search for: authenticationmethod

Displaying 20 results from an estimated 73 matches for "authenticationmethod".

Did you mean: authenticationmethods
2017 Jan 09
1
[Bug 2663] New: [man] sshd_config(5) AuthenticationMethods segment clarification, proposal and questions
https://bugzilla.mindrot.org/show_bug.cgi?id=2663 Bug ID: 2663 Summary: [man] sshd_config(5) AuthenticationMethods segment clarification, proposal and questions Product: Portable OpenSSH Version: 7.2p2 Hardware: Other OS: Linux Status: NEW Keywords: low-hanging-fruit Severity: enhancement Priority: P5...
2014 Jun 19
1
AuthenticationMethods in sshd_config accepting empty method list
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi everyone, I just came across a contradiction between the man page of AuthenticationMethods and the accepted methods list. According to the sshd_config manual page: """ AuthenticationMethods Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authent...
2015 May 13
11
[Bug 2398] New: AuthenticationMethods doesn't have default value (inconsistency) and it accept empty value
https://bugzilla.mindrot.org/show_bug.cgi?id=2398 Bug ID: 2398 Summary: AuthenticationMethods doesn't have default value (inconsistency) and it accept empty value Product: Portable OpenSSH Version: 6.8p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Co...
2014 Sep 04
3
[Bug 2270] New: AuthenticationMethods - partial success is considered as failure
https://bugzilla.mindrot.org/show_bug.cgi?id=2270 Bug ID: 2270 Summary: AuthenticationMethods - partial success is considered as failure Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: u...
2015 Nov 19
4
[Bug 2502] New: using AuthenticationMethods to require s/key and pam doesn't work
https://bugzilla.mindrot.org/show_bug.cgi?id=2502 Bug ID: 2502 Summary: using AuthenticationMethods to require s/key and pam doesn't work Product: Portable OpenSSH Version: 7.1p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee...
2016 Jul 22
3
Multifactor authentication troubles
I'm writing a PAM module to do authentication through Signal (as in Open Whisper Systems) [1]. I would like to be able to offer (Public key AND Signal) or (Password AND Signal) for authentication. This suggests setting AuthenticationMethods to publickey,keyboard-interactive:pam password,keyboard-interactive:pam However, when PAM is enabled "password" means "show password prompt, then do PAM", which is a problem because my PAM does Signal auth, not password auth, and the above results in all login attempts failin...
2015 Aug 25
17
[Bug 2453] New: Document authentication method "none" for AuthenticationMethods
https://bugzilla.mindrot.org/show_bug.cgi?id=2453 Bug ID: 2453 Summary: Document authentication method "none" for AuthenticationMethods Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs at mindrot.org Reporter:...
2019 Jun 25
4
Requiring certificate signature and an authorized key to authenticate
...the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)? The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with `AuthenticationMethods: publickey,publickey` option set, so that sshd requires that a user produces both the normal key and a signed key. This works, but means a user can't then have multiple keys (e.g. one per device), and feels somewhat brittle in that adding a key to that file breaks the requirement that the user...
2012 Nov 22
1
AuthenticationMethods option.
Hi. I can see that SSH partial success functionality was implemented very recently in the OpenSSH server. That's great news. I just tried it and I don't seem to be able to make it work with both public key authentication and password authentication through PAM. I wonder if this is a bug or something that won't be implemented for now or if this is still WIP and I should be more
2020 Jun 03
7
Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source
I don't see a way to do this currently (unless I am missing something) but I would like to be able to specify, that in order for a user to login, they need to use at least 1 public key from 2 separate key sources.? Specifically this would be when using "AuthenticationMethods publickey,publickey".? Right now requiring 2 public keys for authentication will allow 2 public keys from any authorized key source specified without distinction.? I would like a way to say, require 1 key from source A and 1 key from source B. Like if there was a way to specify something...
2014 Dec 18
3
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
...yes >> + KbdInteractiveAuthentication yes >> ... >> >> and restart the daemon > > You've missed the crucial part to require multiple authentication > methods succeed before the user is considered authenticated: > > AuthenticationMethods publickey,keyboard-interactive > Ahh... I wasn't even aware of that option. Robert Pendell shinji at elite-systems.org A perfect world is one of chaos.
