Red Hat Bugzilla – Full Text Bug Listing
|Summary:||RequiredAuthentications2 does not work in Match blocks as documented.|
|Product:||[Fedora] Fedora||Reporter:||Steven Haigh <netwiz>|
|Component:||openssh||Assignee:||Petr Lautrbach <plautrba>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||18||CC:||mattias.ellert, mgrepl, netwiz, plautrba, tmraz|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-12-06 22:28:59 EST||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Steven Haigh 2012-11-02 10:43:00 EDT
+++ This bug was initially created as a clone of Bug #869903 +++ Description of problem: I have set up some critical machines to use publickey + password authentication. I have done this by adding the following to /etc/ssh/sshd_config: RequiredAuthentications2 publickey,password I have certain hosts that run automated tasks that require JUST publickey auth. As such, these scripts are currently broken. I have set up a Match block as follows: Match Address !220.127.116.11/32,* X11Forwarding no AllowTcpForwarding no RequiredAuthentications2 publickey,password This should allow publickey auth (as the default) to the specific hosts excluded, and require publickey + password for all other hosts. When trying to run a script that uses a public key, I get the following returned: Authenticated with partial success. Permission denied (password). The documentation in 'man sshd_config' shows: Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, KerberosUseKuserok, MaxAuthTries, MaxSessions, PubkeyAuthentication, AuthorizedKeysCommand, AuthorizedKeysCommandRunAs, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, RequiredAuthentications1, RequiredAuthentications2, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding and X11UseLocalHost. This configuration should therefore work. Version-Release number of selected component (if applicable): # rpm -qa | grep openssh openssh-5.3p1-81.el6.x86_64 openssh-clients-5.3p1-81.el6.x86_64 openssh-server-5.3p1-81.el6.x86_64 --- Additional comment from firstname.lastname@example.org on 2012-10-25 02:21:05 EDT --- As a side note, I have also tried matching the single address and using "RequiredAuthentications2 publickey", however I still get a rejection stating further auth was required (password). Config also tested: RequiredAuthentications2 publickey,password Match Address 18.104.22.168/32 X11Forwarding no AllowTcpForwarding no RequiredAuthentications2 publickey
Comment 1 Steven Haigh 2012-11-02 10:44:14 EDT
This is also present on F18 using: # rpm -qa | grep openssh openssh-6.1p1-2.fc18.x86_64 openssh-clients-6.1p1-2.fc18.x86_64 openssh-server-6.1p1-2.fc18.x86_64
Comment 2 Steven Haigh 2012-11-04 23:49:42 EST
While I'm not 100% sure of the syntax here, I've also tried the following config: Match Address 22.214.171.124 X11Forwarding no AllowTcpForwarding no RequiredAuthentications2 publickey Match Address * X11Forwarding no AllowTcpForwarding no RequiredAuthentications2 publickey,password This has no effect any anyone can log in via public key only.
Comment 3 Steven Haigh 2012-11-07 00:46:02 EST
Further to this.... If I disable all auth in the main config, then have the following: PasswordAuthentication no PubkeyAuthentication no Match Address 126.96.36.199 PubkeyAuthentication yes RequiredAuthentications2 publickey Match Address * PasswordAuthentication yes PubkeyAuthentication yes RequiredAuthentications2 publickey,password This gives me the result of: # /etc/init.d/sshd restart Stopping sshd: [FAILED] Starting sshd: /etc/ssh/sshd_config line 147: Invalid required authentication list Line 147 is the first RequiredAuthentications2 statment. Interestingly, the docs show that PasswordAuthentication and PubkeyAuthentication ARE supported keywords in a match block. ie: Only a subset of keywords may be used on the lines following a Match keyword. .... PubkeyAuthentication .... PasswordAuthentication ..... RequiredAuthentications1, RequiredAuthentications2 .... etc Maybe its something more than just the RequiredAuthentications2 keyword being broken?
Comment 4 Steven Haigh 2012-11-07 01:06:07 EST
Full reproduction steps: 1) Take a working SSH server config with working public key auth. 2) Edit /etc/ssh/sshd_config and place the following near the Authentication block: RequiredAuthentications2 publickey,password 3) Save and restart sshd. Verify that you get prompted for a password after successful public key auth. Results should be something like: $ ssh email@example.com Authenticated with partial success. firstname.lastname@example.org's password: Last login: Tue Nov 6 16:47:35 2012 from your.last.login.host [root@test ~]# 4) Add a Match block to allow auth with ONLY publickey authentication to /etc/ssh/sshd_config. Replace xxx with the IP address of your machine: Match Address xxx.xxx.xxx.xxx RequiredAuthentications2 publickey 5) Save and restart sshd. Verify that you are still prompted for a password - even though publickey authentication was successful. $ ssh email@example.com Authenticated with partial success. firstname.lastname@example.org's password: At this point, login should proceed with ONLY a public key from the host listed. This is not currently the case.
Comment 5 Petr Lautrbach 2012-11-07 11:30:39 EST
Thanks for the report and reproducer. I'm able to reproduce this issue and I'm working on a fix. I'd like also to adopt an upstream version of the "required authentication" feature so that it should be possible to use fixed RequiredAuthentications2 method or AuthenticationMethods from the upstream. I will also add warning that "RequiredAuthentications2" will be obsoleted in next fedora release since it's a dead end and the upstream has used another approach.
Comment 6 Petr Lautrbach 2012-11-08 08:39:31 EST
There are two bugs. A RequiredAuthentications2 value is not stored in a Match block. And even if it was stored, it wouldn't be copied from Match sub config to main config. Both are fixed in this  scratch build. Please test if this build fixes your issue.  http://plautrba.fedorapeople.org/openssh/872608/
Comment 7 Steven Haigh 2012-11-08 08:52:19 EST
Hi Petr, I don't have any operating Fedora 18 systems to play with at the moment - my previous testing was a temporary VM - however I have *plenty* of EL6.3 systems to play with. Is it possible to get an el6 build of this to test as well? Maybe attached to #869903? - as that is the original that I cloned for this bug against F18.
Comment 8 Steven Haigh 2012-11-11 01:32:22 EST
I just tested these on a Fedora 18 install. It now works correctly. Tested using the following config: RequiredAuthentications2 publickey,password Match Address 10.1.2.3/32 X11Forwarding no AllowTcpForwarding no RequiredAuthentications2 publickey Connections from that host correctly use publickey only - other hosts use BOTH publickey and password as expected.
Comment 9 Petr Lautrbach 2012-11-12 08:36:28 EST
Comment 10 Fedora Update System 2012-11-26 11:13:30 EST
openssh-5.9p1-28.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/openssh-5.9p1-28.fc17
Comment 11 Fedora Update System 2012-11-28 06:47:50 EST
Package openssh-5.9p1-28.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openssh-5.9p1-28.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19252/openssh-5.9p1-28.fc17 then log in and leave karma (feedback).
Comment 12 Fedora Update System 2012-12-03 05:21:34 EST
openssh-6.1p1-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/openssh-6.1p1-3.fc18
Comment 13 Fedora Update System 2012-12-06 02:22:33 EST
openssh-6.1p1-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-12-06 22:29:02 EST
openssh-5.9p1-28.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.