search for: authenticationmethod

https://bugzilla.mindrot.org/show_bug.cgi?id=2663 Bug ID: 2663 Summary: [man] sshd_config(5) AuthenticationMethods segment clarification, proposal and questions Product: Portable OpenSSH Version: 7.2p2 Hardware: Other OS: Linux Status: NEW Keywords: low-hanging-fruit Severity: enhancement Priority: P5...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi everyone, I just came across a contradiction between the man page of AuthenticationMethods and the accepted methods list. According to the sshd_config manual page: """ AuthenticationMethods Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authent...

https://bugzilla.mindrot.org/show_bug.cgi?id=3657 Bug ID: 3657 Summary: AuthenticationMethods any apparently not possible after previous non-any assignment Product: Portable OpenSSH Version: 8.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ss...

https://bugzilla.mindrot.org/show_bug.cgi?id=2398 Bug ID: 2398 Summary: AuthenticationMethods doesn't have default value (inconsistency) and it accept empty value Product: Portable OpenSSH Version: 6.8p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Co...

https://bugzilla.mindrot.org/show_bug.cgi?id=2270 Bug ID: 2270 Summary: AuthenticationMethods - partial success is considered as failure Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: u...

https://bugzilla.mindrot.org/show_bug.cgi?id=2502 Bug ID: 2502 Summary: using AuthenticationMethods to require s/key and pam doesn't work Product: Portable OpenSSH Version: 7.1p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: un...

I'm writing a PAM module to do authentication through Signal (as in Open Whisper Systems) [1]. I would like to be able to offer (Public key AND Signal) or (Password AND Signal) for authentication. This suggests setting AuthenticationMethods to publickey,keyboard-interactive:pam password,keyboard-interactive:pam However, when PAM is enabled "password" means "show password prompt, then do PAM", which is a problem because my PAM does Signal auth, not password auth, and the above results in all login attempts failin...

https://bugzilla.mindrot.org/show_bug.cgi?id=2453 Bug ID: 2453 Summary: Document authentication method "none" for AuthenticationMethods Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Reporter:...

...the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)? The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with `AuthenticationMethods: publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user...

Hi. I can see that SSH partial success functionality was implemented very recently in the OpenSSH server. That's great news. I just tried it and I don't seem to be able to make it work with both public key authentication and password authentication through PAM. I wonder if this is a bug or something that won't be implemented for now or if this is still WIP and I should be more

I don't see a way to do this currently (unless I am missing something) but I would like to be able to specify, that in order for a user to login, they need to use at least 1 public key from 2 separate key sources.? Specifically this would be when using "AuthenticationMethods publickey,publickey".? Right now requiring 2 public keys for authentication will allow 2 public keys from any authorized key source specified without distinction.? I would like a way to say, require 1 key from source A and 1 key from source B. Like if there was a way to specify something...

...yes >> + KbdInteractiveAuthentication yes >> ... >> >> and restart the daemon > > You've missed the crucial part to require multiple authentication > methods succeed before the user is considered authenticated: > > AuthenticationMethods publickey,keyboard-interactive > Ahh... I wasn't even aware of that option. Robert Pendell shinji at elite-systems.org A perfect world is one of chaos.

...|djm at mindrot.org --- Comment #58 from Damien Miller <djm at mindrot.org> --- Created attachment 2192 --> https://bugzilla.mindrot.org/attachment.cgi?id=2192&action=edit new multiple required authentication methods patch Here's a patch I'm working on. It adds an AuthenticationMethods option that lists the possible paths to successful authentication. E.g. AuthenticationMethods publickey,password gssapi-with-mic,password publickey,keyboard-interactive When attempting to authenticate, only methods that are at the start of one of the paths listed will be offered. Each successful...

Hello All, The attached patch allows openssh to specify which pam service name to authenticate users against by specifying the PAMServiceName attribute in the sshd_config file. Because the parameter can be included in the Match directive sections, it allows different authentication based on the Match directive. In our case, we use it to allow different levels of authentication based on the

...f key format. The new u2f authentication mechanism can operate in two modes, specified by the client with the U2FMode option: registration (necessary once per U2F security key) or authentication (the default). Since U2F is a two-factor authentication mechanism, you should never use it as the sole AuthenticationMethod. Therefore, whenever you enable U2FAuthentication, please also set AuthenticationMethods on the server. As an example, add the following to your sshd_config: U2FAuthentication yes AuthenticationMethods publickey,u2f (This assumes that you always enter your passphrase for the pubkey, otherwis...

On Tue, 2020-07-21 at 14:47 +1000, Damien Miller wrote: > On Mon, 20 Jul 2020, Jordan J wrote: [...] > > Firstly, would the following or some combination thereof be > > possible or is there an obvious impediment. Secondly, if it proved > > possible are the maintainers open to a patch providing it? > > > > 1. Update the SSH ecdsa-sk public key type to contain the

...we got some report about sshd_config documentation and behaviour in corner cases. One of the problems found during the analysis was that when using Match blocks, we are unable to match negated addresses. In this example, the block is *never* matched: [root at r6 ~]# tail -n 3 /etc/ssh/sshd_config AuthenticationMethods password Match Address !1.2.3.4 AuthenticationMethods publickey,password [root at r6 build]# sshd -TC user=none,host=myhost,addr=1.2.3.4 | grep authenticationmethods authenticationmethods password [root at r6 build]# sshd -TC user=none,host=myhost,addr=1.2.3.5 | grep authenticationmethods aut...

Hi, first of: my familiarity with OpenSSH/Pam code-base is very limited.. Please excuse me if some of this does not make any sense or seems stupid! I'm investigating if it is possible for a PAM module to find out which public key was accepted (when 'AuthenticationMethods publickey,keyboard-interactive' is used). From my digging in the source, it seems it is currently not. Would it be possible to provide this information? Maybe using do_pam_putenv()? Would there be any security implications of doing this? The reason I'm asking is that I'm looking i...

...idea was to use SSH keys but to also require the server's PAM login for these "semi-trusted" keys. But of course, >> I want to trust the keys on my own laptop and desktop without an additional PAM password. Therefore, I cannot simply use >> something like >> >> AuthenticationMethods publickey,password > > Since the main difference here is how much you trust the originating host, > you might want to consider setting up host-based authentication for those > hosts and using a config like: > > AuthenticationMethods publickey,password publickey,hostbased >...

...yes PubkeyAuthentication yes + PubkeyAuthentication no PasswordAuthentication no ... EnableSSHKeysign yes (note: this had already been 'in there' --- just further down in the config) ... server sshd_config ... - AuthenticationMethods hostbased,publickey + AuthenticationMethods hostbased HostbasedAuthentication yes - HostbasedUsesNameFromPacketOnly yes + #HostbasedUsesNameFromPacketOnly yes - PubkeyAuthentication yes + PubkeyAuthentication no Passwo...