Dear OpenSSH Development Team, I'm writing because I have trouble implementing a relatively straightforward authentication scenario with OpenSSH Server and I could not find any useful information by googling and probably you are my best choice to turn to because you must be the most familiar with the internals of OpenSSH. I'm trying to implement two-factor authentication for OpenSSH. The environment is Centos 7 (kernel: 3.10.0-229.1.2.el7.x86_64) with OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013. We have Active Directory (LDAP) + Kerberos deployed. The specification is as follows: - A user with an existing, valid Kerberos ticket must be asked only for the second factor - A user without an existing, valid Kerberos ticket must be asked for both his password and a second factor - Local users (no LDAP acc.) should be able to authenticate with their local passwords - The second factor must not be offered before the first one - Besides Kerberos, public key authentication should be also accepted as first factor if available - The feature should be able to be limited to a set of users - others just get let in with their passwords For performing the second factor's authentication process, there is 3rd party a PAM module available that knows nothing about Kerberos. So here is what I did: Put these lines into /etc/ssh/sshd_config: # To enable PAM - this will make sshd use PAM with configuration /etc/pam.d/sshd UsePam yes ChallengeResponseAuthentication yes # To enable Kerberos and public key authentication - it will let sshd use existing Kerberos tickets GSSAPIAuthentication yes # Enable public key authentication PubkeyAuthentication yes # Password validation should be done via the KDC PasswordAuthentication yes KerberosAuthentication yes KerberosOrLocalPasswd yes # Kerberos / Public Key + PAM AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam password,keyboard-interactive:pam # (only supported for OpenSSH 6.2 or higher) The auth section of the PAM configuration for sshd (/etc/pam.d/sshd) auth [success=ignore default=1] pam_localuser.so auth substack password-auth auth [success=1 default=ignore] pam_localuser.so auth required pam_2fa.so [...some arguments...] auth include postlogin The module pam_2fa.so is responsible for prompting for and validating the second factor. Now for Kerberos, this does almost everything I wanted to achieve. However, for local accounts, it results in two subsequent password prompts. This is my main problem here. This is because in this case the path "password,keyboard-interactive:pam" is used,as expected. (I need this auth. path so someone with a Kerberos account but without a valid ticket can get a ticket by entering the password then the OTP.) If I remove the password-auth substack completely from the PAM config, then Kerberos accounts remain working and local accounts remain not working. To me, it seems like the KerberosOrLocalPasswd yes statement gets ignored, because UsePAM yes is also present. However, sshd really keeps using KDC for password validation, because otherwise it would not work for LDAP accounts either. So again, to further clarify what I wish to implement here is the pseudocode that described the desired authentication logic: if gssapi_auth_ok(principal) or pubkey_auth_ok(pubkey): return second_factor_auth(user, read_otp()) else: if is_local_account(user): return local_passwd_auth(user, read_password()) else: if krb5_auth(principal, read_password()): return second_factor_auth(user, read_otp()) return AUTH_ERR So my scenario I think is not too complex or ambitious in any way, but I still could not find a clear way to implement it despite I spent days researching and experimenting. Could you please help me find a solution? Thank you very much in advance! Cheers, Gyorgy Demarcsek _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev