568 *I want to generate OTPs by YubiKey Neo. The following thread proposes that the OTPs should be sequence-based OTPs. How can you generate such OTPs by YubiKey Neo in Linux Debian 8.7?*
Yubico forum thread: How can you generate OTPs offline by YubiKey in Debian?
Léo Léopold Hertz 준영 (7138 rep), Apr 13, 2017, 07:40 PM • Last activity: Apr 21, 2017, 07:38 PM
Showing page 1 of 7 total questions