[Bug 3303] New: Request Match block accommodation for 2FA sshd_config
bugzilla-daemon at mindrot.org
Sat Apr 24 04:29:48 AEST 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3303
Bug ID: 3303
Summary: Request Match block accommodation for 2FA sshd_config
Product: Portable OpenSSH
Version: 8.6p1
Hardware: Other
OS: Windows 10
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: alwanza at yahoo.com
Explanation of how the bug works:
Users can ssh into the SSH SERVER using the following methods:
1. password and 2FA (this is as designed)
2. ssh-key with passphrase and 2FA (this is as designed)
3. password and enter and password (entering the same password twice) (this is a bug)
4. ssh-key with passphrase and enter and password (this is a bug)
Per ssh error message:
Directive 'ChallengeResponseAuthentication' is not allowed within a
Match Block
In order to permit users to authenticate with EITHER a long password
OR an ssh-key that is protected with a passphrase,
we introduced “Match” blocks in our sshd_config file.
The “Match” blocks permit SOME users to use a password AND other users
to use an ssh-key protected with a passphrase.
The allowable authentication methods in a Match block include:
password, publickey, and keyboard-interactive
The problem is that “keyboard-interactive” is NOT restricted to meaning
“2FA” and there is no way to restrict it to mean “2FA”.
“keyboard-interactive” CAN also mean “password”. So if the user just
enters an empty Verification Code, the user is presented with a
password prompt.
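One way to close the fallback the report describes, as an added example that is not part of the bug report or of the OpenSSH project: sshd itself cannot restrict keyboard-interactive to "2FA", so the restriction has to come from the PAM "sshd" stack that keyboard-interactive delegates to. The example assumes a Debian-style PAM layout, pam_google_authenticator as the module behind the "Verification Code" prompt, and two hypothetical groups, pwd2fa and key2fa.

```text
# sshd_config (OpenSSH 8.6p1; "pwd2fa" and "key2fa" are hypothetical group names)
UsePAM yes
PasswordAuthentication no               # plain password is never a complete method
ChallengeResponseAuthentication yes     # 8.6p1 name for keyboard-interactive via PAM
AuthenticationMethods "publickey,keyboard-interactive:pam"   # default: key + OTP

Match Group pwd2fa
    # password AND verification code; both are collected by the PAM stack below
    AuthenticationMethods "keyboard-interactive:pam"

Match Group key2fa
    AuthenticationMethods "publickey,keyboard-interactive:pam"

# /etc/pam.d/sshd, "auth" lines only (replaces the distribution's "@include common-auth")
# Members of key2fa skip pam_unix, so the OTP module is the only prompt they see.
auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup key2fa
# No "nullok" on either module: an empty answer is a failure, and because both are
# "required" PAM still asks every remaining question but never re-prompts for a password.
auth required pam_unix.so
auth required pam_google_authenticator.so
```

Because PasswordAuthentication stays off everywhere, the OTP-only stack seen by key2fa users can never be reached with a bare password, and a blank verification code fails the whole keyboard-interactive exchange instead of opening a second password prompt.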