chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get ...


I have sshd server

    sshd -V
        OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

running on linux/64


    cat sshd_config
        PubkeyAuthentication                 yes
        PasswordAuthentication               no
        ChallengeResponseAuthentication      no
        GSSAPIAuthentication                 no
        GSSAPICleanupCredentials             no
        HostbasedAuthentication              no
        RhostsRSAAuthentication              no
        RSAAuthentication                    no

        UseLogin                             no
        PermitEmptyPasswords                 no
        UsePrivilegeSeparation               yes

I can ssh in with pubkey auth.

I want to ADD a 2nd factor authentication step; specifically Google Authenticator

I installed



At shell, I exec


and create the key

I edit

    vi /etc/pam.d/sshd
    +    auth       required


    vi /etc/ssh/sshd_config
    -    ChallengeResponseAuthentication      no
    +    ChallengeResponseAuthentication      yes
    +    KbdInteractiveAuthentication         yes

and restart the daemon

    systemctl restart sshd
        Dec  7 14:05:59 server systemd[1]: Stopping OpenSSH Daemon...
        Dec  7 14:05:59 server sshd[4821]: Received signal 15; terminating.
        Dec  7 14:05:59 server systemd[1]: Starting OpenSSH Daemon...
        Dec  7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
        Dec  7 14:05:59 server sshd[5112]: Server listening on port 22.
        Dec  7 14:05:59 server sshd[5112]: Server listening on port 22.

In the client's ssh_config I added

    User                               root
    ChallengeResponseAuthentication    yes
    PreferredAuthentications           publickey,keyboard-interactive
    ForwardX11                         yes
    ForwardX11Trusted                  yes
    Compression                        no  

IIUC, now, when I log in from the client to the server, I should ALWAYS be prompted for the Google Authenticator code after a successful pubkey auth.

But when I ssh in to the machine, I still get only the pubkey auth -- never get asked for the GA code, and I can login.

    ssh -v -l root server

        sshr_server -4v
        OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
        debug1: Reading configuration data /etc/ssh/ssh_config
        debug1: /etc/ssh/ssh_config line 89: Applying options for *
        debug1: /etc/ssh/ssh_config line 147: Applying options for *
        debug1: Connecting to [] port 22.
        debug1: fd 3 clearing O_NONBLOCK
        debug1: Connection established.
        debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
        debug1: Enabling compatibility mode for protocol 2.0
        debug1: Local version string SSH-2.0-OpenSSH_6.7
        debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
        debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: server->client <implicit> none
        debug1: kex: client->server <implicit> none
        debug1: sending SSH2_MSG_KEX_ECDH_INIT
        debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
        debug1: Server host key: ED25519 2f:...
        debug1: Host '' is known and matches the ED25519 host key.
        debug1: Found key in /etc/ssh/ssh_known_hosts:1
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: expecting SSH2_MSG_NEWKEYS
        debug1: SSH2_MSG_NEWKEYS received
        debug1: SSH2_MSG_SERVICE_REQUEST sent
        debug1: SSH2_MSG_SERVICE_ACCEPT received
        debug1: Authentications that can continue: publickey,keyboard-interactive
        debug1: Next authentication method: publickey
        debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
        debug1: Server accepts key: pkalg ssh-rsa blen 279
        debug1: Authentication succeeded (publickey).
        Authenticated to ([]:22).
        debug1: channel 0: new [client-session]
        debug1: Requesting
        debug1: Entering interactive session.
        debug1: Requesting X11 forwarding with authentication spoofing.
        debug1: Sending environment.
        debug1: Sending env LANG = en_US.UTF-8
        debug1: Sending env DISPLAY = :0

I'm not sure where to look for WHY this isn't working.

How do I get the 2nd-factor step turned on?  config change? add'l packages required?  etc?
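Added editorial example, not part of the original post. Enabling keyboard-interactive only makes the Google Authenticator prompt *available*; on OpenSSH 6.2 and later, sshd requires several methods in sequence only when `AuthenticationMethods` lists them, and without that directive any single enabled method (here publickey) is sufficient on its own, which is exactly what the debug output above shows (key accepted, session opened, no prompt). The script below lints an sshd_config for that condition, plus the two prerequisites the PAM prompt needs (`ChallengeResponseAuthentication yes`, `UsePAM yes`). The two sample configs and the `Match User backup` stanza are constructed input for the demonstration, not taken from the post.

```shell
#!/bin/sh
# Added example (not code from the original post): lint an sshd_config and
# report whether a second factor is REQUIRED after public-key auth rather than
# merely offered. Facts relied on: OpenSSH >= 6.2 chains methods with
# AuthenticationMethods; sshd honours the FIRST occurrence of a keyword and
# treats everything after a Match line as conditional; keyboard-interactive via
# pam_google_authenticator needs ChallengeResponseAuthentication yes and
# UsePAM yes. File contents below are constructed sample input.

# sshd_opt FILE KEYWORD: print the effective global value of KEYWORD
# (first occurrence wins, keyword match is case-insensitive, Match ends scope).
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # conditional section begins
        tolower($1) == key     { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# check_mfa_chain FILE: return 0 when every AuthenticationMethods alternative
# demands both publickey and keyboard-interactive and the PAM prerequisites
# are on; otherwise print what is missing and return 1.
check_mfa_chain() {
    cfg=$1
    rc=0
    methods=$(sshd_opt "$cfg" AuthenticationMethods)
    chal=$(sshd_opt "$cfg" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    usepam=$(sshd_opt "$cfg" UsePAM | tr 'A-Z' 'a-z')

    if [ -z "$methods" ]; then
        echo "MISSING: AuthenticationMethods (any one enabled method, e.g. publickey alone, logs in)"
        rc=1
    else
        # Each space-separated alternative is a comma list that must ALL succeed;
        # the client may satisfy any alternative, so each must contain both.
        for alt in $methods; do
            case ",$alt," in
                *,publickey,*) ;;
                *) echo "WEAK: alternative '$alt' does not require publickey"; rc=1 ;;
            esac
            case ",$alt," in
                *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
                *) echo "WEAK: alternative '$alt' does not require keyboard-interactive"; rc=1 ;;
            esac
        done
    fi
    # ChallengeResponseAuthentication defaults to yes, so only an explicit no breaks it.
    if [ "$chal" = "no" ]; then
        echo "MISSING: ChallengeResponseAuthentication yes (keyboard-interactive is never offered)"
        rc=1
    fi
    # UsePAM defaults to no in the OpenSSH source; the PAM stack is skipped without it.
    if [ "$usepam" != "yes" ]; then
        echo "MISSING: UsePAM yes (/etc/pam.d/sshd is not consulted for keyboard-interactive)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: publickey then keyboard-interactive are both required"
    return "$rc"
}

# Constructed sample: the post's settings after its edits (no chaining directive).
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
PubkeyAuthentication                 yes
PasswordAuthentication               no
ChallengeResponseAuthentication      yes
KbdInteractiveAuthentication         yes
UsePrivilegeSeparation               yes
EOF

# Constructed sample: the same host with the chain enforced globally; the
# hypothetical "backup" user keeps key-only auth inside a Match block, which
# the global lint deliberately does not read.
AFTER=$(mktemp)
cat > "$AFTER" <<'EOF'
PubkeyAuthentication                 yes
PasswordAuthentication               no
ChallengeResponseAuthentication      yes
UsePAM                               yes
AuthenticationMethods                publickey,keyboard-interactive
Match User backup
    AuthenticationMethods            publickey
EOF

echo "== before =="; check_mfa_chain "$BEFORE" || true
echo "== after  =="; check_mfa_chain "$AFTER"
```

Run it against the live file with `check_mfa_chain /etc/ssh/sshd_config`; to see what sshd actually loaded (including defaults and distro drop-ins), compare against `sshd -T` output rather than the file. After adding `AuthenticationMethods publickey,keyboard-interactive`, the client debug should show `Authentication succeeded (publickey)` followed by `Authentications that can continue: keyboard-interactive` and the prompt, instead of going straight to the session.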

