MFA with libpam-google-authenticator

Started by kalpana, Nov 03, 2023, 05:51 AM

kalpana

I'm trying to get MFA working for SSH logins to a new Ubuntu 22.04 server. I've installed the module and it is "working", but not exactly as I would like. I'm trying to match the functionality I have on a different distro and it's not quite there. Specifically, on Ubuntu, if I attempt to log in with an invalid username or invalid password, it simply prompts for the password again. On the other distro, it will always prompt for the verification code even if the user is non-existent or the user is real but the password is wrong. I prefer this because it does not tell someone (or a bot) what they have wrong. How can I have the Ubuntu system perform the same way? This is only for SSH login.

I've tried comparing the /etc/pam.d/sshd files, but they are very different. I've tried adding additional auth required entries to match, as well as the forward_pass option, but nothing seems to get what I want. Does anyone know the magic formula to get this functionality?

The other system login appears as:

$ ssh not_a_real_user@my-server
(not_a_real_user@my-server) Password:
(not_a_real_user@my-server) Verification code:
(not_a_real_user@my-server) Password:
(not_a_real_user@my-server) Verification code:
(not_a_real_user@my-server) Password:


The Ubuntu system is:
$ ssh -p 6200 not_a_real_user@ubuntu-server
(not_a_real_user@ubuntu-server) Password:
(not_a_real_user@ubuntu-server) Password:
(not_a_real_user@ubuntu-server) Password:


/etc/pam.d/sshd

# Standard Un*x authentication.
@include common-auth
auth required pam_google_authenticator.so nullok forward_pass secret=/home/${USER}/.ssh/.google_authenticator



/etc/ssh/sshd_config

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes
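
Why the verification prompt is never reached on Ubuntu after a failed password, as an added example that is not part of the original post: a simplified Python model of how Linux-PAM walks the auth stack. The common-auth contents are an assumption (the stock Ubuntu layout, which the post does not show), VARIANT is a hypothetical stack for comparison, and the module results are constructed.

```python
# Simplified model of Linux-PAM auth control flow (added illustration).
CONTROLS = {  # keyword controls expressed as success/default actions
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
# Assumption: stock Ubuntu common-auth, not shown in the post; check your own file.
ASSUMED_COMMON_AUTH = """\
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
"""
SSHD_TAIL = ("auth required pam_google_authenticator.so nullok forward_pass "
             "secret=/home/${USER}/.ssh/.google_authenticator\n")
# Hypothetical variant: pam_unix as plain "required", no requisite pam_deny.
VARIANT = "auth required pam_unix.so\n" + SSHD_TAIL
# Constructed module results for a wrong password followed by a valid code.
WRONG_PASSWORD = {"pam_unix.so": False, "pam_deny.so": False,
                  "pam_permit.so": True, "pam_google_authenticator.so": True}

def parse(text):
    """Return [(actions, module)] for each auth line; @include lines are skipped."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("auth"):
            continue
        rest = line.split(None, 1)[1]
        if rest.startswith("["):  # bracket form: [key=action ...]
            ctrl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctrl.split())
        else:
            ctrl, rest = rest.split(None, 1)
            actions = CONTROLS[ctrl]
        stack.append((actions, rest.split()[0]))
    return stack

def run(stack, results):
    """Return (granted, modules_invoked); only success/default are modelled."""
    invoked, failed, i = [], False, 0
    while i < len(stack):
        actions, module = stack[i]
        invoked.append(module)
        default = actions.get("default", "bad")
        action = actions.get("success", default) if results[module] else default
        failed = failed or action in ("bad", "die")
        if action in ("die", "done"):
            break  # stack stops here; later modules never prompt
        i += 1 + (int(action) if action.isdigit() else 0)  # N = skip next N
    return (not failed), invoked
```
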