Master asks for 2FA but Agent asks again

Hello again @sswirski

I’ve reflected a bit more on this, and my previous answer would lead to no second factor at all (for normal ssh logins) directly to the agent server. A better and more secure approach would be to set up google authenticator on both master and agent, and make sure to allow reuse of the token when a user initializes google auth by answering No to the following question:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

I’m not certain how the grace_period impacts the set up, it’s not something I’ve played around with before, so better leave it out for now.

Kind regards,
Martin

Hello Martin,

yeah true, the SSH wouldn’t have 2FA anymore which would be a problem. I have now started setting up a VM to play the role of Master which won’t host any sessions itself, only balance the sessions between the two Agents (the old Master and the old Agent). The VM will only have password auth and both Agents keep the 2FA PAM plugin. This way we have a consistent config on both Agents and can backup the Master-VM easily in Proxmox.

It would be better to configure the Master to also have 2FA. Just make sure to allow the OTP to be used twice when setting up google authenticator:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

Regards,
Martin

Which would be more of a security risk (if any): Letting the Master run without 2FA or allowing re-use? The main reason I want to set up a new Master is to avoid allowing re-use, since the warning message from Google Auth sounds like it could be a security risk. :wink:
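To make concrete what that prompt controls, here is an added example (not code from the thread or from the PAM module): a small RFC 6238 TOTP verifier with the per-user reuse check modelled after the DISALLOW_REUSE setting, run over the two-hop login described above. It assumes both hops consult the same reuse state (as with a shared home directory) and uses a constructed sample secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds
DIGITS = 6
# Constructed sample secret in base32 (the format ~/.google_authenticator uses); not a real key.
SECRET_B32 = "JBSWY3DPEHPK3PXP"

def totp(secret_b32: str, t: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, 6 digits, for unix time t."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class ReuseState:
    """Models the per-user state the PAM module keeps. With disallow_reuse=True a
    code is accepted at most once per 30 s step (the DISALLOW_REUSE behaviour)."""

    def __init__(self, secret_b32: str, disallow_reuse: bool):
        self.secret = secret_b32
        self.disallow_reuse = disallow_reuse
        self.last_step = -1   # last time step in which a code was accepted

    def verify(self, code: str, t: int) -> bool:
        if not hmac.compare_digest(code, totp(self.secret, t)):
            return False
        step = t // STEP
        if self.disallow_reuse and step <= self.last_step:
            return False      # same window already consumed: replay rejected
        self.last_step = step
        return True

def two_hop_login(disallow_reuse: bool, t: int = 1_700_000_000) -> tuple:
    """The user types one code; the master checks it, then the agent checks the same
    code a few seconds later against the same state (assumed shared home directory)."""
    state = ReuseState(SECRET_B32, disallow_reuse)
    code = totp(SECRET_B32, t)
    master_ok = state.verify(code, t)
    agent_ok = state.verify(code, t + 5)     # still inside the same 30 s step
    return master_ok, agent_ok

if __name__ == "__main__":
    print("reuse allowed   :", two_hop_login(False))   # (True, True)
    print("reuse disallowed:", two_hop_login(True))    # (True, False)
```

With reuse disallowed the agent hop fails until the next 30 s step produces a fresh code, which is exactly the double prompt the thread is about.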