What's new in OpenSSH 6.2

Posted Apr 3, 2013 14:24 UTC (Wed) by nix (subscriber, #2304)
Parent article: What's new in OpenSSH 6.2

Hm, is there any evidence that specifying submethods after a colon works? I can't see an implementation of that in the code, it's not documented in the manpage, and trying to use it gives

error: Unknown authentication method "keyboard-interactive:pam" in list
fatal: reprocess config line 105: invalid authentication method list.

which seems pretty conclusive.

(FWIW, the undocumented keyword "KbdInteractiveAuthentication yes" might also be necessary. It is documented as working in Match blocks but is nowhere else documented. Its default value appears to be 0, which is hard to square with keyboard-interactive authentication apparently working when password auth is turned on. Maybe PAM is a kind of password auth? The difference between password and keyboard-interactive is extremely opaque to me.)



What's new in OpenSSH 6.2

Posted Apr 3, 2013 15:01 UTC (Wed) by nix (subscriber, #2304) [Link]

OK. On further investigation, if you are using PAM, then the password authentication method will always use it -- but if you're using keyboard-interactive, then (as the default config file somewhat confusingly suggests, without mentioning keyboard-interactive at all) PAM's account and session checks will run but PAM will not be given the opportunity to actually ask you for a password. The advantage of all this over turning on PasswordAuthentication is... somewhat opaque to me. I guess keyboard-interactive can be used for more intricate protocols, but none appear to exist other than S/Key yet, and it doesn't seem likely that many will be added as long as PAM exists, since PAM is useful for lots of non-ssh uses as well.

What's new in OpenSSH 6.2

Posted Aug 16, 2013 3:58 UTC (Fri) by dugsong (guest, #79624) [Link]

We implemented a native kbdint driver for Duo Security's two-factor authentication for OpenSSH ("keyboard-interactive:duo"), coordinated with markus' AuthenticationMethods submethod commit. Code and docs here:

https://github.com/duosecurity/libduo/tree/master/openssh

A similar experience can be achieved using our ForceCommand trick, which doesn't require any sshd changes or root access:

https://blog.duosecurity.com/2011/04/ssh-keys-that-call-y...

But the latter approach doesn't prevent port forwarding before secondary authentication.
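
An added example, not part of the comment above or of Duo's code: a check for the gap the comment describes, assuming the forced command is set with the `command=` option in authorized_keys. The command path and keys are constructed placeholders, and the script looks only at per-key options, not at sshd_config.

```python
# Added example: flag forced-command keys that still permit port forwarding.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with these has no options

def parse_options(line):
    """Return the options that precede the key type ([] if there are none)."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur += '\\"'  # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if not quoted and ch in " \t":
            break  # the options field ends at the first unquoted whitespace
        if not quoted and ch == ",":
            opts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    return opts + [cur]

def forwarding_allowed(opts):
    allowed = True  # options apply in order; forwarding starts out permitted
    for name in (o.lower() for o in opts):
        # `restrict` (OpenSSH 7.2+) turns everything off; `port-forwarding` re-enables
        if name in ("no-port-forwarding", "restrict", "port-forwarding"):
            allowed = name == "port-forwarding"
    return allowed

def audit(text):
    """Return (line number, forced command) for entries that permit forwarding."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        opts = parse_options(line)
        cmd = next((o for o in opts if o.lower().startswith("command=")), None)
        if cmd and forwarding_allowed(opts):
            findings.append((n, cmd.split("=", 1)[1].strip('"')))
    return findings

# Constructed sample; keys are truncated and the command path is hypothetical.
SAMPLE = '''command="/opt/2fa/login",no-pty ssh-ed25519 AAAA...A alice
command="/opt/2fa/login",no-port-forwarding ssh-ed25519 AAAA...B bob
restrict,command="/opt/2fa/login --mode a,b" ssh-rsa AAAA...C carol
restrict,port-forwarding,command="/opt/2fa/login" ssh-rsa AAAA...D dave'''
```

Calling `audit()` on the contents of an authorized_keys file lists the entries where a forced command is present but forwarding has not been turned off for that key.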

