Bug 1263133
| Field | Value |
|---|---|
| Summary | openssh multi factor authentication. |
| Product | [Fedora] Fedora |
| Component | openssh |
| Version | 22 |
| Status | CLOSED EOL |
| Severity | medium |
| Priority | unspecified |
| Hardware | All |
| OS | All |
| Type | Bug |
| Doc Type | Bug Fix |
| Reporter | Maciej Żenczykowski <zenczykowski> |
| Assignee | Jakub Jelen <jjelen> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | jjelen, mattias.ellert, mgrepl, plautrba, tmraz, zenczykowski |
| Last Closed | 2016-07-19 19:56:52 UTC |
Description
Maciej Żenczykowski
2015-09-15 07:59:01 UTC
Hi Maciej, this is an interesting question, but it is more appropriate to post to some mailing list, Q&A site or discussion board. Bugzilla is for filing bug reports and feature requests for our products.

Setting up different policies for different networks was always complicated in openssh, especially when you want to use OTP, which is not provided directly by openssh. Using AuthenticationMethods in this form "keyboard-interactive:pam:sshd-with-publickey" seems to me over-complicated. But there is an upstream bug with a patch that was never applied, that should help to solve your problem: https://bugzilla.mindrot.org/show_bug.cgi?id=2102 It is providing a PAMServiceName configuration option, that you can change for different policies and then take care of the rest in PAM. If you think it would help you, I can build you a testing package and we can consider adding this option to Fedora.

From a cursory examination of the linked bug's description it does seem like that allows one to do exactly what I would like. A testing package would be nice!

From a cursory examination of the linked bug's description it does seem like that allows one to do exactly what I would like. A testing package would be nice!

Ugh, copy and paste error and collisions. What I wanted to say is that the default should probably still be __progname and not sshd for backwards compatibility with existing ssh daemon configuration.

I rebuilt a recent package with this patch for you. Can you test if it works for you? I will try to talk with upstream about accepting this change. There should be no blocker, since all PAM is a portable-only feature in openssh. http://koji.fedoraproject.org/koji/taskinfo?taskID=11125162

I'm not seeing a way to download binary or src packages (to rebuild myself) from the above link, and I can't seem to find this through a normal search for openssh on koji. Is it hidden somehow?

Sure. It is a scratch build so it is not visible in any search. But by clicking on the x86_64 architecture you will get to: http://koji.fedoraproject.org/koji/taskinfo?taskID=11125163 where you can download the srpm, but also rpms for this architecture and for Fedora 22.

Thanks. I've successfully downloaded and installed the package. However, I've run into a bit of a problem with actually configuring this. AFAICT while I can configure a different pam service type for different users and/or different src ips, I can't configure a different pam service based on if you've already authenticated via public key or not, because that's not something I can 'Match' on. I do like the patch, but it doesn't seem like it will allow me to implement my request. I'll play around with it some more.

Can you check https://cern-cert.github.io/pam_2fa/ if it can solve your problems? The required feature for this 2fa was pushed as the latest update to Fedora 24. Note that it is not using google authenticator, but pam_u2f from CERN, but it should do the same job. I didn't try that yet, but this could be a universal solution for the second factor.

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.