openssh unix dev - Jan 2021 - pam_duo 2FA && ssh-key access

On 26/01/2021 20:17, Mauricio Tavares wrote:
>        I've always thought the comma meant "if this does not work,
try this next"
Nope. From sshd_config(5):

 ???? AuthenticationMethods
 ???????????? Specifies the authentication methods that must be 
successfully completed for a user to be
 ???????????? granted access.? This option must be followed by one or 
more comma-separated lists of authen?
 ???????????? tication method names, or by the single string any to 
indicate the default behaviour of
 ???????????? accepting any single authentication method.? If the 
default is overridden, then *successful**
**???????????? authentication requires completion of every method in at 
least one of these lists*.

 ???????????? For example, "publickey,password 
publickey,keyboard-interactive" would require the user to
 ???????????? complete public key authentication, followed by either 
password or keyboard interactive
 ???????????? authentication.? Only methods that are next in one or more 
lists are offered at each stage,
 ???????????? so for this example it would not be possible to attempt 
password or keyboard-interactive
 ???????????? authentication before public key.

 ???????????? For keyboard interactive authentication it is also 
possible to restrict authentication to a
 ???????????? specific device by appending a colon followed by the 
device identifier bsdauth, pam, or skey,
 ???????????? depending on the server configuration.? For example, 
"keyboard-interactive:bsdauth" would
 ???????????? restrict keyboard interactive authentication to the 
bsdauth device.

Hi Brian,

Thanks... setting "AuthenticationMethods
publickey,keyboard-interactive:pam" works, in that even with a valid public
key I get prompted for a password and 2FA.
I understand from the reading of the manpage that there is no
"publickey:pam" string that would allow for just a 2FA prompt if a
valid
public key was presented?
I'm a little unclear as to why "password' and
"keyboard-interactive" are
seen as two distinct authentication methods...

Thanks again!

On Tue, Jan 26, 2021 at 3:37 PM Brian Candler <b.candler at pobox.com>
wrote:
> On 26/01/2021 20:17, Mauricio Tavares wrote:
> >        I've always thought the comma meant "if this does not
work, try
> this next"
>
> Nope. From sshd_config(5):
>
>       AuthenticationMethods
>               Specifies the authentication methods that must be
> successfully completed for a user to be
>               granted access.  This option must be followed by one or
> more comma-separated lists of authen?
>               tication method names, or by the single string any to
> indicate the default behaviour of
>               accepting any single authentication method.  If the
> default is overridden, then *successful**
> **             authentication requires completion of every method in at
> least one of these lists*.
>
>               For example, "publickey,password
> publickey,keyboard-interactive" would require the user to
>               complete public key authentication, followed by either
> password or keyboard interactive
>               authentication.  Only methods that are next in one or more
> lists are offered at each stage,
>               so for this example it would not be possible to attempt
> password or keyboard-interactive
>               authentication before public key.
>
>               For keyboard interactive authentication it is also
> possible to restrict authentication to a
>               specific device by appending a colon followed by the
> device identifier bsdauth, pam, or skey,
>               depending on the server configuration.  For example,
> "keyboard-interactive:bsdauth" would
>               restrict keyboard interactive authentication to the
> bsdauth device.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>