Support for ChallengeResponseAuthentication in Match section

Alexander Afonyashin a.afonyashin at madnet-team.ru
Wed Dec 16 00:41:49 AEDT 2015


Hi Iain,

Unfortunately it leads to "no authentication methods enabled" when is used.

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
  KbdInteractiveAuthentication no

Ssh-ing to this config under user root:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: key at work
debug1: Server accepts key: pkalg ssh-rsa blen 277
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Verification code:

Ssh-ing to this config under user backup:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Received disconnect from X.X.X.X: 2: no authentication methods enabled

Regards,
Alexander

On Mon, Dec 14, 2015 at 10:44 PM, Iain Morgan <imorgan at nas.nasa.gov> wrote:
> On Fri, Dec 11, 2015 at 11:13:59 +0300, Alexander Afonyashin wrote:
>> Hi,
>>
>> I'm using 2-factor authentication (pubkey+googe_authenticator) and
>> have an issue with rsync. It's configured to use pubkey to
>> authenticate to server so when google_authentication is bypassed by
>> not creating .google_authenticator file for particular user (thanks to
>> nullok option in PAM) it still sends to stderr "Authenticated with
>> partial success." message although it succeeded.
>>
>> So idea is simple: disable 2-factor authentication for particular user/network.
>>
>
> Try KbdInteractiveAuthentication (which is supported in Match blocks)
> instead of ChallengeResponseAuthentication.
>
> --
> Iain Morgan


More information about the openssh-unix-dev mailing list