RHEL 7 google-authenticator: publickey only with optional MFA

I am trying to set up MFA on RHEL 7 and am running into a chicken-and-egg problem. If I enable MFA in PAM, I cannot log in to set up the .google-authenticator file. I know the nullok option in PAM is supposed to let this work and pass through, but I have had no luck. The end goal is publickey ssh access with optional MFA. Note: if the .google-authenticator file is created before the PAM module is enabled, MFA works fine.

    # ssh client debug
    *snip*
    Authenticated with partial success.
    debug1: Authentications that can continue: keyboard-interactive
    debug3: start over, passed a different list keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug3: send packet: type 50
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: keyboard-interactive
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.

    # secure log
    Sep 29 09:44:28 ip-xxxxxx sshd(pam_google_authenticator)[9502]: debug: start of google_authenticator for "ec2-user"
    Sep 29 09:44:28 ip-xxxxxx sshd[9500]: error: PAM: Permission denied for ec2-user from xxxxxxxxxxxx

    # /etc/pam.d/sshd
    #%PAM-1.0
    auth required pam_sepermit.so
    #auth substack password-auth
    auth include postlogin
    # Used with polkit to reauthorize users in remote sessions
    -auth optional pam_reauthorize.so prepare
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open env_params
    session required pam_namespace.so
    session optional pam_keyinit.so force revoke
    session include password-auth
    session include postlogin
    # Used with polkit to reauthorize users in remote sessions
    -session optional pam_reauthorize.so prepare
    auth required pam_google_authenticator.so nullok debug

    # /etc/ssh/sshd_config
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    SyslogFacility AUTHPRIV
    AuthorizedKeysFile .ssh/authorized_keys
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem sftp /usr/libexec/openssh/sftp-server
    AuthenticationMethods publickey,keyboard-interactive

I am not a PAM expert, but your PAM configuration for Google Authenticator does not look right.

Here is my file with nullok added.

    cat /etc/pam.d/sshd

    #%PAM-1.0
    auth required pam_sepermit.so
    auth requisite pam_google_authenticator.so forward_pass nullok
    auth required pam_sss.so use_first_pass
    #auth substack password-auth
    auth include postlogin
    # Used with polkit to reauthorize users in remote sessions
    -auth optional pam_reauthorize.so prepare
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open env_params
    session required pam_namespace.so
    session optional pam_keyinit.so force revoke
    session include password-auth
    session include postlogin
    # Used with polkit to reauthorize users in remote sessions
    -session optional pam_reauthorize.so prepare

Second, your ssh configuration is asking for both an ssh key and a password; you want a space there, not a comma:

    AuthenticationMethods "publickey" "password"

If you use Kerberos + PuTTY-CAC, you can do SSO MFA with Google Authenticator MFA as a fallback:

    AuthenticationMethods "publickey,gssapi-with-mic" "password"

If I understand your question correctly, you should remove nullok and replace the comma in the AuthenticationMethods configuration option with a space. This will allow public key authentication without a password, or a password with Google Authenticator, but not a password without Google Authenticator.
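Added example, not from either poster: a small Python audit of the two points this thread turns on, the nullok chicken-and-egg in the PAM auth stack and the comma-versus-space semantics of AuthenticationMethods. The sample PAM and sshd_config text is constructed from the asker's post, and the list of modules treated as able to return a success result is a simplifying assumption.

```python
import shlex

# Constructed sample input (not from a live host), modelled on the asker's
# /etc/pam.d/sshd auth lines and sshd_config; other rule types do not matter here.
PAM_ASKER = """auth required pam_sepermit.so
#auth substack password-auth
auth include postlogin
-auth optional pam_reauthorize.so prepare
auth required pam_google_authenticator.so nullok debug
"""
SSHD_ASKER = "PasswordAuthentication no\nAuthenticationMethods publickey,keyboard-interactive\n"
# Assumption (heuristic): only these rules can return PAM_SUCCESS for a typed
# password or OTP; pam_sepermit, pam_reauthorize and the postlogin stack cannot.
CREDENTIAL_MODULES = {"pam_unix.so", "pam_sss.so", "pam_krb5.so", "pam_ldap.so"}
CREDENTIAL_STACKS = {"password-auth", "system-auth"}

def auth_rules(pam_text):
    """Active auth rules as (control, module_or_stack, options), in stack order."""
    rules = []
    for raw in pam_text.splitlines():
        parts = raw.strip().lstrip("-").split()  # a leading '-' only silences log noise
        if len(parts) >= 3 and parts[0] == "auth":
            rules.append((parts[1], parts[2], parts[3:]))
    return rules

def audit_pam(pam_text):
    """With nullok, a user lacking ~/.google_authenticator makes the module return
    PAM_IGNORE; unless another rule can succeed, sshd logs 'PAM: Permission denied'."""
    rules = auth_rules(pam_text)
    ga = [r for r in rules if r[1] == "pam_google_authenticator.so"]
    if not ga:
        return ["pam_google_authenticator.so is not in the auth stack"]
    has_cred = any(r[1] in CREDENTIAL_MODULES or
                   (r[0] in ("include", "substack") and r[1] in CREDENTIAL_STACKS)
                   for r in rules)
    if "nullok" in ga[0][2] and not has_cred:
        return ["nullok set but no other auth rule can succeed: "
                "users without .google_authenticator are denied"]
    return []

def audit_sshd(sshd_text):
    """Space-separated AuthenticationMethods groups are alternatives; a comma inside
    a group means every listed method is required for that alternative."""
    opts = {k.lower(): v.strip() for k, v in
            (l.split(None, 1) for l in sshd_text.splitlines() if len(l.split()) > 1)
            if not k.startswith("#")}
    alts = [g.split(",") for g in shlex.split(opts.get("authenticationmethods", "any"))]
    if all("keyboard-interactive" in g for g in alts):
        return ["every AuthenticationMethods alternative requires keyboard-interactive"]
    return []
```

Running `audit_pam` on the asker's stack reports the nullok finding, while the answer's stack (pam_google_authenticator followed by pam_sss.so) and the asker's stack with the password-auth substack uncommented both come back clean.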