[Bug 3303] New: Request Match block accommodation for 2FA sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3303

Bug ID: 3303
Summary: Request Match block accommodation for 2FA sshd_config
Product: Portable OpenSSH
Version: 8.6p1
Hardware: Other
OS: Windows 10
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: alwanza@yahoo.com

Explanation of how the bug works:
Users can ssh into the SSH SERVER using the following methods:
1. password and 2FA (this is as designed)
2. ssh-key with passphrase and 2FA (this is as designed)
3. password and enter and password (entering the same password twice) (this is a bug)
4. ssh-key with passphrase and enter and password (this is a bug)

Per ssh error message:
Directive 'ChallengeResponseAuthentication' is not allowed within a
Match Block

In order to permit users to authenticate with EITHER a long password
OR an ssh-key that is protected with a passphrase,
we introduced “Match” blocks in our sshd_config file.
The “Match” blocks permit SOME users to use a password AND other users
to use an ssh-key protected with a passphrase.

The allowable authentication methods in a Match block include:
password, publickey, and keyboard-interactive

The problem is that “keyboard-interactive” is NOT restricted to meaning
“2FA” and there is no way to restrict it to mean “2FA”.
“keyboard-interactive” CAN also mean “password”. So if the user just
enters an empty Verification Code, the user is presented with a
password prompt.

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
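As an added example (not code from the report, the OpenSSH project, or the mailing list), the script below audits an sshd_config for exactly the situation the report describes: Match blocks whose AuthenticationMethods chains depend on keyboard-interactive as the second factor. It assumes the documented sshd_config grammar (one keyword per line, case-insensitive keywords, `#` comments, a `Match` line opening a block that runs to the next `Match` line, and AuthenticationMethods holding whitespace-separated alternatives that are each a comma-separated chain). The sample configuration embedded in it is constructed for the example and mirrors the layout the reporter describes.

```python
"""Audit an sshd_config for Match blocks that rely on keyboard-interactive as a
second factor.  Added example for this bug report, not code from OpenSSH or from
the reporter.  Assumes the documented sshd_config grammar: one keyword per line
(keyword and value separated by whitespace or '='), case-insensitive keywords,
'#' comments, and a 'Match' line opening a block that runs until the next
'Match' line or end of file.  AuthenticationMethods holds whitespace-separated
alternatives, each a comma-separated chain that must succeed in order.
"""
import re
from dataclasses import dataclass, field

# keyword, then either "=" (optionally spaced) or whitespace, then the value
KEYWORD_RE = re.compile(r'^(\S+?)(?:\s*=\s*|\s+)(.*?)$')

# SAMPLE_CONFIG is constructed for this example; it mirrors the layout the report
# describes: some users password + 2FA, other users key + passphrase + 2FA.
SAMPLE_CONFIG = """\
UsePAM yes
ChallengeResponseAuthentication yes   # sshd rejects this keyword inside Match
PasswordAuthentication no
Match Group staff
    PasswordAuthentication yes
    AuthenticationMethods password,keyboard-interactive
Match Group admins
    AuthenticationMethods publickey,keyboard-interactive
Match User legacy
    AuthenticationMethods keyboard-interactive
"""


@dataclass
class Block:
    criteria: str                       # "" for the global section
    settings: dict = field(default_factory=dict)


def parse_sshd_config(text):
    """Split the file into the global section followed by one Block per Match
    line.  Within a section only the first setting of a keyword is kept, which
    is how sshd resolves duplicates."""
    blocks = [Block(criteria="")]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments (simplified: no '#' inside values)
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == 'match':
            blocks.append(Block(criteria=value))
        elif key not in blocks[-1].settings:
            blocks[-1].settings[key] = value
    return blocks


def audit(text):
    """Return one finding string per AuthenticationMethods chain that uses
    keyboard-interactive.  Inside a Match block keyboard-interactive can only
    be required or not; nothing in sshd_config pins it to a one-time code, so
    each chain is only as strong as whatever answers the keyboard-interactive
    prompts (on Portable OpenSSH with UsePAM, the PAM stack for sshd)."""
    blocks = parse_sshd_config(text)
    glob = blocks[0].settings
    # ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer
    # releases) is global only; its documented default is yes.
    kbd_enabled = glob.get('kbdinteractiveauthentication',
                           glob.get('challengeresponseauthentication', 'yes')).lower() == 'yes'
    findings = []
    for b in blocks[1:]:
        methods = b.settings.get('authenticationmethods')
        if not methods:
            continue
        for alt in methods.split():
            chain = [m.strip().lower() for m in alt.split(',')]
            if 'keyboard-interactive' not in chain:
                continue
            where = f"Match {b.criteria}: '{alt}'"
            if not kbd_enabled:
                findings.append(f"{where} requires keyboard-interactive but it is disabled globally")
            elif chain == ['keyboard-interactive']:
                findings.append(f"{where} is single-factor: a password fallback in the "
                                f"keyboard-interactive stack would be the only check")
            elif 'password' in chain:
                findings.append(f"{where} pairs password with keyboard-interactive: a password "
                                f"fallback in the keyboard-interactive stack lets the same "
                                f"password satisfy both steps")
            else:
                findings.append(f"{where} relies on keyboard-interactive for the second factor; "
                                f"confirm its prompts cannot fall back to a password")
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real file with `audit(open('/etc/ssh/sshd_config').read())`. The findings are deliberately phrased as things to verify rather than as a fix, because the report's observation is that sshd_config alone cannot express "keyboard-interactive means only the verification code": on a PAM-backed sshd the prompts that keyboard-interactive presents, and whether an empty code falls through to a password prompt, are decided by the PAM stack configured for sshd, so that is where a practitioner has to look.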