openssh bugs - Jan 2021 - [Bug 3257] New: PasswordAuthentication is no, but still accepts password

https://bugzilla.mindrot.org/show_bug.cgi?id=3257

            Bug ID: 3257
           Summary: PasswordAuthentication is no, but still accepts
                    password
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: gqqnb2005 at gmail.com

$ sudo sshd -d -T -C user=gqqnbig | grep passwordauthentication
debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1f  31 Mar 2020
debug1: user qiqig matched group list certificateLoginOnly at line 2

sshd tells if gqqnbig logs in, passwordauthentication is no.


Then I use psftp to log in with password. It succeeds.
> psftp qiqig at 172.25.9.11
Using username "gqqnbig".
gqqnbig at 172.25.9.11's password:
Remote working directory is /home/gqqnbig


I use default /etc/ssh/sshd_config, but I add certificateLoginOnly.conf
in  sshd_config.d.

$ cat /etc/ssh/sshd_config.d/certificateLoginOnly.conf
# Example of overriding settings on a per-user basis
Match Group certificateLoginOnly
     PasswordAuthentication  no


If I move the Match block to sshd_config, I can no longer use password
to log in.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3257

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I'm unable to replicate this. Could you please attached a debug log
from sshd? (Try "/path/to/sshd -ddd")

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3257

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to gqqnb2005 from comment #0)
[...]
> I use default /etc/ssh/sshd_config, but I add
> certificateLoginOnly.conf in  sshd_config.d.
The default sshd_config supplied by the OpenSSH team does not contain
any Include directives.

Showing the relevant parts of the configs would be useful, in
particular any instances of PasswordAuthentication in the main config,
any other Include statements and whether or not the included files
contain PasswordAuthentication directives.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3257

gqqnb2005 at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from gqqnb2005 at gmail.com ---
It's my bad. I have two sshd, one is 8.4 and the other is 8.2.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3257

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.