Displaying 20 results from an estimated 10000 matches similar to: "Requiring certificate signature and an authorized key to authenticate"
2020 Jun 03
7
Auth via Multiple Publickeys, Using Multiple Sources, One Key per Source
I don't see a way to do this currently (unless I am missing something)
but I would like to be able to specify, that in order for a user to
login, they need to use at least 1 public key from 2 separate key
sources.? Specifically this would be when using "AuthenticationMethods
publickey,publickey".? Right now requiring 2 public keys for
authentication will allow 2 public keys from
2016 Jul 22
3
Multifactor authentication troubles
I'm writing a PAM module to do authentication through Signal (as in Open
Whisper Systems) [1]. I would like to be able to offer
(Public key AND Signal) or (Password AND Signal)
for authentication. This suggests setting AuthenticationMethods to
publickey,keyboard-interactive:pam password,keyboard-interactive:pam
However, when PAM is enabled "password" means "show password
2014 Dec 18
3
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
On Thu, Dec 18, 2014 at 2:01 AM, Damien Miller <...> wrote:
> On Wed, 17 Dec 2014, Dmt Ops wrote:
>
>> vi /etc/ssh/sshd_config
>> ...
>> - ChallengeResponseAuthentication no
>> + ChallengeResponseAuthentication yes
>> + KbdInteractiveAuthentication yes
>>
2014 Dec 18
4
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
I have sshd server
sshd -V
...
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
...
running on linux/64
with
cat sshd_config
...
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
2024 Nov 15
1
MFA and PubKeys
Hello all,
I'm trying to get a properly working MFA solution working with our ssh servers. I have it working wonderfully well with duo until ssh keys are added to the mix.
As I understand it, using keys results in the PAM stack not getting called and thus something like pam_duo never get's a chance to work in that scenario.
I'm aware that I can use something like "ForceCommand
2015 Dec 11
4
Support for ChallengeResponseAuthentication in Match section
Hi,
I'm using 2-factor authentication (pubkey+googe_authenticator) and
have an issue with rsync. It's configured to use pubkey to
authenticate to server so when google_authentication is bypassed by
not creating .google_authenticator file for particular user (thanks to
nullok option in PAM) it still sends to stderr "Authenticated with
partial success." message although it
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
I run OpenSSH on linux
@ client
which ssh
/usr/local/bin/ssh
ssh -v
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
@ server
which sshd
/usr/local/bin/sshd
sshd -v
unknown option -- V
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
2015 Jan 09
5
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
Hi,
On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> My ssh_config has
> Host *
> HostbasedAuthentication yes
> EnableSSHKeysign yes
> NoHostAuthenticationForLocalhost yes
>
> NoHostAuthenticationForLocalhost is not necessary.
> The one you are missing is EnableSSHKeysign.
>
> Additionally, you made no mention of your ssh_known_hosts files. Make
> sure
2016 Feb 18
2
Let PAM know about accepted pubkey?
Hi,
first of: my familiarity with OpenSSH/Pam code-base is very limited..
Please excuse me if some of this does not make any sense or seems stupid!
I'm investigating if it is possible for a PAM module to find out which
public key was accepted (when 'AuthenticationMethods
publickey,keyboard-interactive' is used). From my digging in the source,
it seems it is currently not.
Would
2004 Jul 08
2
How to use publickey from x509 certificate?
Hello,
I have the following problem: I want to use publickey authentication by
using the publickey of a x509 certificate stored on a java card. I can
already extract the publickey of the certificate and write it into a
file. The problem i have is that i don't know how to convert the
certificate's publickey into an rsa publickey format that openssh will
accept.
Does anybody have a
2014 Dec 24
2
[PATCH] U2F support in OpenSSH
Hey,
Judging from the (private) responses I?ve got, there is quite a bit of
interest in the U2F feature I proposed a while ago. Therefore, I?ve taken
some time to resolve the remaining issues, and I think the resulting patch
(attached to this email) is in quite a good state now.
I also posted the new version of the patch to
https://bugzilla.mindrot.org/show_bug.cgi?id=2319 (which I?ve opened
2014 Dec 19
2
chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
I added an EXPLICIT
AuthenticationMethods publickey,keyboard-interactive
+ UsePam yes
to sshd_config. Now, at connect attempt I get
Password:
Verification code:
Password:
Verification code:
Password:
...
I.e.,
It's asking for Password, not accepting pubkey
AND
when given the password (which is correct), and the GA VerificationCode, it
simply repeats the credentials request.
2013 May 13
3
[PATCH] Specify PAM Service name in sshd_config
Hello All,
The attached patch allows openssh to specify which pam service name to
authenticate users against by specifying the PAMServiceName attribute in
the sshd_config file. Because the parameter can be included in the Match
directive sections, it allows different authentication based on the Match
directive. In our case, we use it to allow different levels of
authentication based on the
2012 Nov 01
5
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|pgsery at swcp.com |djm at mindrot.org
--- Comment #58 from Damien Miller
2020 Oct 23
3
"Semi-Trusted" SSH-Keys that also require PAM login
Hello Damien, Brian and all,
thanks for the suggestions. I actually had not considered host-based
authentication and looked it up.
As I understand from my first quick reading, I would need to specify the
clients which are allowed to use host-based auth on the server with a
DNS name or an IP, which would not work for a client behind a CG NAT or
in a cellular network.
Or did I get this wrong?
2020 Jul 26
2
Automatic FIDO2 key negotiation (request for comments)
On Tue, 2020-07-21 at 14:47 +1000, Damien Miller wrote:
> On Mon, 20 Jul 2020, Jordan J wrote:
[...]
> > Firstly, would the following or some combination thereof be
> > possible or is there an obvious impediment. Secondly, if it proved
> > possible are the maintainers open to a patch providing it?
> >
> > 1. Update the SSH ecdsa-sk public key type to contain the
2020 Oct 21
6
"Semi-Trusted" SSH-Keys that also require PAM login
Hello all,
in order to connect to my SSH servers from untrusted devices like company computers or my smartphone, I set up 2FA with
google-authenticator hooked into PAM.
However, this is not really 2FA at least for the smartphone, since I use the same device for generating the TANs and it
is also at least inconvenient to always require a new TAN for each connection. I do not want to solely rely
2014 Dec 01
4
[Bug 2322] New: please let the server enable/disable delayed compression on a per user basis
https://bugzilla.mindrot.org/show_bug.cgi?id=2322
Bug ID: 2322
Summary: please let the server enable/disable delayed
compression on a per user basis
Product: Portable OpenSSH
Version: 3.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
2016 Jul 04
2
SSH multi factor authentication
On Sun, 3 Jul 2016, Stephen Harris wrote:
> On Sun, Jul 03, 2016 at 09:19:43PM -0500, Bruce F Bading wrote:
> > One, the Google Authenticator (OTP authentication).
>
> On its own, this is not 2FA. It's single factor ("something you
> have").
>
> A combination of Google Authenticator _and_ password is 2FA. This is
> easy to do with PAM.
Agreed
>
2016 Mar 10
10
[Bug 2550] New: ssh can't use an in-memory-only certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=2550
Bug ID: 2550
Summary: ssh can't use an in-memory-only certificate
Product: Portable OpenSSH
Version: 7.2p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at