bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-19 21:42 UTC
[Bug 2502] New: using AuthenticationMethods to require s/key and pam doesn't work
https://bugzilla.mindrot.org/show_bug.cgi?id=2502
Bug ID: 2502
Summary: using AuthenticationMethods to require s/key and pam doesn't work
Product: Portable OpenSSH
Version: 7.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: kmk at sanitarium.net
If I put in sshd_config:
UsePAM yes
AuthenticationMethods keyboard-interactive:skey,keyboard-interactive:pam
ChallengeResponseAuthentication yes
(PasswordAuthentication yes or no doesn't matter)
I would expect to be prompted for an s/key challenge then whatever is
supported by pam. The intention is to make pam require google
authenticator but I have tried this with Gentoo's stock password setup
too.
When I connect I get partial authentication success from s/key but then
the server hangs up on me. When I put sshd in debug mode I get this:
...
debug1: authentication methods list 0: keyboard-interactive:skey,keyboard-interactive:pam
debug1: authentication methods list 0: keyboard-interactive:skey,keyboard-interactive:pam [preauth]
debug1: PAM: initializing for "kmk"
debug1: PAM: setting PAM_RHOST to "172.22.100.17"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user kmk service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=kmk devs= [preauth]
debug1: kbdint_alloc: devices 'pam,skey' [preauth]
debug1: auth2_challenge_start: trying authentication method 'skey' [preauth]
Postponed keyboard-interactive for kmk from 172.22.100.17 port 56339 ssh2 [preauth]
auth2_update_methods_lists: method not in AuthenticationMethods
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 1596
I see in the source above that error message:
/* This should not happen, but would be bad if it did */
So maybe this is an unhandled use case?
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-19 23:13 UTC
[Bug 2502] using AuthenticationMethods to require s/key and pam doesn't work
https://bugzilla.mindrot.org/show_bug.cgi?id=2502
--- Comment #1 from Kevin Korb <kmk at sanitarium.net> ---
I worked with feandil_ in IRC on this issue and he came up with this
patch which appears to solve my problem:
--- a/monitor.c
+++ b/monitor.c
@@ -1044,7 +1044,8 @@ mm_answer_skeyrespond(int sock, Buffer *m)
debug3("%s: sending authenticated: %d", __func__, authok);
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
- auth_method = "skey";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "skey";
return (authok != 0);
}
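Review bot: in mm_answer_skeyrespond the two new assignments sit before `return (authok != 0);` and so run on a failed response as well as a successful one; please confirm that auth_submethod is reset before the next monitor request is handled, so a stale "skey" cannot be paired with a later method when the result is checked against AuthenticationMethods. A short comment here saying that the pair must match the method:submethod form used in the configuration (keyboard-interactive:skey) would help, since the old bare "skey" value is what led to "method not in AuthenticationMethods" in the debug output above. It is also worth checking whether any other handler in monitor.c reports a keyboard-interactive device name as auth_method in the same way.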
Also, we discovered that the problem doesn't happen if
UsePrivilegeSeparation is off.
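The mismatch behind "method not in AuthenticationMethods", as an added example that is not OpenSSH's code and not part of the bug thread: a simplified model of checking a completed method against the head of an AuthenticationMethods list. The function names and return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): does `list` begin with `method`, or with
 * `method:sub` when the entry names a submethod? Sets *rest past the entry. */
static int starts_with(const char *list, const char *method, const char *sub,
    const char **rest)
{
    size_t ml = strlen(method), sl = sub ? strlen(sub) : 0;
    const char *p;

    if (strncmp(list, method, ml) != 0)
        return 0;
    p = list + ml;
    if (*p == ':') {                 /* entry requires a specific submethod */
        if (sub == NULL || strncmp(p + 1, sub, sl) != 0)
            return 0;
        p += 1 + sl;
    }
    if (*p != '\0' && *p != ',')     /* only a prefix of the entry matched */
        return 0;
    *rest = (*p == ',') ? p + 1 : p;
    return 1;
}

/* 1: every listed method is done; 0: more remain (partial success);
 * -1: the completed method is not the next one in the list. */
int method_completed(const char **list, const char *method, const char *sub)
{
    const char *rest;
    if (!starts_with(*list, method, sub, &rest))
        return -1;
    *list = rest;
    return *rest == '\0';
}

/* Constructed scenario from the report: s/key completes first, then PAM. */
int run(const char *skey_method, const char *skey_sub)
{
    const char *list = "keyboard-interactive:skey,keyboard-interactive:pam";
    int r = method_completed(&list, skey_method, skey_sub);
    return r != 0 ? r : method_completed(&list, "keyboard-interactive", "pam");
}

int main(void)
{
    printf("reported as bare skey: %d\n", run("skey", NULL));
    printf("reported as keyboard-interactive/skey: %d\n",
        run("keyboard-interactive", "skey"));
    return 0;
}
```

In this model a result reported as bare "skey" never matches the configured entry, while the method and submethod pair lets the list advance to the PAM step.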
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-20 01:47 UTC
[Bug 2502] using AuthenticationMethods to require s/key and pam doesn't work
https://bugzilla.mindrot.org/show_bug.cgi?id=2502
Damien Miller <djm at mindrot.org> changed:
What       |Removed   |Added
----------------------------------------------------------------------------
Blocks     |          |2451
Status     |NEW       |RESOLVED
Resolution |---       |FIXED
CC         |          |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Patch applied:
https://anongit.mindrot.org/openssh.git/commit/?id=ac9473580dcd401f8281305af98635cdaae9bf96
This will be in OpenSSH 7.2 - thanks!
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-20 18:45 UTC
[Bug 2502] using AuthenticationMethods to require s/key and pam doesn't work
https://bugzilla.mindrot.org/show_bug.cgi?id=2502
--- Comment #3 from Kevin Korb <kmk at sanitarium.net> ---
Excellent. Thank you.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:41 UTC
[Bug 2502] using AuthenticationMethods to require s/key and pam doesn't work
https://bugzilla.mindrot.org/show_bug.cgi?id=2502
Damien Miller <djm at mindrot.org> changed:
What       |Removed   |Added
----------------------------------------------------------------------------
Status     |RESOLVED  |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release