Hi,

Finally got it working (user backup requires only pubkey to authenticate, others - 2-way through PAM):

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
AuthenticationMethods publickey

Regards,
Alexander

On Tue, Dec 15, 2015 at 4:41 PM, Alexander Afonyashin <a.afonyashin@xxxxxxxxxxxxxx> wrote:
> Hi Iain,
>
> Unfortunately it leads to "no authentication methods enabled" when is used.
>
> ChallengeResponseAuthentication yes
> AuthenticationMethods publickey,keyboard-interactive
> Match User backup
> KbdInteractiveAuthentication no
>
> Ssh-ing to this config under user root:
>
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: key@work
> debug1: Server accepts key: pkalg ssh-rsa blen 277
> Authenticated with partial success.
> debug1: Authentications that can continue: keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> Verification code:
>
> Ssh-ing to this config under user backup:
>
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> Received disconnect from X.X.X.X: 2: no authentication methods enabled
>
> Regards,
> Alexander
>
> On Mon, Dec 14, 2015 at 10:44 PM, Iain Morgan <imorgan@xxxxxxxxxxxx> wrote:
>> On Fri, Dec 11, 2015 at 11:13:59 +0300, Alexander Afonyashin wrote:
>>> Hi,
>>>
>>> I'm using 2-factor authentication (pubkey+google_authenticator) and
>>> have an issue with rsync. It's configured to use pubkey to
>>> authenticate to server so when google_authentication is bypassed by
>>> not creating .google_authenticator file for particular user (thanks to
>>> nullok option in PAM) it still sends to stderr "Authenticated with
>>> partial success." message although it succeeded.
>>>
>>> So idea is simple: disable 2-factor authentication for particular user/network.
>>>
>>
>> Try KbdInteractiveAuthentication (which is supported in Match blocks)
>> instead of ChallengeResponseAuthentication.
>>
>> --
>> Iain Morgan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
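
The difference between the two configurations in this thread, as an added example that is not part of the original messages or of OpenSSH: a simplified Python model of how the required method lists are filtered against the methods enabled for each user. It assumes exact `Match User` names only and the defaults shown; the helper names `effective`, `usable_lists` and `verdict` are hypothetical.

```python
# Added example: a simplified model, not sshd's own parser or code.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}  # assumed defaults
SWITCH = {"publickey": "pubkeyauthentication", "password": "passwordauthentication",
          "keyboard-interactive": "kbdinteractiveauthentication"}
# Constructed from the two configurations quoted in the thread.
FAILING = """ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    KbdInteractiveAuthentication no"""
WORKING = """ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    AuthenticationMethods publickey"""

def effective(config, user):
    """Global keywords, overridden by 'Match User' blocks naming `user` exactly."""
    glob, over = {}, {}
    target = glob
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit, _, names = val.partition(" ")
            hit = crit.lower() == "user" and user in names.strip().split(",")
            target = over if hit else None
        elif target is not None:
            target.setdefault(key, val)  # first value wins within a scope
    opts = {**DEFAULTS, **glob}
    # Assumption: challenge-response "yes" turns keyboard-interactive on globally.
    if opts["challengeresponseauthentication"] == "yes":
        opts["kbdinteractiveauthentication"] = "yes"
    return {**opts, **over}

def usable_lists(opts):
    """AuthenticationMethods lists left once disabled methods are eliminated."""
    lists = [l.split(",") for l in opts.get("authenticationmethods", "any").split()]
    if lists == [["any"]]:
        return None  # no required sequence configured
    def on(m):  # methods outside SWITCH are treated as disabled in this model
        return opts.get(SWITCH.get(m.split(":")[0], ""), "no") == "yes"
    return [l for l in lists if all(on(m) for m in l)]

def verdict(config, user):
    lists = usable_lists(effective(config, user))
    return "no authentication methods enabled" if lists == [] else lists
```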