[Bug 3303] New: Request Match block accommodation for 2FA sshd_config

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Apr 24 04:29:48 AEST 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3303

            Bug ID: 3303
           Summary: Request Match block accommodation for 2FA sshd_config
           Product: Portable OpenSSH
           Version: 8.6p1
          Hardware: Other
                OS: Windows 10
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: alwanza at yahoo.com

Explanation of how the bug works:
Users can ssh into the SSH SERVER using the following methods:
1. password and 2FA (this is as designed)
2. ssh-key with passphrase and 2FA (this is as designed)
3. password and enter and password (entering the same password twice) (this is a bug)
4. ssh-key with passphrase and enter and password (this is a bug)

Per ssh error message:
Directive 'ChallengeResponseAuthentication' is not allowed within a
Match Block

In order to permit users to authenticate with EITHER a long password
OR an ssh-key that is protected with a passphrase,
we introduced “Match” blocks in our sshd_config file.
The “Match” blocks permit SOME users to use a password AND other users
to use an ssh-key protected with a passphrase.

The allowable authentication methods in a Match block include:
password, publickey, and keyboard-interactive

The problem is that “keyboard-interactive” is NOT restricted to meaning
“2FA” and there is no way to restrict it to mean “2FA”.
“keyboard-interactive” CAN also mean “password”. So if the user just
enters an empty Verification Code, the user is presented with a
password prompt.

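As an added illustration (not from the report or from the OpenSSH project), the shape of the Match-block configuration the report describes, using only directives that sshd_config(5) permits inside a Match block. The group names `pwusers` and `keyusers` are assumed. The point the report makes still holds here: AuthenticationMethods only names the keyboard-interactive method; which prompts that method presents, and whether an empty verification code is followed by a password prompt, is decided by the keyboard-interactive backend (for example the PAM stack), not by anything in this file.

```sshd_config
# Global section (assumed defaults): all three methods available, so the
# Match blocks below can narrow them per group.
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
# ChallengeResponseAuthentication is the older spelling of the same
# setting; in 8.6 it is accepted only at global scope, which is why
# placing it inside Match produces the error quoted in the report.

# Users who log in with a long password plus a second factor
# (the report's method 1). Keys are switched off for them.
Match Group pwusers
    PubkeyAuthentication no
    AuthenticationMethods password,keyboard-interactive

# Users who log in with a passphrase-protected key plus a second factor
# (the report's method 2). Plain passwords are switched off for them.
Match Group keyusers
    PasswordAuthentication no
    AuthenticationMethods publickey,keyboard-interactive

# Note: "keyboard-interactive" above is satisfied by whatever the
# backend accepts. If the backend falls through from the verification
# code prompt to a password prompt, sshd_config cannot restrict that;
# this is the accommodation the report asks for.
```

Check the result with `sshd -T -C user=NAME` for a member of each group; the effective `authenticationmethods` line for that user shows which combination sshd will require.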