In a well controlled environment you typically do not want people logging into servers with privileged access (absent of additional external processes, such as a keystroke logged session manager). If you have 5 SAs all logging in as root then how can you audit activity and determine if it was Tom, Dick or Harry that rebooted the server? Similarly you don’t want DBAs directly logging in as oracle; how do you know who dropped the production table?
So I decided to play a little bit with google authenticator on my systems that are visible to the internet. ie my linode, Panix v-colo and ‘bastion’ host at home. The way sshd works, if you authenticate with public keys then PAM “auth” doesn’t seem to get called. So this is pretty much for “ChallengeResponse” (instead of “password”) authentication. Which makes it great for my need; if I’m coming from one of my own machines with my SSH key then I’m not impacted.