[BlueOnyx:26145] Re: BlueOnyx 5211R: Two-Factor-Auth (2FA)
Michael Stauber
mstauber at blueonyx.it
Fri Apr 21 15:34:19 -05 2023
Hi Taco,
> "PermitRootLogin without-password" to have only root access using public key?
I just added it to the mix and the RPMs with the change (for 5211R) will
be released on Monday:
https://devel.blueonyx.it/trac/changeset/4588/
Funny side note: If admin had 2FA enabled, I also activated it for
'root'. I already suspected that it might cause problems with
'PermitRootLogin without-password' - and indeed it did. :p
The Google Authenticator PAM module goes totally off the rails if
'PermitRootLogin without-password' is set and user 'root' tries to log in
with a client that doesn't have SSH keys already exchanged. It brings up
the password prompt, shows the 2FA prompt and then takes a dive.
So if 'PermitRootLogin without-password' is configured, the GUI will now
automatically remove the 2FA credentials of 'root' and remove him from
the 'google-authenticator' group as well.
Likewise: If "admin" creates new 2FA details for himself while
'PermitRootLogin without-password' is set, the 'root' account won't
receive any special 2FA treatment.
--
With best regards
Michael Stauber
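
Added example, not part of the message above and not BlueOnyx code: a shell check that flags the combination described in the post, key-only root login while 'root' is still a member of the 'google-authenticator' group. The function names are hypothetical, `prohibit-password` is treated as the newer OpenSSH spelling of `without-password`, and `Include` files and `Match` blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not BlueOnyx code); function names are hypothetical.

# Print the first global PermitRootLogin value, lowercased, or "unset".
# Assumption: Include files and Match blocks are not evaluated.
root_login_mode() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" {
            v = tolower($2); gsub(/"/, "", v); print v; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if user $3 is a listed member of group $2 in group file $1.
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Return 1 and print CONFLICT when root may only log in by key
# but is still enrolled in the google-authenticator group.
check_root_2fa() {
    mode=$(root_login_mode "$1")
    case "$mode" in
        without-password|prohibit-password)
            if user_in_group "$2" google-authenticator root; then
                echo "CONFLICT: PermitRootLogin $mode, root in google-authenticator"
                return 1
            fi ;;
    esac
    echo "OK: PermitRootLogin $mode"
}

# Demo on constructed files (not real system data).
demo() {
    d=$(mktemp -d)
    printf 'PermitRootLogin without-password\n' > "$d/sshd_config"
    printf 'google-authenticator:x:1001:admin,root\n' > "$d/group"
    check_root_2fa "$d/sshd_config" "$d/group"; rc=$?
    rm -rf "$d"; return $rc
}
demo || true
```

On a live system the call would be `check_root_2fa /etc/ssh/sshd_config /etc/group`.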