
Feature: Improve documentation for SSH login #705

Open
2 tasks done
lluttrell opened this issue Dec 23, 2024 · 2 comments

Comments

@lluttrell

lluttrell commented Dec 23, 2024

Is there an existing request for this feature?

  • I have searched the existing issues and found none that matched mine

Describe the feature

I have attempted to follow the documentation for SSH login and am finding it very unclear.

I follow it to the screenshot of a terminal emulator with two options:

1 - local password authentication
2 - Device authentication

and see "2" was selected.

It doesn't show what to do after this step. When I do this step, it makes me sign in with Entra ID, but then it asks for a local password to be set. I can then log in using only that password, from any machine on the network.

I am trying to authenticate users on an Ubuntu machine using the same credentials as their Microsoft email accounts. We want MFA each time they log in. Is this possible with authd?

Describe the ideal solution

Documentation explaining what "Local Password Authentication" and "Device Authentication" mean.

Expanded tutorial showing what an SSH login should look like.

Alternatives and current workarounds

I have not found a workaround using authd. It seems like it just allows password-based login from any machine after the account has been set up?

An alternative may be himmelblau. It is a similar project which allows for MFA Entra ID SSH login. There is a video showing MFA SSH login on the GitHub page: https://github.com/himmelblau-idm/himmelblau

System information and logs

Environment

  • broker version: 0.1+267a15c.f272cc1
  • authd version: 0.3.6
  • gnome shell version: N/A
  • Distribution: Ubuntu
  • Distribution version: 24.04

Log files

Nothing Relevant

Relevant information

Nothing Relevant

Double check your logs

  • I have redacted any sensitive information from the logs
@absd193

absd193 commented Dec 27, 2024

Also tested Authd on 24.04 LTS and I'm wondering how can we achieve a true login with MFA using the Entra ID credentials.
It seems it only happens the first time we log in. Once we log in the first time, we are asked to define a local password for the account. Once we set it, we are able to log in with the password as if we were using a local user and not an Entra ID user.

@doubledipped

From other posts I believe that authd prompts for a local password to be set once OIDC authentication has been successfully completed, to ensure that authentication is possible when the identity provider is unavailable (internet connectivity problems, etc.). It is likely that a local password is also required for local privilege escalation (sudo). However, there should be a way to disable local authentication as a fallback option in order to force OIDC authentication if required. As per the original post, forcing MFA (+ conditional access policies) for SSH authentication is one of the main reasons for using the Entra ID broker, and not simply as a just-in-time user account provisioning mechanism. If it is possible to limit local SSH authentication to specific named accounts (e.g. admin) through PAM modifications, it would be great to get some examples in the documentation.
