Alexander Afonyashin
2015-Dec-11 08:13 UTC
Support for ChallengeResponseAuthentication in Match section
Hi, I'm using 2-factor authentication (pubkey+googe_authenticator) and have an issue with rsync. It's configured to use pubkey to authenticate to server so when google_authentication is bypassed by not creating .google_authenticator file for particular user (thanks to nullok option in PAM) it still sends to stderr "Authenticated with partial success." message although it succeeded. So idea is simple: disable 2-factor authentication for particular user/network. Regards, Alexander
Nico Kadel-Garcia
2015-Dec-12 04:37 UTC
Support for ChallengeResponseAuthentication in Match section
On Fri, Dec 11, 2015 at 3:13 AM, Alexander Afonyashin <a.afonyashin at madnet-team.ru> wrote:> Hi, > > I'm using 2-factor authentication (pubkey+googe_authenticator) and > have an issue with rsync. It's configured to use pubkey to > authenticate to server so when google_authentication is bypassed by > not creating .google_authenticator file for particular user (thanks to > nullok option in PAM) it still sends to stderr "Authenticated with > partial success." message although it succeeded. > > So idea is simple: disable 2-factor authentication for particular user/network. > > Regards, > AlexanderPut that access on a different port, with a different SSH daemon, is the fastest solution.
Alexander Afonyashin
2015-Dec-14 06:34 UTC
Support for ChallengeResponseAuthentication in Match section
Hi Nico, Thanks for the idea. Regards, Alexander On Sat, Dec 12, 2015 at 7:37 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:> On Fri, Dec 11, 2015 at 3:13 AM, Alexander Afonyashin > <a.afonyashin at madnet-team.ru> wrote: >> Hi, >> >> I'm using 2-factor authentication (pubkey+googe_authenticator) and >> have an issue with rsync. It's configured to use pubkey to >> authenticate to server so when google_authentication is bypassed by >> not creating .google_authenticator file for particular user (thanks to >> nullok option in PAM) it still sends to stderr "Authenticated with >> partial success." message although it succeeded. >> >> So idea is simple: disable 2-factor authentication for particular user/network. >> >> Regards, >> Alexander > > Put that access on a different port, with a different SSH daemon, is > the fastest solution.
Iain Morgan
2015-Dec-14 19:44 UTC
Support for ChallengeResponseAuthentication in Match section
On Fri, Dec 11, 2015 at 11:13:59 +0300, Alexander Afonyashin wrote:> Hi, > > I'm using 2-factor authentication (pubkey+googe_authenticator) and > have an issue with rsync. It's configured to use pubkey to > authenticate to server so when google_authentication is bypassed by > not creating .google_authenticator file for particular user (thanks to > nullok option in PAM) it still sends to stderr "Authenticated with > partial success." message although it succeeded. > > So idea is simple: disable 2-factor authentication for particular user/network. >Try KbdInteractiveAuthentication (which is supported in Match blocks) instead of ChallengeResponseAuthentication. -- Iain Morgan
Alexander Afonyashin
2015-Dec-15 13:41 UTC
Support for ChallengeResponseAuthentication in Match section
Hi Iain, Unfortunately it leads to "no authentication methods enabled" when is used. ChallengeResponseAuthentication yes AuthenticationMethods publickey,keyboard-interactive Match User backup KbdInteractiveAuthentication no Ssh-ing to this config under user root: debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: key at work debug1: Server accepts key: pkalg ssh-rsa blen 277 Authenticated with partial success. debug1: Authentications that can continue: keyboard-interactive debug1: Next authentication method: keyboard-interactive Verification code: Ssh-ing to this config under user backup: debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received Received disconnect from X.X.X.X: 2: no authentication methods enabled Regards, Alexander On Mon, Dec 14, 2015 at 10:44 PM, Iain Morgan <imorgan at nas.nasa.gov> wrote:> On Fri, Dec 11, 2015 at 11:13:59 +0300, Alexander Afonyashin wrote: >> Hi, >> >> I'm using 2-factor authentication (pubkey+googe_authenticator) and >> have an issue with rsync. It's configured to use pubkey to >> authenticate to server so when google_authentication is bypassed by >> not creating .google_authenticator file for particular user (thanks to >> nullok option in PAM) it still sends to stderr "Authenticated with >> partial success." message although it succeeded. >> >> So idea is simple: disable 2-factor authentication for particular user/network. >> > > Try KbdInteractiveAuthentication (which is supported in Match blocks) > instead of ChallengeResponseAuthentication. > > -- > Iain Morgan
Possibly Parallel Threads
- Match vs. ChallengeResponseAuthentication?
- ChallengeResponseAuthentication defaults to no?
- chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
- Match and ChallengeResponseAuthentication
- chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/