[Bug 2663] New: [man] sshd_config(5) AuthenticationMethods segment clarification, proposal and questions

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Jan 9 12:33:31 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2663

            Bug ID: 2663
           Summary: [man] sshd_config(5) AuthenticationMethods segment
                    clarification, proposal and questions
           Product: Portable OpenSSH
           Version: 7.2p2
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: low-hanging-fruit
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bgzll at gmx-topmail.de

Segment's first paragraph reads:
AuthenticationMethods
    ... This option must be followed by one or more __comma-separated
lists__ of authentication method names. ...

Suggested change
    ... This option must be followed by one or more lists of
__comma-separated authentication method names__. ...

Rationale:
The current wording is misleading; not the lists are comma-separated,
but their elements; any pair of neighbouring lists is space-separated.
----------

My approach was:
Taking the example of the second paragraph's first sentence (without
considering the subsequent explanation)
    ... “publickey,password publickey,keyboard-interactive” ...
the misleading statement about the list separator would have to yield
three authentication paths, either with:
   "publickey" or "password and publickey" or  "keyboard-interactive"
Testing a configuration with just "password,publickey" in an actual
sshd_config file made it apparent that a single list is at hand, as an
authentication only occurs if the password input can be augmented with
the retrieval of a keyfile (otherwise, the client reports
"Authenticated with partial success.").
----------

And something else is at play:
    AuthenticationMethods password publickey
    AuthenticationMethods publickey password

Both fail to authenticate, if no publickey is present; apparently, the
first (and only) items of the 2 lists are brought into a default order
of "publickey password"; this cannot be inferred from invoking
    sshd -T -f /etc/ssh/sshd_config
which seems to suggest that the order remains as originally set in
sshd_config.
Granted, single item lists do not warrant usage of
"AuthenticationMethods". But this fails as well:
    AuthenticationMethods password publickey,password
(Again, a rather useless combination from a practical view)
The client specifically stating not to use public key auth remedies the
issue:
    ssh user at host -o "PubkeyAuthentication no"
My suggestion for this would be to extend the manual section by a
sentence that states the order of precedence of authentication methods
within a given "stage".
----------

For me, with regard to the manual segment of AuthenticationMethods, a
question remains with the term "stage" in paragraph 2, sentence 2:
    Only methods that are next in one or more lists are offered at each
stage, ...
Is this supposed to say that, for example:
    AuthenticationMethods password,publickey 
hostbased,keyboard-interactive
could result in a user being authenticated by "hostbased publickey"?

If so, then the last sentence of the section's paragraph 1:
    Successful authentication requires completion of every method in at
least one of these lists.
would be incorrect in so far that - strictly speaking - none of the
given lists was completed, but a new one was assembled.

Thanks for any clarifications -  and maybe, this helps some other folks
when preparing and testing an sshd configuration.
----------

Beyond this topic, is there a reason why only the first occurrence of
AuthenticationMethods is honored? As with HostKey, Port, ...,
reocurring keywords' values could be appended...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list