2FA with Public Key Authentication and Password for SSH with PAM Support (pam_duo)

I have followed this link: Duo Unix - 2FA for SSH with PAM Support (pam_duo) | Duo Security on how to setup DUO 2FA with Public Key Authentication. Is there a way to also add Password Authentication to it so that Users who decide to use SSH keys only have to accept the DUO prompt(and not have to type in their password) and users who decide to not use SSH keys but use password will get the DUO prompt?

Any assistance with this would be very much appreciated.

Hi tenajsystems,

What you are asking for is possible, but not wholeheartedly recommended. In your /etc/ssh/sshd_config file you can set:

UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubKeyAuthentication yes
PasswordAuthentication yes
ForceCommand /usr/sbin/login_duo

This configuration does not use PAM.

We do not completely support this method because of a potential security risk from using ForceCommand to open a new shell. There is potential for someone to configure the bashrc to open a shell before the shell protected by Duo loads.

@Amy Can what I described be done with PAM(using the pam_duo and not the login_duo)?

No, you can only achieve what you describe using the login_duo.