Bug 872608

Summary: RequiredAuthentications2 does not work in Match blocks as documented.
Product: Fedora
Reporter: Steven Haigh <netwiz>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 18
CC: mattias.ellert, mgrepl, netwiz, plautrba, tmraz
Hardware: All
OS: Linux
URL: https://bugzilla.mindrot.org/show_bug.cgi?id=983
Doc Type: Bug Fix
Clone Of: 869903
Type: Bug
Last Closed: 2012-12-06 22:28:59 EST

Description Steven Haigh 2012-11-02 10:43:00 EDT
+++ This bug was initially created as a clone of Bug #869903 +++

Description of problem:
I have set up some critical machines to use publickey + password authentication. I have done this by adding the following to /etc/ssh/sshd_config:
        RequiredAuthentications2 publickey,password

I have certain hosts that run automated tasks that require JUST publickey auth. As such, these scripts are currently broken.

I have set up a Match block as follows:
Match Address !1.2.3.4/32,*
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey,password

This should allow publickey auth (as the default) to the specific hosts excluded, and require publickey + password for all other hosts.

When trying to run a script that uses a public key, I get the following returned:
Authenticated with partial success.
Permission denied (password).

The documentation in 'man sshd_config' shows:
             Only a subset of keywords may be used on the lines following a Match keyword.  Available keywords
             are AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, GatewayPorts,
             GSSAPIAuthentication, HostbasedAuthentication, KbdInteractiveAuthentication,
             KerberosAuthentication, KerberosUseKuserok, MaxAuthTries, MaxSessions, PubkeyAuthentication,
             AuthorizedKeysCommand, AuthorizedKeysCommandRunAs, PasswordAuthentication, PermitEmptyPasswords,
             PermitOpen, PermitRootLogin, RequiredAuthentications1, RequiredAuthentications2,
             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding and X11UseLocalHost.

This configuration should therefore work.

Version-Release number of selected component (if applicable):
# rpm -qa | grep openssh
openssh-5.3p1-81.el6.x86_64
openssh-clients-5.3p1-81.el6.x86_64
openssh-server-5.3p1-81.el6.x86_64

--- Additional comment from netwiz@crc.id.au on 2012-10-25 02:21:05 EDT ---

As a side note, I have also tried matching the single address and using "RequiredAuthentications2 publickey", however I still get a rejection stating further auth was required (password).

Config also tested:

RequiredAuthentications2 publickey,password

Match Address 1.2.3.4/32
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey
Comment 1 Steven Haigh 2012-11-02 10:44:14 EDT
This is also present on F18 using:

# rpm -qa | grep openssh
openssh-6.1p1-2.fc18.x86_64
openssh-clients-6.1p1-2.fc18.x86_64
openssh-server-6.1p1-2.fc18.x86_64
Comment 2 Steven Haigh 2012-11-04 23:49:42 EST
While I'm not 100% sure of the syntax here, I've also tried the following config:

Match Address 203.56.246.89
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey

Match Address *
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey,password

This has no effect and anyone can log in via public key only.
Comment 3 Steven Haigh 2012-11-07 00:46:02 EST
Further to this.... If I disable all auth in the main config, then have the following:

PasswordAuthentication no
PubkeyAuthentication no

Match Address 203.56.246.89
        PubkeyAuthentication yes
        RequiredAuthentications2 publickey

Match Address *
        PasswordAuthentication yes
        PubkeyAuthentication yes
        RequiredAuthentications2 publickey,password

This gives me the result of:
# /etc/init.d/sshd restart
Stopping sshd:                                             [FAILED]
Starting sshd: /etc/ssh/sshd_config line 147: Invalid required authentication list

Line 147 is the first RequiredAuthentications2 statement.

Interestingly, the docs show that PasswordAuthentication and PubkeyAuthentication ARE supported keywords in a match block.

ie:
Only a subset of keywords may be used on the lines following a Match keyword. .... PubkeyAuthentication .... PasswordAuthentication ..... RequiredAuthentications1, RequiredAuthentications2 .... etc

Maybe it's something more than just the RequiredAuthentications2 keyword being broken?
Comment 4 Steven Haigh 2012-11-07 01:06:07 EST
Full reproduction steps:

1) Take a working SSH server config with working public key auth.
2) Edit /etc/ssh/sshd_config and place the following near the Authentication block:
       RequiredAuthentications2 publickey,password

3) Save and restart sshd. Verify that you get prompted for a password after successful public key auth. Results should be something like:

$ ssh root@test.server.here
Authenticated with partial success.
root@test.server.here's password:
Last login: Tue Nov  6 16:47:35 2012 from your.last.login.host
[root@test ~]#

4) Add a Match block to allow auth with ONLY publickey authentication to /etc/ssh/sshd_config. Replace xxx with the IP address of your machine:

Match Address xxx.xxx.xxx.xxx
        RequiredAuthentications2 publickey

5) Save and restart sshd. Verify that you are still prompted for a password - even though publickey authentication was successful.

$ ssh root@test.server.here
Authenticated with partial success.
root@test.server.here's password:

At this point, login should proceed with ONLY a public key from the host listed. This is not currently the case.
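The reproducer above hinges on how sshd resolves a keyword for a given client: the first Match block whose criteria are satisfied and that sets the keyword wins, otherwise the global value applies, otherwise the compiled-in default. The following is an added example written for this page (it is not code from the bug reporter, the Fedora package or OpenSSH) that models that resolution for the Address criterion only, so the configurations discussed here can be checked for their intended effect independently of the broken build. It assumes a simplified reading of sshd's address-list matching (a negated entry that matches rejects the whole list, a positive match is kept while the remaining entries are still scanned, and a non-CIDR entry such as "*" is matched as a wildcard); the two configs embedded in it are constructed from the ones in this report, the second using the upstream AuthenticationMethods keyword that Comment 5 refers to.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed config: the form tested in Comment 8 (global rule, one Match
# block that relaxes it for a single automation host).
SSHD_CONFIG_REQUIRED_AUTH = """
PasswordAuthentication yes
PubkeyAuthentication yes
RequiredAuthentications2 publickey,password

Match Address 10.1.2.3/32
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey
"""

# Constructed config: the negated form from the original description, using
# the upstream keyword. 1.2.3.4 is excluded from the Match block and so falls
# back to the default (no second factor); everyone else needs both.
SSHD_CONFIG_AUTH_METHODS = """
Match Address !1.2.3.4/32,*
        AuthenticationMethods publickey,password
"""


def parse_sshd_config(text):
    """Split sshd_config text into (global_opts, [(criteria, opts), ...]).

    Keywords are case-insensitive and, as in sshd, the first value seen for a
    keyword within a section is the one that counts.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()  # "Address 10.1.2.3/32" -> criterion/pattern pairs
            criteria = {n.lower(): p for n, p in zip(tokens[0::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)
    return global_opts, blocks


def address_matches(addr, pattern_list):
    """Model of a Match Address list (assumption: simplified sshd semantics).

    Entries are comma-separated; a leading '!' negates. A matching negated
    entry rejects the list at once; a matching positive entry is remembered.
    Entries that are not an address/CIDR are tried as wildcard patterns.
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern_list.split(","):
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            hit = fnmatchcase(addr, entry)  # e.g. "*"
        if hit:
            if negate:
                return False
            matched = True
    return matched


def effective_option(config_text, client_addr, keyword):
    """Value of `keyword` for a connection from `client_addr`, or None if
    neither a matching Match block nor the global section sets it."""
    global_opts, blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        unsupported = set(criteria) - {"address"}
        if unsupported:  # only the Address criterion is modelled here
            raise ValueError("unsupported Match criteria: %s" % sorted(unsupported))
        if not address_matches(client_addr, criteria["address"]):
            continue
        if keyword in opts:
            return opts[keyword]
    return global_opts.get(keyword)


if __name__ == "__main__":
    for cfg, kw in ((SSHD_CONFIG_REQUIRED_AUTH, "RequiredAuthentications2"),
                    (SSHD_CONFIG_AUTH_METHODS, "AuthenticationMethods")):
        for addr in ("10.1.2.3", "1.2.3.4", "192.0.2.7"):
            print("%-25s %-10s -> %s" % (kw, addr, effective_option(cfg, addr, kw)))
```

Against a real server the same question is answered by sshd's extended test mode, e.g. `sshd -T -C user=root,host=client.example,addr=10.1.2.3`, which prints the configuration as it would apply to that connection; before the fix described later in this report that output is the quickest way to see that the Match block's RequiredAuthentications2 value is not being carried over.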
Comment 5 Petr Lautrbach 2012-11-07 11:30:39 EST
Thanks for the report and reproducer. I'm able to reproduce this issue and I'm working on a fix.

I'd also like to adopt an upstream version of the "required authentication" feature so that it should be possible to use either the fixed RequiredAuthentications2 method or AuthenticationMethods from upstream. I will also add a warning that "RequiredAuthentications2" will be obsoleted in the next Fedora release since it's a dead end and upstream has used another approach.
Comment 6 Petr Lautrbach 2012-11-08 08:39:31 EST
There are two bugs. A RequiredAuthentications2 value is not stored in a Match block. And even if it was stored, it wouldn't be copied from the Match sub config to the main config.

Both are fixed in this [1] scratch build. Please test if this build fixes your issue.

[1] http://plautrba.fedorapeople.org/openssh/872608/
Comment 7 Steven Haigh 2012-11-08 08:52:19 EST
Hi Petr,

I don't have any operating Fedora 18 systems to play with at the moment - my previous testing was a temporary VM - however I have *plenty* of EL6.3 systems to play with. Is it possible to get an el6 build of this to test as well?

Maybe attached to #869903? - as that is the original that I cloned for this bug against F18.
Comment 8 Steven Haigh 2012-11-11 01:32:22 EST
I just tested these on a Fedora 18 install. It now works correctly.

Tested using the following config:

RequiredAuthentications2 publickey,password

Match Address 10.1.2.3/32
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey

Connections from that host correctly use publickey only - other hosts use BOTH publickey and password as expected.
Comment 10 Fedora Update System 2012-11-26 11:13:30 EST
openssh-5.9p1-28.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openssh-5.9p1-28.fc17
Comment 11 Fedora Update System 2012-11-28 06:47:50 EST
Package openssh-5.9p1-28.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-5.9p1-28.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19252/openssh-5.9p1-28.fc17
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2012-12-03 05:21:34 EST
openssh-6.1p1-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openssh-6.1p1-3.fc18
Comment 13 Fedora Update System 2012-12-06 02:22:33 EST
openssh-6.1p1-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-12-06 22:29:02 EST
openssh-5.9p1-28.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.