I have set up a server with sshd allowing public key access. I also set
up Google Authenticator in PAM by putting this line at the head of
/etc/pam.d/sshd:

    auth required pam_google_authenticator.so

If I connect to the server without a public key, I get the authenticator
prompt and then the password prompt, as expected.

If I connect with a public key, I don't get an authenticator or password
prompt. However, I expected an authenticator prompt but not a password
prompt.

As far as I can tell, sshd does all the public key authentication stuff,
and there isn't any documented way for PAM to check the result of the
public key other than inspecting an environment variable, SSH_AUTH_INFO_0.
All the docs I've read say PAM doesn't do that out of the box.

Has PAM been updated at or before Debian 11? If so, where can I manage
its actions?
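
The behaviour described in the post above follows from sshd's AuthenticationMethods setting: with the default value "any", a successful publickey authentication completes the login and the PAM auth stack, where pam_google_authenticator.so sits, is never run. The script below is an added example, not part of the original post; it reads settings in the format printed by `sshd -T` and reports whether key logins are also forced through keyboard-interactive. The function name and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: effective sshd settings in `sshd -T` format
# ("keyword value ..." per line, lowercase keywords) on stdin.
# Exit status 0: every AuthenticationMethods list that accepts publickey also
# requires keyboard-interactive, so a key login still reaches the PAM auth stack.
# Exit status 1: some list accepts a key without keyboard-interactive, or
# PAM / keyboard-interactive is switched off.
key_login_reaches_pam() {
    awk '
        $1 == "usepam" { usepam = $2 }
        # Older releases print challengeresponseauthentication as well; treat
        # any "no" among the two keywords as keyboard-interactive disabled.
        $1 == "kbdinteractiveauthentication" ||
        $1 == "challengeresponseauthentication" {
            if ($2 == "yes") kbd_yes = 1; else kbd_no = 1
        }
        $1 == "authenticationmethods" { $1 = ""; methods = $0 }
        END {
            if (usepam != "yes" || !kbd_yes || kbd_no) exit 1
            n = split(methods, lists, " ")
            if (n == 0) exit 1            # keyword absent: default is "any"
            for (i = 1; i <= n; i++) {
                if (lists[i] == "any") exit 1
                m = split(lists[i], parts, ",")
                has_key = 0; has_kbd = 0
                for (j = 1; j <= m; j++) {
                    if (parts[j] == "publickey") has_key = 1
                    if (parts[j] ~ /^keyboard-interactive(:pam)?$/) has_kbd = 1
                }
                if (has_key && !has_kbd) exit 1
            }
            exit 0
        }'
}

# Constructed sample inputs (not taken from a real server).
DEFAULT_CFG='usepam yes
kbdinteractiveauthentication yes
authenticationmethods any'
CHAINED_CFG='usepam yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'

for name in DEFAULT_CFG CHAINED_CFG; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | key_login_reaches_pam; then
        echo "$name: key logins also get the keyboard-interactive (PAM) prompt"
    else
        echo "$name: key logins do not get a keyboard-interactive (PAM) prompt"
    fi
done
```

On a live server the input would come from `sshd -T` run as root, which prints the effective settings after defaults are applied.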