Problem with MFA Activation

Hi ,

I’m trying to activate MFA on my system but once I’m configuring the keyboard-interactive methods , it is not allowed and so my sshd service won’t restart .

What I’m doing wrong ???

Here is the update that I have made to /etc/ssh/sshd_config file

PermitRootLogin no
PubkeyAuthentication yes
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

The /etc/pam.d/sshd file is updated like this

# auth substack passw-auth
auth required nullok

Then when I’m restart my sshd service
I got the following error

sshd[5723]: Disabled method "keyboard-interactive" in AuthenticationMethods list "publickey,keyboard>
AuthenticationMethods cannot be satisfied by enabled authentication methods
sshd.service: Main process exited, code=exited, status=255/EXCEPTION

Why is it not working properly ?

If I remove the keyboard-interactive method , then it is logging well automatically with my keys.
I want to authenticate with the key and the OTP

Many thanks



I found that I need also to update the /etc/ssh/sshd_config.d/50-redhat.conf
Because there is a directive in that file which is

ChallengeResponseAuthentication no

so you have to update to yes if not it is not working .
And you can’t populate it in the sshd_config file as it is not interpreted .

Now moving to my following error
The google_authenticator can’t create a tempfile or update the secret file


Source of this behavior Issue MFA , look at the cause …

ok find my other error .
The google_authenticator file is created by default in the ${HOME} folder and when Google Authenticator is trying to read and update it at the login . It is blocker by SELINUX.

So the workaround is for example to put the .google_authenticator file in another folder like the ${HOME}/.ssh folder and specify also this parameter in /etc/pam.d/sshd file

auth required secret=${HOME}/.ssh/.google_authenticator 

Updated like in the above example , you don’t need anymore to disable SELINUX and it is working fine