Re: Support for ChallengeResponseAuthentication in Match section

Hi,

Finally got it working (user backup requires only pubkey to
authenticate, others - 2-way through PAM):

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
  AuthenticationMethods publickey

Regards,
Alexander

On Tue, Dec 15, 2015 at 4:41 PM, Alexander Afonyashin
<a.afonyashin@xxxxxxxxxxxxxx> wrote:
> Hi Iain,
>
> Unfortunately it leads to "no authentication methods enabled" when it is used.
>
> ChallengeResponseAuthentication yes
> AuthenticationMethods publickey,keyboard-interactive
> Match User backup
>   KbdInteractiveAuthentication no
>
> Ssh-ing to this config under user root:
>
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: key@work
> debug1: Server accepts key: pkalg ssh-rsa blen 277
> Authenticated with partial success.
> debug1: Authentications that can continue: keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> Verification code:
>
> Ssh-ing to this config under user backup:
>
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> Received disconnect from X.X.X.X: 2: no authentication methods enabled
>
> Regards,
> Alexander
>
> On Mon, Dec 14, 2015 at 10:44 PM, Iain Morgan <imorgan@xxxxxxxxxxxx> wrote:
>> On Fri, Dec 11, 2015 at 11:13:59 +0300, Alexander Afonyashin wrote:
>>> Hi,
>>>
>>> I'm using 2-factor authentication (pubkey+google_authenticator) and
>>> have an issue with rsync. It's configured to use pubkey to
>>> authenticate to server so when google_authentication is bypassed by
>>> not creating .google_authenticator file for particular user (thanks to
>>> nullok option in PAM) it still sends to stderr "Authenticated with
>>> partial success." message although it succeeded.
>>>
>>> So the idea is simple: disable 2-factor authentication for particular user/network.
>>>
>>
>> Try KbdInteractiveAuthentication (which is supported in Match blocks)
>> instead of ChallengeResponseAuthentication.
>>
>> --
>> Iain Morgan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
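
Added example (not part of the thread and not OpenSSH code): a small Python model of why the first Match block locked out user backup while the second works. sshd drops every AuthenticationMethods list that names a disabled method and refuses the connection when none is left. The function names are hypothetical, and the parsing is simplified: only "Match User" is handled, ChallengeResponseAuthentication is treated as an alias of KbdInteractiveAuthentication, and unset methods are assumed enabled.

```python
import fnmatch

# Simplified model: each method is switched by one keyword (assumed default
# "yes"); ChallengeResponseAuthentication is treated as an alias.
SWITCH = {"publickey": "pubkeyauthentication", "password": "passwordauthentication",
          "keyboard-interactive": "kbdinteractiveauthentication"}
ALIAS = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective(config, user):
    """Resolve keywords for `user`: Match overrides global, first value wins."""
    glob, matched, active, in_match = {}, {}, False, False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = ALIAS.get(parts[0].lower(), parts[0].lower())
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit, pats = (val.split(None, 1) + ["", ""])[:2]
            # Only "Match User <pattern,...>" is modelled in this sketch.
            active = crit.lower() == "user" and any(
                fnmatch.fnmatch(user, p) for p in pats.split(","))
            in_match = True
        elif in_match and active:
            matched.setdefault(key, val)
        elif not in_match:
            glob.setdefault(key, val)
    return {**glob, **matched}

def usable_lists(config, user):
    """Lists left after dropping those that name a disabled method ([] = lockout)."""
    opts = effective(config, user)
    def enabled(method):
        switch = SWITCH.get(method.split(":")[0])
        return switch is not None and opts.get(switch, "yes").lower() == "yes"
    lists = opts.get("authenticationmethods", "any").split()
    return [l for l in lists if l == "any" or all(map(enabled, l.split(",")))]

# Constructed inputs: the two configurations posted in this thread.
BROKEN = """ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
  KbdInteractiveAuthentication no
"""
WORKING = BROKEN.replace("KbdInteractiveAuthentication no",
                         "AuthenticationMethods publickey")
if __name__ == "__main__":
    for cfg in (BROKEN, WORKING):
        print({u: usable_lists(cfg, u) for u in ("root", "backup")})
```

On a real server, sshd -T with a -C connection specification (for example user=backup) prints the effective settings for that user, which is the authoritative way to confirm what a Match block changes.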


