I’m wondering if anyone knows what the issue might be in the following scenario, or if it’s an unsupported scenario. I have a Multipass instance (Ubuntu 20.04) which is configured to use libpam-google-authenticator for SSH. From a pure SSH perspective everything seems to be working as expected, and an MFA token is NOT required for the default
ubuntu user. However, multipass services seem to be unable to complete authentication on the instance.
Specifically, I cannot
mount, etc. (though I can directly
ssh to the instance ip). For clarity, if I
ssh ubuntu@[ip] this succeeds without a prompt for a token.
This would appear to be related to the instance’s SSHD
AuthenticationMethods setting, which has to be set to
publickey,keyboard-interactive for the authenticator module. If I change this to just
publickey all Multipass services work again.
I can, of course, override the setting for the
Match user ubuntu AuthenticationMethods publickey
…and this does work, but I would rather understand the issue, if I can, before blindly working around it.
Instance logs don’t seem to indicate authentication failures, just partial publickey authentication, then the connection is closed by the authenticating user. Host multipass logs only contain a generic
ssh failed to authenticate: '' message.
Any ideas? Is the above “override” the only way to get this working, or is there something else fundamentally flawed in my configuration? My search-engine skills have let me down on this one! As, perhaps, has my surface-level knowledge of Multipass and PAM and SSHD configuration. Any insight would be greatly appreciated.