Allow AD service account SSH to Linux systems without 2FA

davidpar007 · June 13, 2018, 11:00pm

I have Windows AD server and all of the linux computers are joined to AD.

Recently, 2FA has been activated, I wish to exclude some of the domain service accounts from 2FA

[root@Linux]# less /etc/pam_radius_acl.conf
sshd:*

[root@Linux]# /etc/pam.d/sshd

auth required pam_sepermit.so
auth requisite pam_defender.so
auth requisite pam_defender.so
auth substack password-auth
auth include postlogin
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
-session optional pam_reauthorize.so prepare

[root@Linux]# less /etc/ssh/sshd_config 
UsePAM yes
ChalllengeResponseAuthentication yes