Hi,
I'd like to allow PAM authentication only from the local network, and
from the Internet only allow public key authentication.
A similar-enough problem has been discussed on this list previously:
http://www.gossamer-threads.com/lists/openssh/dev/47179?search_string=match%20challengeresponseauthentication;#47179
More specifically, I would like to allow PAM authentication from the
Internet only for users which I know use OPIE (that's because
pam_opieaccess isn't flexible enough for this).
That would be something like this:
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
ChallengeResponseAuthentication yes
Match User miguel
ChallengeResponseAuthentication yes
However, ChallengeResponseAuthentication can't be used within Match, as
was previously pointed out.
Now, about the solutions in the other thread:
- Damien Miller suggested patching sshd. That would be ok for me, but
only if that's what makes the most sens: that is, my policy is too
specific and useless or unadvisable to others.
- Damien Miller also suggested turning off KbdInteractiveAuthentication
inside match, and,
- Darren Tucker suggested turning it off outside and on inside,
But, I tried these options:
a)
ChallengeResponseAuthentication yes
#KbdInteractiveAuthentication yes
Match Address !10.0.0.0/8
KbdInteractiveAuthentication no
- keyboard interactive auth from the Internet isn't prevented.
b)
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
KbdInteractiveAuthentication yes
Match User miguel
KbdInteractiveAuthentication yes
- from the Internet, the desired effect is obtained, when trying ssh -o
PubkeyAuthentication=no user at example.com, I get:
Permission denied (publickey)
- from the local net, when trying ssh -o PubkeyAuthentication=no
user at example.com, I get:
Permission denied (publickey,keyboard-interactive)
That's funny, keyboard-interactive is allowed, but I'm not asked for a
password, obviously that must be because ChallengeResponseAuthentication
is no, globally.
c)
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
KbdInteractiveAuthentication yes
Match User miguel
KbdInteractiveAuthentication yes
- keyboard interactive auth from the Internet isn't prevented.
So, I guess I'm left with patching sshd??
In everything else my sshd_config is set to defaults. Also, I'm on
FreeBSD (8.2-PRERELEASE #2 with OpenSSH_5.4p1).
Thanks for any pointers (including telling me that I shouldn't have that
policy).
--
Miguel Ramos <mbox at miguel.ramos.name>
PGP A006A14C