
2FA passwordless for Local accounts with SSH Keys?

Steps For Configuring AuthNull PAM Authenticator (SSH Login) for Passwordless Authentication

  1. Log in to any VM and check out the PAM module (pam_authenticator.so) and the did.sh script from the path below:

    Github Link

  2. Move the pam_authenticator.so file into the /usr/local/lib/security directory (create the "security" directory if it does not exist), and move did.sh to the / path (set the correct permissions if required).

  3. Add the following lines at the end of /etc/pam.d/sshd:

    auth required /usr/local/lib/security/pam_authenticator.so debug nullok

    auth required pam_permit.so

    Comment out the @include common-auth line (so it reads #@include common-auth); this excludes the /etc/pam.d/common-auth file from the auth stack.

  4. For SSH key authentication, add the following lines at the end of /etc/ssh/sshd_config:

    AuthenticationMethods keyboard-interactive

    KbdInteractiveAuthentication yes

    Remove public-key authentication here (do not list publickey in AuthenticationMethods), as we are using 1FA.

  1. Restart the ssh service:

    sudo systemctl restart sshd

  2. Now log in to the VM using ssh:

    a. ssh username@ipaddress

This will initiate the passwordless login.

  1. Check the logs in /var/log/auth.log (Ubuntu/Debian based) or /var/log/secure (CentOS/RHEL based).

  2. If the logs show problems loading or building the .so file, use the options below to fix them:

    1. PAM header not found

      a. On CentOS and RHEL-based VMs, install the pam-devel package:

      sudo yum install pam-devel

      b. On Debian/Ubuntu-based VMs, install libpam0g-dev:

      sudo apt-get install libpam0g-dev

    2. Autoconf not installed/found (Debian/Ubuntu):

      apt-get install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev
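The log check in step 1 above can be automated. The script below is an added example, not code from the AuthNull project; it scans constructed /var/log/auth.log-style lines (hostname, PIDs, users and addresses are made up) for the messages libpam writes when pam_authenticator.so cannot be loaded, which is when the fixes under item 2 apply, and for the outcome of keyboard-interactive logins, flagging sources that fail repeatedly without ever succeeding.

```python
"""Triage of sshd and PAM messages from /var/log/auth.log or /var/log/secure.
Added example, not part of the AuthNull project. SAMPLE_LOG is constructed
(hostname, PIDs, users and addresses are made up) to mirror the message
formats OpenSSH and Linux-PAM write when a module fails to load and when
keyboard-interactive logins succeed or fail."""
import re
from collections import Counter

# libpam reports a module it could not load, then registers it as faulty
DLOPEN_ERROR = re.compile(r"PAM unable to dlopen\(([^)]+)\): (.*)$")
FAULTY_MODULE = re.compile(r"PAM adding faulty module: (\S+)")
# sshd outcome lines for the keyboard-interactive method the guide enables
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted keyboard-interactive/pam for (\S+) from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed keyboard-interactive/pam for (?:invalid user )?(\S+) from (\S+)")

SAMPLE_LOG = """\
Mar  4 10:01:12 vm1 sshd[2101]: PAM unable to dlopen(/usr/local/lib/security/pam_authenticator.so): /usr/local/lib/security/pam_authenticator.so: cannot open shared object file: No such file or directory
Mar  4 10:01:12 vm1 sshd[2101]: PAM adding faulty module: /usr/local/lib/security/pam_authenticator.so
Mar  4 10:01:12 vm1 sshd[2101]: Failed keyboard-interactive/pam for alice from 192.0.2.10 port 51022 ssh2
Mar  4 10:05:40 vm1 sshd[2150]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 51040 ssh2
Mar  4 10:06:03 vm1 sshd[2162]: Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 40010 ssh2
Mar  4 10:06:05 vm1 sshd[2162]: Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 40010 ssh2
"""


def triage(log_text):
    """Summarise log lines: module load errors, accepted logins, failure
    counts per (user, source) and sources that failed repeatedly with no success."""
    report = {"module_errors": [], "accepted": [], "failed": Counter()}
    for line in log_text.splitlines():
        m = DLOPEN_ERROR.search(line)
        if m:
            report["module_errors"].append(f"{m.group(1)}: {m.group(2)}")
            continue
        m = FAULTY_MODULE.search(line)
        if m:
            report["module_errors"].append(f"faulty module registered: {m.group(1)}")
            continue
        m = ACCEPTED.search(line)
        if m:
            report["accepted"].append((m.group(1), m.group(2)))
            continue
        m = FAILED.search(line)
        if m:
            report["failed"][(m.group(1), m.group(2))] += 1
    # A source that only ever fails is worth a look while the module is being rolled out
    successful_sources = {src for _, src in report["accepted"]}
    report["suspicious_sources"] = sorted(
        src for (_, src), count in report["failed"].items()
        if count >= 2 and src not in successful_sources)
    return report


def triage_file(path="/var/log/auth.log"):
    """Run the triage over a real log file (use /var/log/secure on CentOS/RHEL)."""
    with open(path, errors="replace") as f:
        return triage(f.read())


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for err in r["module_errors"]:
        print("module error:", err)
    print("accepted:", r["accepted"])
    print("repeat failures without success from:", r["suspicious_sources"])
```

A non-empty module_errors list means sshd never ran the authenticator at all (the stack failed before reaching it), so start with the build and path fixes above rather than with the user's enrolment.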

Note: To exempt a user group from AuthNull's custom PAM authentication, configure the line below in /etc/pam.d/sshd (it lets users in the group tempmfa log in without the MFA PAM module):

auth [success=done default=ignore] pam_succeed_if.so user ingroup tempmfa
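The settings from step 3, step 4 and the note above can be checked offline with the script below. It is an added example, not AuthNull's own code; it parses the text of /etc/pam.d/sshd and /etc/ssh/sshd_config (here, constructed sample contents) and reports anything that deviates from the guide. One point the check enforces: success=done ends the auth stack on success, so the tempmfa bypass line only skips the authenticator when it is placed before the pam_authenticator.so line.

```python
"""Offline audit of the /etc/pam.d/sshd and /etc/ssh/sshd_config settings
described in the guide. Added example, not AuthNull's own code; the sample
file contents at the bottom are constructed for the demonstration."""
import re

AUTHENTICATOR = "/usr/local/lib/security/pam_authenticator.so"  # path used by the guide


def parse_pam_stack(text):
    """Return (control, module, args, is_comment) tuples for the auth and
    @include lines of a pam.d file. Commented lines are kept so the
    '#@include common-auth' check can see them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        body = line.lstrip("#").strip()
        if body.startswith("@include"):
            entries.append(("@include", body.split()[1], "", is_comment))
            continue
        # the control field may be a bracketed list such as [success=done default=ignore]
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", body)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), is_comment))
    return entries


def audit_pam_sshd(text, bypass_group=None):
    """Findings for the PAM auth stack; an empty list means it matches the guide."""
    findings = []
    active = [e for e in parse_pam_stack(text) if not e[3]]

    # Step 3: common-auth must be commented out, or password auth stays in the stack
    if any(e[0] == "@include" and e[1] == "common-auth" for e in active):
        findings.append("@include common-auth is still active; comment it out")

    auth_idx = next((i for i, e in enumerate(active) if e[1] == AUTHENTICATOR), None)
    if auth_idx is None:
        findings.append("pam_authenticator.so is missing from the auth stack")
    elif active[auth_idx][0] != "required":
        findings.append("pam_authenticator.so should use the 'required' control")

    # Note: success=done ends the stack, so the bypass must come BEFORE the authenticator
    if bypass_group:
        bypass_idx = next((i for i, e in enumerate(active)
                           if e[1] == "pam_succeed_if.so"
                           and f"ingroup {bypass_group}" in e[2]), None)
        if bypass_idx is None:
            findings.append(f"no pam_succeed_if.so bypass line for group {bypass_group}")
        elif auth_idx is not None and bypass_idx > auth_idx:
            findings.append("group bypass sits after pam_authenticator.so and will not skip it")
    return findings


def audit_sshd_config(text):
    """Findings for sshd_config against step 4 (keyboard-interactive only)."""
    findings = []
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        # sshd uses the first occurrence of a keyword, so keep the first value seen
        directives.setdefault(key.lower(), value.strip())
    methods = directives.get("authenticationmethods", "")
    if "keyboard-interactive" not in methods:
        findings.append("AuthenticationMethods does not include keyboard-interactive")
    if "publickey" in methods:
        findings.append("publickey is still listed in AuthenticationMethods")
    if directives.get("kbdinteractiveauthentication", "").lower() != "yes":
        findings.append("KbdInteractiveAuthentication is not set to yes")
    return findings


def audit_files(pam_path="/etc/pam.d/sshd", sshd_path="/etc/ssh/sshd_config", bypass_group=None):
    """Run both audits against the real files on a host you administer."""
    with open(pam_path) as f:
        pam_findings = audit_pam_sshd(f.read(), bypass_group)
    with open(sshd_path) as f:
        sshd_findings = audit_sshd_config(f.read())
    return pam_findings + sshd_findings


# Constructed sample contents: one pair that follows the guide, one that does not
GOOD_PAM = """\
#@include common-auth
auth [success=done default=ignore] pam_succeed_if.so user ingroup tempmfa
auth required /usr/local/lib/security/pam_authenticator.so debug nullok
auth required pam_permit.so
"""
BAD_PAM = """\
@include common-auth
auth required /usr/local/lib/security/pam_authenticator.so debug nullok
auth required pam_permit.so
auth [success=done default=ignore] pam_succeed_if.so user ingroup tempmfa
"""
GOOD_SSHD = "AuthenticationMethods keyboard-interactive\nKbdInteractiveAuthentication yes\n"
BAD_SSHD = "AuthenticationMethods publickey,keyboard-interactive\nKbdInteractiveAuthentication no\n"

if __name__ == "__main__":
    for label, pam, sshd in (("good", GOOD_PAM, GOOD_SSHD), ("bad", BAD_PAM, BAD_SSHD)):
        print(label, audit_pam_sshd(pam, "tempmfa") + audit_sshd_config(sshd))
```

Run it with audit_files(bypass_group="tempmfa") on a configured host after step 4 and again after adding the bypass line; the BAD_PAM sample shows the two mistakes the audit is built to catch, the include left active and the bypass placed below the authenticator.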