These lines are printed upon SSH login (some information removed for brevity/privacy):
Dec 17 18:47:54 <host> sshd[517463]: Connection from <client ip> port 35240 on <server ip> port 6229 rdomain ""
Dec 17 18:47:56 <host> sshd[517463]: Accepted key <pubkey> found at /etc/ssh/authorized_keys.d/tgrcdev:2
Dec 17 18:47:56 <host> sshd[517463]: Postponed publickey for tgrcdev from <client ip> port 35240 ssh2 [preauth]
Dec 17 18:47:56 <host> sshd[517463]: Accepted key <pubkey> found at /etc/ssh/authorized_keys.d/tgrcdev:2
Dec 17 18:47:56 <host> sshd[517463]: Accepted publickey for tgrcdev from <client ip> port 35240 ssh2: <pubkey>
Dec 17 18:47:56 <host> sshd[517463]: pam_unix(sshd:session): session opened for user tgrcdev(uid=1000) by (uid=0)
Dec 17 18:47:56 <host> sshd[517463]: User child is on pid 517475
From what I can tell, it uses the /etc/static/pam.d/sshd config, which does not contain the google authenticator module.
The only thing I can find online is the related issue.
https://github.com/NixOS/nixpkgs/issues/115044
One workaround given is to add security.pam.services.sshd.unixAuth = lib.mkForce true. This enables the verification code, but also enables password authentication, which I do not want enabled. It also does not prompt for a code when a private key is provided.
My ideal setup is pubkey authentication, and a verification code if I’m signing in from outside of my house network, but I’m not sure how much of this is possible with Nix’s packages at this time.