
Unexpected behavior with "-o PreferredAuthentications=password"
I currently have a lot of keys in my .ssh and this is sometimes a
problem when logging into a system where I have to use a password
because the total allowed authentication attempts are exceeded
before it gets to the password. So I had been using
"-o PreferredAuthentications=password" in those cases. But I just
found that there's a gotcha with this... on a specific host that had
a pam configuration to use a 2nd factor (google-authenticator) I
kept getting "Permission denied; please try again." after the
password prompt and never getting to the prompt for the authenticator
code. From a different client where I didn't need to use the
PreferredAuthentications option it worked fine. Eventually I noticed
two things...

1) The password prompt was different; when I used
PreferredAuthentications it looked like "user@host password:", but
when I didn't use that option it just says "Password:" (note the capital
"P").

2) Using "-o PubkeyAuthentication=no" instead of
PreferredAuthentications resolved my problem.

It would seem that depending on those options the interaction between
sshd and PAM is different. Is this a bug, or am I missing something
about the semantics of 'PreferredAuthentications=password'?

Cheers,
- Jürgen


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Unexpected behavior with "-o PreferredAuthentications=password"
On Tue, 20 Jul 2021, Jürgen Botz wrote:

> 1) The password prompt was different; when I used
> PreferredAuthentications it looked like "user@host password:", but
> when I didn't use that option it just says "Password:" (note the capital
> "P").

> about the semantics of 'PreferredAuthentications=password'?

Maybe you need PreferredAuthentications=keyboard-interactive instead?
(Though, I only know the “user@host password:” message.)

Worth a try,
//mirabilos
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

*************************************************

Mit dem tarent-Newsletter nichts mehr verpassen: www.tarent.de/newsletter

*************************************************
Re: Unexpected behavior with "-o PreferredAuthentications=password"
Hi,

By setting PreferredAuthentications to just "password," you are disabling *all* other methods, such as KbdInteractive. Whereas, by setting PubkeyAuthentication=no, you are just disabling public-key authentication.

--
Iain

Re: Unexpected behavior with "-o PreferredAuthentications=password"
On Tue, 20 Jul 2021, Jürgen Botz wrote:

> of sense, although the exact semantics of each authentication method
> (password and keyboard-interactive) aren't completely clear even after
> studying the documentation. Does password bypass PAM entirely and have
> sshd check the password directly?

I don’t know either. Is there a write-up on this?

I do know that I can only use password to log into my BSD box
successfully, not keyboard-interactive, so they are not equivalent.

There’s (thankfully!) no PAM on BSD. Anything related to PAM is
therefore openssh-portable-related.

bye,
//mirabilos
Re: Unexpected behavior with "-o PreferredAuthentications=password"
On 7/20/21 6:56 PM, Thorsten Glaser wrote:
> On Tue, 20 Jul 2021, Jürgen Botz wrote:
>> of sense, although the exact semantics of each authentication method
>> (password and keyboard-interactive) aren't completely clear even after
>> studying the documentation. Does password bypass PAM entirely and have
>> sshd check the password directly?
>
> I don’t know either. Is there a write-up on this?
>
> I do know that I can only use password to log into my BSD box
> successfully, not keyboard-interactive, so they are not equivalent.

Ah! If I understood correctly you /should/ be able to use
'keyboard-interactive:bsdauth' to log into your BSD box. The
keyboard-interactive authentication method has at least two
sub-methods (called 'devices')... pam and bsdauth.

I think to fully understand there's nothing to it but to read
some source code.

- Jürgen

Re: Unexpected behavior with "-o PreferredAuthentications=password"
On Wed, 21 Jul 2021 at 07:21, Jürgen Botz <jurgen@botz.org> wrote:

> [...]
> "-o PreferredAuthentications=password" [...]
> a pam configuration to use a 2nd factor (google-authenticator) I
> kept getting "Permission denied; please try again." after the
> password prompt and never getting to the prompt for the authenticator
> code.


The short answer is you want to
use PreferredAuthentications=keyboard-interactive on your client instead,
or set PasswordAuthentication=no on the server.


> From a different client where I didn't need to use the
> PreferredAuthentications option it worked fine. Eventually I noticed
> two things...
>
> 1) The password prompt was different; when I used
> PreferredAuthentications it looked like "user@host password:", but
> when I didn't use that option it just says "Password:" (note the capital
> "P").
>

Long answer: in the first case the prompt was generated by the ssh client.
In the second case the prompt was generated by the PAM stack and passed to
the ssh client which just displays whatever it's told.

> 2) Using "-o PubkeyAuthentication=no" instead of
> PreferredAuthentications resolved my problem.
>
> It would seem that depending on those options the interaction between
> sshd and PAM is different. Is this a bug, or am I missing something
> about the semantics of 'PreferredAuthentications=password'?
>

"password" authentication passes a single simple password over the
encrypted channel (RFC4252 section 8). It has no provision to pass your
Google Authenticator code.

"keyboard-interactive" (RFC4256) allows for an arbitrary number of
arbitrary requests and responses during an authentication. PAM
configurations can require an arbitrary number of challenges and responses,
so there are PAM configurations (such as yours) that cannot be achieved
with simple password authentication but can be with keyboard-interactive.

When UsePAM is enabled and "password" authentication is attempted, sshd
sets up a simple PAM "conversation function" which blindly answers with the
password to anything PAM asks. This works for trivial PAM configurations
but not more complicated ones such as yours. For "keyboard-interactive"
authentications a more complicated conversation function is used that
allows the messages from the PAM stack (such as your "Password:" and Google
Authenticator prompts) to be passed through to the client, and any
responses (such as your password and authenticator code) to be passed back.

If your server has a PAM stack that's too complicated to work with
PasswordAuthentication you probably want to disable it on the server side.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
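To make the difference between the two PAM conversation functions described above concrete, here is a small model (added illustration, not OpenSSH code): a constructed two-module PAM stack standing in for a password module plus google-authenticator, driven once by a "password"-style conversation that answers every prompt with the one RFC 4252 password, and once by a "keyboard-interactive"-style conversation that relays each prompt to the client as an RFC 4256 request. The module names, prompts and sample secrets are all made up.

```python
from typing import Callable, Dict, List, Tuple

# Constructed PAM stack: each module issues one prompt and checks the reply.
# The second module plays the role of the Google Authenticator TOTP prompt.
Module = Tuple[str, Callable[[str], bool]]
PAM_STACK: List[Module] = [
    ("Password:", lambda reply: reply == "correct horse"),      # sample password
    ("Verification code: ", lambda reply: reply == "493817"),   # sample TOTP
]


def pam_authenticate(stack: List[Module], conv: Callable[[str], str]) -> bool:
    """Run the stack; every module's prompt is answered via the conversation function."""
    return all(check(conv(prompt)) for prompt, check in stack)


def password_conv(password: str) -> Callable[[str], str]:
    """Conversation sshd uses for 'password' auth under UsePAM: the single
    password from the RFC 4252 request is the only answer it can ever give."""
    return lambda _prompt: password


def kbdint_conv(client: Dict[str, str], relayed: List[str]) -> Callable[[str], str]:
    """Conversation for 'keyboard-interactive': each PAM prompt is relayed to
    the client (RFC 4256 INFO_REQUEST) and the client's answer is sent back."""
    def conv(prompt: str) -> str:
        relayed.append(prompt)           # the text the user actually sees
        return client.get(prompt, "")    # INFO_RESPONSE from the client
    return conv


def demo() -> Tuple[bool, bool, List[str]]:
    """Authenticate against the two-module stack with both conversation styles."""
    # 'password' auth: the password is right, but the TOTP prompt gets it too.
    pw_ok = pam_authenticate(PAM_STACK, password_conv("correct horse"))
    # 'keyboard-interactive': the client sees both prompts and answers each one.
    relayed: List[str] = []
    client = {"Password:": "correct horse", "Verification code: ": "493817"}
    ki_ok = pam_authenticate(PAM_STACK, kbdint_conv(client, relayed))
    return pw_ok, ki_ok, relayed


if __name__ == "__main__":
    pw_ok, ki_ok, relayed = demo()
    print("password auth:        ", "ok" if pw_ok else "Permission denied")
    print("keyboard-interactive: ", "ok" if ki_ok else "Permission denied")
    print("prompts relayed to client:", relayed)
```

With a one-module stack (password only) the "password" conversation succeeds, which is why the same client option works on hosts with a trivial PAM configuration.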
Re: Unexpected behavior with "-o PreferredAuthentications=password"
On Tue, 20 Jul 2021, Jürgen Botz wrote:

> Ah! If I understood correctly you /should/ be able to use
> 'keyboard-interactive:bsdauth' to log into your BSD box. The

Doesn’t seem to work this way, neither as you wrote nor with
-o PreferredAuthentications=keyboard-interactive \
-o KbdInteractiveDevices=bsdauth *shrug*

What *is* keyboard-interactive then? Perhaps this is only
obvious to people who know or used the original 1990s pre-Open
ssh?

Meow,
//mirabilos
Re: Unexpected behavior with "-o PreferredAuthentications=password"
On Tue, 20 Jul 2021, Jürgen Botz wrote:

> I currently have a lot of keys in my .ssh and this is sometimes a
> problem when logging into a system where I have to use a password
> because the total allowed authentication attempts are exceeded
> before it gets to the password. So I had been using
> "-o PreferredAuthentications=password" in those cases. But I just
> found that there's a gotcha with this... on a specific host that had
> a pam configuration to use a 2nd factor (google-authenticator) I
> kept getting "Permission denied; please try again." after the
> password prompt and never getting to the prompt for the authenticator
> code. From a different client where I didn't need to use the
> PreferredAuthentications option it worked fine. Eventually I noticed
> two things...
>
> 1) The password prompt was different; when I used
> PreferredAuthentications it looked like "user@host password:", but
> when I didn't use that option it just says "Password:" (note the capital
> "P").
>
> 2) Using "-o PubkeyAuthentication=no" instead of
> PreferredAuthentications resolved my problem.
>
> It would seem that depending on those options the interaction between
> sshd and PAM is different. Is this a bug, or am I missing something
> about the semantics of 'PreferredAuthentications=password'?

As others have pointed out, setting this option to just password
also disables the other authentication method that is often used
for password (and challenge-response) authentication.

You probably want:

PreferredAuthentications=keyboard-interactive,password

-d
Re: Unexpected behavior with "-o PreferredAuthentications=password"
On Wed, 21 Jul 2021, Thorsten Glaser wrote:

> What *is* keyboard-interactive then? Perhaps this is only
> obvious to people who know or used the original 1990s pre-Open
> ssh?

it's https://datatracker.ietf.org/doc/html/rfc4256
Re: Unexpected behavior with "-o PreferredAuthentications=password"
On Wed, 21 Jul 2021 at 09:26, Thorsten Glaser <t.glaser@tarent.de> wrote:

> [...]
> What *is* keyboard-interactive then? Perhaps this is only
> obvious to people who know or used the original 1990s pre-Open
> ssh?
>

The general answer to "what is this thing OpenSSH implements?" is
https://www.openssh.com/specs.html which is linked from the main page of
openssh.com. If there's something that is implemented and not listed
please let us know and we'll fix it.

Re: Unexpected behavior with "-o PreferredAuthentications=password"
On 7/20/21 8:15 PM, Darren Tucker wrote:
> Long answer: in the first case the prompt was generated by the ssh client.
> In the second case the prompt was generated by the PAM stack and passed to
> [...]

Thanks, Darren, for the detailed explanation. Makes complete sense. In
particular understanding that 'password' auth with PAM enabled doesn't
completely bypass PAM but can't handle more complicated cases was
necessary to explain the combination of behaviors and log messages I
saw.

I'll add rfc4256 to my bed-time reading stack... ;-)

- Jürgen
