
pam_duo 2FA && ssh-key access
Hi All,

Question that has been bugging me for a while...

We have an ssh login host we've protected with Duo's 2FA pam module. We're
allowing both password auth and ssh-keys. Problem is, those users with a
valid ssh key are instantly allowed to log in; the pam stack for the duo .so
module never gets called, and the users are never prompted for 2FA.
Is there a way to compel the execution of PAM modules before OpenSSH
completes the login process for the user? This is OpenSSH 7.4p1 on a RHEL
7.9 system btw....

Thanks a bunch!

-Jeff
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: pam_duo 2FA && ssh-key access
On 26/01/2021 19:04, Avila, Geoffrey wrote:
> We have an ssh login host we've protected with Duo's 2FA pam module. We're
> allowing both password auth and ssh-keys. Problem is, those users with a
> valid ssh key are instantly allowed to log in; the pam stack for the duo .so
> module never gets called, and the users are never prompted for 2FA.
> Is there a way to compel the execution of PAM modules before OpenSSH
> completes the login process for the user?

I use the following (with Yubikey PAM module for 2FA):

# Policy for authentication: require both pubkey *and* PAM
AuthenticationMethods publickey,keyboard-interactive:pam

# From local and VPN addresses, 2FA not required
Match Address 192.168.0.0/16,10.0.0.0/8
AuthenticationMethods publickey

Re: pam_duo 2FA && ssh-key access
On Tue, Jan 26, 2021 at 2:52 PM Brian Candler <b.candler@pobox.com> wrote:
>
> On 26/01/2021 19:04, Avila, Geoffrey wrote:
> > We have an ssh login host we've protected with Duo's 2FA pam module. We're
> > allowing both password auth and ssh-keys. Problem is, those users with a
> > valid ssh key are instantly allowed to log in; the pam stack for the duo .so
> > module never gets called, and the users are never prompted for 2FA.
> > Is there a way to compel the execution of PAM modules before OpenSSH
> > completes the login process for the user?
>
> I use the following (with Yubikey PAM module for 2FA):
>
> # Policy for authentication: require both pubkey *and* PAM
> AuthenticationMethods publickey,keyboard-interactive:pam
>
I've always thought the comma meant "if this does not work, try this next"

> # From local and VPN addresses, 2FA not required
> Match Address 192.168.0.0/16,10.0.0.0/8
> AuthenticationMethods publickey
>
Re: pam_duo 2FA && ssh-key access
On 26/01/2021 20:17, Mauricio Tavares wrote:
> I've always thought the comma meant "if this does not work, try this next"

Nope. From sshd_config(5):

     AuthenticationMethods
             Specifies the authentication methods that must be successfully
             completed for a user to be granted access.  This option must be
             followed by one or more comma-separated lists of authentication
             method names, or by the single string any to indicate the default
             behaviour of accepting any single authentication method.  If the
             default is overridden, then *successful authentication requires
             completion of every method in at least one of these lists*.

             For example, "publickey,password publickey,keyboard-interactive"
             would require the user to complete public key authentication,
             followed by either password or keyboard interactive
             authentication.  Only methods that are next in one or more lists
             are offered at each stage, so for this example it would not be
             possible to attempt password or keyboard-interactive
             authentication before public key.

             For keyboard interactive authentication it is also possible to
             restrict authentication to a specific device by appending a
             colon followed by the device identifier bsdauth, pam, or skey,
             depending on the server configuration.  For example,
             "keyboard-interactive:bsdauth" would restrict keyboard
             interactive authentication to the bsdauth device.

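Added example (not from this thread and not OpenSSH code): a small Python model of the AuthenticationMethods semantics quoted above, i.e. commas chain methods that must all succeed in order, whitespace separates alternative lists, and only the next method of each still-pending list is offered. It assumes, as a simplification, that an unrestricted "keyboard-interactive" entry is satisfied by any device suffix such as "keyboard-interactive:pam".

```python
# Added example, not from this thread or from OpenSSH: a model of how sshd
# evaluates AuthenticationMethods.  Commas chain methods that must ALL
# succeed, in order; whitespace separates alternative lists, and completing
# any ONE list grants access.  Device matching in _matches() is an assumption
# of this model, not a statement about sshd internals.

def parse_methods(value: str) -> list[list[str]]:
    """Split e.g. 'publickey,password publickey,keyboard-interactive:pam'
    into alternative lists; each inner list must be completed in order."""
    value = value.strip()
    if value in ("", "any"):
        return []  # default behaviour: any single method suffices
    return [lst.split(",") for lst in value.split()]


def _matches(required: str, done: str) -> bool:
    """Does a completed method satisfy a required entry?"""
    if required == done:
        return True
    # 'keyboard-interactive' without ':device' accepts any device, e.g.
    # 'keyboard-interactive:pam'; a device-restricted entry must match exactly.
    return ":" not in required and done.split(":", 1)[0] == required


def evaluate(value: str, completed: list[str]) -> tuple[bool, set[str]]:
    """Return (access_granted, methods sshd would offer at the next stage)."""
    lists = parse_methods(value)
    if not lists:
        return bool(completed), set()  # 'any': the first success wins
    granted = False
    offered: set[str] = set()
    for lst in lists:
        pos = 0  # how far into this list the completed methods have got
        for done in completed:
            if pos < len(lst) and _matches(lst[pos], done):
                pos += 1
        if pos == len(lst):
            granted = True
        else:
            offered.add(lst[pos])  # only the NEXT method of a pending list
    return granted, offered


if __name__ == "__main__":
    policy = "publickey,keyboard-interactive:pam"
    for done in ([], ["publickey"], ["keyboard-interactive:pam"],
                 ["publickey", "keyboard-interactive:pam"]):
        print(f"{policy!r} after {done}: {evaluate(policy, done)}")
```

Running it shows that a PAM success alone never satisfies "publickey,keyboard-interactive:pam": the key must come first, and only then is keyboard-interactive offered.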
Re: pam_duo 2FA && ssh-key access
Hi Brian,

Thanks... setting "AuthenticationMethods
publickey,keyboard-interactive:pam" works, in that even with a valid public
key I get prompted for a password and 2FA.
I understand from the reading of the manpage that there is no
"publickey:pam" string that would allow for just a 2FA prompt if a valid
public key was presented?
I'm a little unclear as to why "password" and "keyboard-interactive" are
seen as two distinct authentication methods...

Thanks again!

On Tue, Jan 26, 2021 at 3:37 PM Brian Candler <b.candler@pobox.com> wrote:

> On 26/01/2021 20:17, Mauricio Tavares wrote:
> > I've always thought the comma meant "if this does not work, try
> > this next"
>
> Nope. From sshd_config(5):
>
>      AuthenticationMethods
>              Specifies the authentication methods that must be successfully
>              completed for a user to be granted access.  This option must be
>              followed by one or more comma-separated lists of authentication
>              method names, or by the single string any to indicate the
>              default behaviour of accepting any single authentication method.
>              If the default is overridden, then *successful authentication
>              requires completion of every method in at least one of these
>              lists*.
>
>              For example, "publickey,password publickey,keyboard-interactive"
>              would require the user to complete public key authentication,
>              followed by either password or keyboard interactive
>              authentication.  Only methods that are next in one or more
>              lists are offered at each stage, so for this example it would
>              not be possible to attempt password or keyboard-interactive
>              authentication before public key.
>
>              For keyboard interactive authentication it is also possible to
>              restrict authentication to a specific device by appending a
>              colon followed by the device identifier bsdauth, pam, or skey,
>              depending on the server configuration.  For example,
>              "keyboard-interactive:bsdauth" would restrict keyboard
>              interactive authentication to the bsdauth device.
>
Re: pam_duo 2FA && ssh-key access
On 29/01/2021 20:40, Avila, Geoffrey wrote:
> I understand from the reading of the manpage that there is no
> "publickey:pam" string that would allow for just a 2FA prompt if a valid
> public key was presented?

I'm sorry, but I don't understand what you're asking.  The config you
have asks for a public key auth first, and then asks for a PAM auth, and
lets the user in if both succeed.  What do you want to happen instead?

> I'm a little unclear as to why "password" and "keyboard-interactive" are
> seen as two distinct authentication methods...

Because they are two different authentication mechanisms in the SSH
protocol itself (RFC 4252, RFC 4256).

As I understand it, password is just a password, whereas
keyboard-interactive allows for prompt-response-prompt-response-... (so
for example, it can be used for challenge-response tokens).  The PAM API
also works in a prompt-response manner, via the conversation
function
<http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_conv>.

Regards,

Brian.
