I’m trying to configure public key + TOTP-based 2FA for SSH on a server. The setup works perfectly; however, I’m curious to know how exactly the configuration works.

This is what /etc/pam.d/sshd looks like.

```
#%PAM-1.0
auth       required     pam_sepermit.so
# auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
```

My main question is:

  1. I had to comment out auth substack password-auth in order to stop PAM from asking for user passwords. However, how is it the case that account include password-auth and password include password-auth still need to be included? Are they even required or can they be safely removed?

Also:

  1. Should I move pam_google_authenticator and pam_permit to before postlogin? What effect would that have?

  2. Are all these PAM modules really necessary?

Is there some resource that describes the intricacies of PAM?

xrisk
0 Answers
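PAM evaluates each management group (auth, account, password, session) as its own stack, so the position of a line in the file only matters relative to other lines of the same group. The following is an added example, not part of the original post: it splits the file quoted in the question into those four stacks and lists auth modules that carry `nullok`. It assumes simple one-word control values (no bracketed `[success=...]` syntax), and the function names are made up for illustration.

```python
# /etc/pam.d/sshd as quoted in the question (pure comment lines omitted), embedded to run offline.
SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_sepermit.so
# auth       substack     password-auth
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
"""

GROUPS = ("auth", "account", "password", "session")

def parse_stacks(text):
    """Return {group: [(control, module, args), ...]} in file order (hypothetical helper)."""
    stacks = {g: [] for g in GROUPS}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments, including #%PAM-1.0
        if not line:
            continue
        fields = line.split()
        group = fields[0].lstrip("-")          # leading "-": no log entry if the module is missing
        if group not in stacks or len(fields) < 3:
            raise ValueError(f"unparsed line: {line!r}")
        stacks[group].append((fields[1], fields[2], fields[3:]))
    return stacks

def nullok_modules(stacks):
    """Auth modules configured with nullok (users without a secret are not prompted)."""
    return [module for _, module, args in stacks["auth"] if "nullok" in args]

if __name__ == "__main__":
    stacks = parse_stacks(SSHD_PAM)
    for group in GROUPS:
        print(group, "->", ", ".join(m for _, m, _ in stacks[group]))
    print("auth modules with nullok:", nullok_modules(stacks))
```

The output shows that the two `auth` lines at the bottom of the file belong to the same stack as the first three `auth` lines, and that the `account` and `password` includes are separate stacks untouched by commenting out the `auth substack` line.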