I'm trying to create an authentication process for an Amazon EC2 Ubuntu instance that will require the use of a key pair generated by Amazon AND Google-Authenticator. Ergo, I want to log in to the instance with my pem file and then be prompted with the verification code prompt.
Verification code:
I've managed to log in to my server using my pem file. I have also managed to install Google-Authenticator successfully and use it to log in with a separate user (not ubuntu) that I've created and given a specific password.
In my /etc/ssh/sshd_config I have:
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods keyboard-interactive
and in my /etc/pam.d/sshd:
@include common-auth
auth required pam_google_authenticator.so
If I add publickey to AuthenticationMethods, then on login I'm prompted for a password instead of using the pem file I'm providing in:
ssh -i my-key.pem ubuntu@*.*.*.*
How can I get OpenSSH to authenticate via pem file --> google-authenticator?
Thanks!
My solution was to be checked by a pem file, a password and a verification OTP. For this I had:
In /etc/pam.d/sshd/:
@include common-auth
auth required pam_sepermit.so
auth required pam_google_authenticator.so
In /etc/ssh/sshd_config/:
AuthenticationMethods publickey,keyboard-interactive
The rest of the configs are as described above. Notice publickey comes before keyboard-interactive in AuthenticationMethods, otherwise the verification code comes first and then the pem file checking.
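As an added example (not part of the original question or answer), here is a small shell check of the two files discussed above. It relies on the OpenSSH rule that commas inside one AuthenticationMethods list mean every method must succeed, while spaces separate alternative lists; the function name check_ssh_2fa and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit sshd + PAM settings for "key AND verification code" login.
# Only top-level directives are read; Match blocks are not interpreted.
check_ssh_2fa() {   # usage: check_ssh_2fa SSHD_CONFIG PAM_FILE ; returns 0 if sound
    local cfg="$1" pam="$2" rc=0 methods usepam list
    # sshd keywords are case-insensitive and the first uncommented value wins.
    methods=$(awk 'tolower($1)=="authenticationmethods"{$1="";sub(/^ +/,"");print;exit}' "$cfg")
    usepam=$(awk 'tolower($1)=="usepam"{print tolower($2);exit}' "$cfg")
    if [ -z "$methods" ]; then
        echo "FAIL: AuthenticationMethods unset, one successful method is enough"; rc=1
    fi
    # Space-separated lists are alternatives (OR); commas inside one list mean AND.
    for list in $methods; do
        case ",$list," in
            *,publickey,*) ;;
            *) echo "FAIL: list '$list' does not require publickey"; rc=1 ;;
        esac
        case ",$list," in
            *,keyboard-interactive,*|*,keyboard-interactive:pam,*) ;;
            *) echo "FAIL: list '$list' does not require keyboard-interactive"; rc=1 ;;
        esac
    done
    if [ "$usepam" != yes ]; then
        echo "FAIL: UsePAM is not 'yes', so sshd does not use the PAM stack"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$pam"; then
        echo "FAIL: no required pam_google_authenticator.so auth line in $pam"; rc=1
    fi
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
        echo "NOTE: common-auth is included, so the account password is asked as well"
    fi
    return "$rc"
}

# Constructed sample files: the answer's settings, then the same list written with a space.
demo=$(mktemp -d)
printf '%s\n' 'ChallengeResponseAuthentication yes' 'PasswordAuthentication no' 'UsePAM yes' \
    'AuthenticationMethods publickey,keyboard-interactive' > "$demo/good_sshd"
sed 's/publickey,keyboard/publickey keyboard/' "$demo/good_sshd" > "$demo/weak_sshd"
printf '%s\n' '@include common-auth' 'auth required pam_sepermit.so' \
    'auth required pam_google_authenticator.so' > "$demo/pam_sshd"
for f in good_sshd weak_sshd; do
    if check_ssh_2fa "$demo/$f" "$demo/pam_sshd"; then echo "$f: OK"; else echo "$f: WEAK"; fi
done
```

To audit a live host, point the function at a file holding the output of `sudo sshd -T` (the effective configuration) and at /etc/pam.d/sshd.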