Bug 2115610

Summary:	SSHD option KbdInteractiveAuthentication cannot be directly set without ChallengeResponseAuthentication option
Product:	Red Hat Enterprise Linux 8	Reporter:	Quynh Anh Pham <qpham>
Component:	openssh	Assignee:	Dmitry Belyavskiy <dbelyavs>
Status:	CLOSED WONTFIX	QA Contact:	BaseOS QE Security Team <qe-baseos-security>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	8.6	CC:	jjelen, rlundgre
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-08-08 13:24:57 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Quynh Anh Pham 2022-08-05 02:15:27 UTC

Description of problem:
the KbdInteractiveAuthentication setting can only be adjusted by changing ChallengeResponseAuthentication in the sshd conf file

Version-Release number of selected component (if applicable):
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021

How reproducible:
1. I made the requested changes to the /etc/ssh/sshd_config file


root.com# grep -E "^PasswordAuthentication|^KbdInteractiveAuthentication" /etc/ssh/sshd_config
PasswordAuthentication yes
KbdInteractiveAuthentication no
root.com#

2. After restarting sshd the setting for KbdInteractiveAuthentication was still yes:


root.com# sshd -T|grep authen
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
authenticationmethods any
root.com#

So despite adding it to the conf file the running sshd daemon does not reflect the setting, which tells me that it cannot be directly set.


3. The man entry for sshd_config indicates that KbdInteractiveAuthentication defaults to ChallengeResponseAuthentication.
So I removed the KbdInteractiveAuthentication  entry that I added and changed ChallengeResponseAuthentication to be no.


root.com# grep -E "^PasswordAuthentication|^KbdInteractiveAuthentication|^ChallengeResponseAuthentication" /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication no
root.com#

4. After re-starting sshd the running daemon now reports these authentication settings:


root.com# sshd -T|grep authen
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
authenticationmethods any
root.com#

Actual results:
kbdinteractiveauthentication is set to "no" for sshd authen only when ChallengeResponseAuthentication is set to be "no"

Expected results:
kbdinteractiveauthentication is set to "no" for sshd authen even when ChallengeResponseAuthentication is set to be "yes" to enable 2FA login

Additional info:

Comment 1 Runar Lundgren 2022-08-08 04:08:32 UTC

Additional information supplied by the customer:

When sshd_config has ChallengeResponseAuthentication set to yes and the PAM stack for sshd includes pam_env and pam_sss modules then any environment variables that the pam_env pam entries configure for the user shell do not get applied to the shell once authentication via sss completes.

The setting of environment variables by sshd should not be controlled by the ChallengeResponseAuthentication setting.

Comment 2 Dmitry Belyavskiy 2022-08-08 13:24:57 UTC

As documented in release notes, till OpenSSH 8.6 ChallengeResponseAuthentication was an option remaining from SSHv1, the KbdInteractiveAuthentication is newly defined in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. Since OpenSSH 8.6+ (present in RHEL 9) ChallengeResponseAuthentication is an alias to KbdInteractiveAuthentication, so the fix you propose seems not worth implementing.