2012 Nov 01
5
[Bug 983] Required authentication
...jm at mindrot.org --- Comment #58 from Damien Miller <djm at mindrot.org> --- Created attachment 2192 --> https://bugzilla.mindrot.org/attachment.cgi?id=2192&action=edit new multiple required authentication methods patch Here's a patch I'm working on. It adds an AuthenticationMethods option that lists the possible paths to successful authentication. E.g. AuthenticationMethods publickey,password gssapi-with-mic,password publickey,keyboard-interactive When attempting to authenticate, only methods that are at the start of one of the paths listed will be offered. Each successful...
2013 May 13
3
[PATCH] Specify PAM Service name in sshd_config
Hello All, The attached patch allows openssh to specify which pam service name to authenticate users against by specifying the PAMServiceName attribute in the sshd_config file. Because the parameter can be included in the Match directive sections, it allows different authentication based on the Match directive. In our case, we use it to allow different levels of authentication based on the
2014 Dec 24
2
[PATCH] U2F support in OpenSSH
...f key format. The new u2f authentication mechanism can operate in two modes, specified by the client with the U2FMode option: registration (necessary once per U2F security key) or authentication (the default). Since U2F is a two-factor authentication mechanism, you should never use it as the sole AuthenticationMethod. Therefore, whenever you enable U2FAuthentication, please also set AuthenticationMethods on the server. As an example, add the following to your sshd_config: U2FAuthentication yes AuthenticationMethods publickey,u2f (This assumes that you always enter your passphrase for the pubkey, otherwis...
2020 Jul 26
2
Automatic FIDO2 key negotiation (request for comments)
On Tue, 2020-07-21 at 14:47 +1000, Damien Miller wrote: > On Mon, 20 Jul 2020, Jordan J wrote: [...] > > Firstly, would the following or some combination thereof be > > possible or is there an obvious impediment. Secondly, if it proved > > possible are the maintainers open to a patch providing it? > > > > 1. Update the SSH ecdsa-sk public key type to contain the
2015 May 12
22
[Bug 2397] New: Match block doesn't match negated addresses
...report about sshd_config documentation and behaviour in corner cases. One of the problems found during the analysis was that when using Match blocks, we are unable to match negated addresses. In this example, the block is *never* matched: [root at r6 ~]# tail -n 3 /etc/ssh/sshd_config AuthenticationMethods password Match Address !1.2.3.4 AuthenticationMethods publickey,password [root at r6 build]# sshd -TC user=none,host=myhost,addr=1.2.3.4 | grep authenticationmethods authenticationmethods password [root at r6 build]# sshd -TC user=none,host=myhost,addr=1.2.3.5 | grep authenticationmethods aut...
2016 Feb 18
2
Let PAM know about accepted pubkey?
Hi, first of: my familiarity with OpenSSH/Pam code-base is very limited.. Please excuse me if some of this does not make any sense or seems stupid! I'm investigating if it is possible for a PAM module to find out which public key was accepted (when 'AuthenticationMethods publickey,keyboard-interactive' is used). From my digging in the source, it seems it is currently not. Would it be possible to provide this information? Maybe using do_pam_putenv()? Would there be any security implications of doing this? The reason I'm asking is that I'm looking i...
2020 Oct 23
3
"Semi-Trusted" SSH-Keys that also require PAM login
...idea was to use SSH keys but to also require the server's PAM login for these "semi-trusted" keys. But of course, >> I want to trust the keys on my own laptop and desktop without an additional PAM password. Therefore, I cannot simply use >> something like >> >> AuthenticationMethods publickey,password > > Since the main difference here is how much you trust the originating host, > you might want to consider setting up host-based authentication for those > hosts and using a config like: > > AuthenticationMethods publickey,password publickey,hostbased >...
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
...yes PubkeyAuthentication yes + PubkeyAuthentication no PasswordAuthentication no ... EnableSSHKeysign yes (note: this had already been 'in there' --- just further down in the config) ... server sshd_config ... - AuthenticationMethods hostbased,publickey + AuthenticationMethods hostbased HostbasedAuthentication yes - HostbasedUsesNameFromPacketOnly yes + #HostbasedUsesNameFromPacketOnly yes - PubkeyAuthentication yes + PubkeyAuthentication no Passwo...
2020 Oct 21
6
"Semi-Trusted" SSH-Keys that also require PAM login
...do not really trust them. So, my idea was to use SSH keys but to also require the server's PAM login for these "semi-trusted" keys. But of course, I want to trust the keys on my own laptop and desktop without an additional PAM password. Therefore, I cannot simply use something like AuthenticationMethods publickey,password I want to be able to specify this per key. Right now, I do a work-around by specifying command="/usr/bin/sudo /bin/login myusername" for the "semi-trusted" keys in the login users' authorized_keys, but this has issues when using scp...