Multipass services with libpam-google-authenticator


I’m wondering if anyone knows what the issue might be in the following scenario, or if it’s an unsupported scenario. I have a Multipass instance (Ubuntu 20.04) which is configured to use libpam-google-authenticator for SSH. From a pure SSH perspective everything seems to be working as expected, and an MFA token is NOT required for the default ubuntu user. However, multipass services seem to be unable to complete authentication on the instance.

Specifically, I cannot shell, mount, etc. (though I can directly ssh to the instance ip). For clarity, if I ssh ubuntu@[ip] this succeeds without a prompt for a token.

This would appear to be related to the instance’s SSHD AuthenticationMethods setting, which has to be set to publickey,keyboard-interactive for the authenticator module. If I change this to just publickey all Multipass services work again.

I can, of course, override the setting for the ubuntu user…

Match user ubuntu
  AuthenticationMethods publickey

…and this does work, but I would rather understand the issue, if I can, before blindly working around it.

Instance logs don’t seem to indicate authentication failures, just partial publickey authentication, then the connection is closed by the authenticating user. Host multipass logs only contain a generic ssh failed to authenticate: '' message.

Any ideas? Is the above “override” the only way to get this working, or is there something else fundamentally flawed in my configuration? My search-engine skills have let me down on this one! As, perhaps, has my surface-level knowledge of Multipass and PAM and SSHD configuration. Any insight would be greatly appreciated.

Hi @iamme, Multipass relies on pubkey SSH authentitcation to the ubuntu user, but using a custom key (we don’t even have access to your keys for security reasons). As long as you can ssh like so, multipass shell should work. You should be able to get more information about auth issues this way, too.

$ sudo ssh ubuntu@<IP> -i /var/snap/multipass/common/data/multipassd/ssh-keys/id_rsa

Hi @saviq, thank you for the reply. Sorry, I should have mentioned that I had already tried the following (macos)…

sudo ssh ubuntu@[ip] -i '/var/root/Library/Application Support/multipassd/ssh-keys/id_rsa' -o "IdentitiesOnly=yes"

… and it works without issue. However, multipass shell [name] does not.

If I change the AuthenticationMethods setting back to publickey, multipass shell [name] then works (no other changes made). i.e. with only a difference in this setting on the instance:

Value: publickey

  • ssh ubuntu@[ip] works
  • ssh ubuntu@[ip] explicitly using the multipass key works
  • multipass shell [name] works

Value: publickey,keyboard-interactive

  • ssh ubuntu@[ip] works
  • ssh ubuntu@[ip] explicitly using the multipass key works
  • multipass shell [name] fails (as do other multipass commands)

So I suppose I’m wondering if there’s a reason why the multipass services would fail based on this setting, when direct ssh’ing would not. It definitely has me stumped!

Thank you again for your reply.