Match and ChallengeResponseAuthentication

Miguel Lopes Santos Ramos mbox at miguel.ramos.name
Thu Mar 10 01:03:52 EST 2011


Hi,

I'd like to allow PAM authentication only from the local network, and
from the Internet only allow public key authentication.

A similar-enough problem has been discussed on this list previously:

http://www.gossamer-threads.com/lists/openssh/dev/47179?search_string=match%20challengeresponseauthentication;#47179


More specifically, I would like to allow PAM authentication from the
Internet only for users which I know use OPIE (that's because
pam_opieaccess isn't flexible enough for this).
That would be something like this:

ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
  ChallengeResponseAuthentication yes
Match User miguel
  ChallengeResponseAuthentication yes


However, ChallengeResponseAuthentication can't be used within Match, as
was previously pointed out.

Now, about the solutions in the other thread:

- Damien Miller suggested patching sshd. That would be ok for me, but
only if that's what makes the most sense: that is, my policy is too
specific and useless or unadvisable to others.

- Damien Miller also suggested turning off KbdInteractiveAuthentication
inside match, and,

- Darren Tucker suggested turning it off outside and on inside,


But, I tried these options:

a)
ChallengeResponseAuthentication yes
#KbdInteractiveAuthentication yes
Match Address !10.0.0.0/8
  KbdInteractiveAuthentication no

- keyboard interactive auth from the Internet isn't prevented.

b)
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
  KbdInteractiveAuthentication yes
Match User miguel
  KbdInteractiveAuthentication yes

- from the Internet, the desired effect is obtained, when trying ssh -o
PubkeyAuthentication=no user@example.com, I get:
Permission denied (publickey)

- from the local net, when trying ssh -o PubkeyAuthentication=no
user@example.com, I get:
Permission denied (publickey,keyboard-interactive)

That's funny, keyboard-interactive is allowed, but I'm not asked for a
password, obviously that must be because ChallengeResponseAuthentication
is no, globally.

c)
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
  KbdInteractiveAuthentication yes
Match User miguel
  KbdInteractiveAuthentication yes

- keyboard interactive auth from the Internet isn't prevented.


So, I guess I'm left with patching sshd??

In everything else my sshd_config is set to defaults. Also, I'm on
FreeBSD (8.2-PRERELEASE #2 with OpenSSH_5.4p1).


Thanks for any pointers (including telling me that I shouldn't have that
policy).

-- 
Miguel Ramos <mbox at miguel.ramos.name>
PGP A006A14C
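An added example, not from the post or from OpenSSH, that models sshd's documented Match semantics (the first satisfied block that sets a keyword wins, and a negated list entry vetoes a match but never produces a positive match by itself) so that policies like the ones above can be previewed per user and address offline; on the host itself `sshd -T -C user=...,addr=...` is the authoritative check. It assumes only Match User and Match Address criteria and sshd's default of "yes" for both keywords.

```python
# Added example, not from the post or OpenSSH: a simplified model of sshd's Match
# resolution (Match User/Address only) to preview effective auth settings per connection.
import fnmatch
import ipaddress

# Constructed sample: the poster's configuration (b).
CONFIG_B = """ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
  KbdInteractiveAuthentication yes
Match User miguel
  KbdInteractiveAuthentication yes
"""
DEFAULTS = {"challengeresponseauthentication": "yes", "kbdinteractiveauthentication": "yes"}
MATCHERS = {"address": lambda net, a: ipaddress.ip_address(a) in ipaddress.ip_network(net, strict=False),
            "user": lambda pat, u: fnmatch.fnmatchcase(u, pat)}  # one list entry vs. the connection

def parse(text):
    """Return (global settings, [(criteria, block settings), ...])."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            toks, cur = val.split(), {}
            blocks.append((list(zip(toks[::2], toks[1::2])), cur))
        elif key:  # sshd keeps the first instance of a keyword in each scope
            (glob if cur is None else cur).setdefault(key, val)
    return glob, blocks

def list_matches(spec, value, hit):
    """sshd pattern-list rule: a matching '!' entry vetoes the list, and a list
    of only negated entries never yields a positive match by itself."""
    positive = False
    for entry in spec.split(","):
        if hit(entry.lstrip("!"), value):
            if entry.startswith("!"):
                return False
            positive = True
    return positive

def effective(config, keyword, user, addr):
    """First satisfied Match block that sets keyword wins; else global; else default."""
    glob, blocks = parse(config)
    key, conn = keyword.lower(), {"user": user, "address": addr}
    for criteria, settings in blocks:
        if key in settings and all(list_matches(v, conn[c.lower()], MATCHERS[c.lower()])
                                   for c, v in criteria):
            return settings[key]
    return glob.get(key, DEFAULTS.get(key))
```

Under this model a block such as `Match Address !10.0.0.0/8` is never satisfied for any address, while `!10.0.0.0/8,0.0.0.0/0` matches every IPv4 address outside 10.0.0.0/8.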

