
Bug 2115610

Summary: SSHD option KbdInteractiveAuthentication cannot be directly set without ChallengeResponseAuthentication option
Product: Red Hat Enterprise Linux 8
Reporter: Quynh Anh Pham <qpham>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 8.6
CC: jjelen, rlundgre
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2022-08-08 13:24:57 UTC
Type: Bug

Description Quynh Anh Pham 2022-08-05 02:15:27 UTC
Description of problem:
The KbdInteractiveAuthentication setting can only be adjusted by changing ChallengeResponseAuthentication in the sshd conf file.

Version-Release number of selected component (if applicable):
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021

How reproducible:
1. I made the requested changes to the /etc/ssh/sshd_config file:

root.com# grep -E "^PasswordAuthentication|^KbdInteractiveAuthentication" /etc/ssh/sshd_config
PasswordAuthentication yes
KbdInteractiveAuthentication no
root.com#

2. After restarting sshd the setting for KbdInteractiveAuthentication was still yes:

root.com# sshd -T|grep authen
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
authenticationmethods any
root.com#

So despite adding it to the conf file, the running sshd daemon does not reflect the setting, which tells me that it cannot be directly set.

3. The man entry for sshd_config indicates that KbdInteractiveAuthentication defaults to ChallengeResponseAuthentication.
So I removed the KbdInteractiveAuthentication entry that I added and changed ChallengeResponseAuthentication to be no.

root.com# grep -E "^PasswordAuthentication|^KbdInteractiveAuthentication|^ChallengeResponseAuthentication" /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication no
root.com#

4. After restarting sshd the running daemon now reports these authentication settings:

root.com# sshd -T|grep authen
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
authenticationmethods any
root.com#

Actual results:
kbdinteractiveauthentication is set to "no" for sshd authen only when ChallengeResponseAuthentication is set to be "no"

Expected results:
kbdinteractiveauthentication is set to "no" for sshd authen even when ChallengeResponseAuthentication is set to be "yes" to enable 2FA login

Additional info:
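A check for the behaviour reproduced above, added here as an example and not part of the bug report: it compares the KbdInteractiveAuthentication value an admin wrote into sshd_config with the value the daemon actually reports via `sshd -T`, applying the documented default chain (KbdInteractiveAuthentication falls back to ChallengeResponseAuthentication). The config fragments and `sshd -T` outputs below are constructed to mirror steps 1 to 4 of the report; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): does the running sshd honour the
# KbdInteractiveAuthentication value written in sshd_config? On the 8.0p1 build
# in the report the running value follows ChallengeResponseAuthentication, so the
# two can disagree; this script makes that mismatch visible instead of silent.

# Constructed inputs mirroring the report. Step 1 config / step 2 `sshd -T`:
CONFIG_STEP1='PasswordAuthentication yes
KbdInteractiveAuthentication no'
RUNNING_STEP2='passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes'
# Step 3 config / step 4 `sshd -T`:
CONFIG_STEP3='PasswordAuthentication yes
ChallengeResponseAuthentication no'
RUNNING_STEP4='passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no'

# lookup TEXT KEY: value of the first non-comment line whose keyword matches KEY,
# compared case-insensitively (sshd keeps the first occurrence of a keyword;
# `sshd -T` prints keywords in lower case). Prints nothing when KEY is absent.
lookup() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == key { print tolower($2); exit }'
}

# intended_kbd CONFIG: what the admin asked for, following the man page default
# chain KbdInteractiveAuthentication -> ChallengeResponseAuthentication -> yes.
intended_kbd() {
    v=$(lookup "$1" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(lookup "$1" ChallengeResponseAuthentication)
    printf '%s\n' "${v:-yes}"
}

# check_kbd_interactive CONFIG RUNNING: returns 0 when the daemon honours the
# intended value, 1 when it does not. On a live host feed it
# "$(cat /etc/ssh/sshd_config)" and "$(sshd -T)".
check_kbd_interactive() {
    want=$(intended_kbd "$1")
    have=$(lookup "$2" kbdinteractiveauthentication)
    cra=$(lookup "$2" challengeresponseauthentication)
    if [ "$want" = "$have" ]; then
        echo "ok: kbdinteractiveauthentication=$have"
        return 0
    fi
    echo "MISMATCH: intended $want, running $have (challengeresponseauthentication=$cra)"
    return 1
}
```

Run against the step 1/2 pair the check fails, reproducing the report; against the step 3/4 pair it passes.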

Comment 1 Runar Lundgren 2022-08-08 04:08:32 UTC
Additional information supplied by the customer:

When sshd_config has ChallengeResponseAuthentication set to yes and the PAM stack for sshd includes pam_env and pam_sss modules then any environment variables that the pam_env pam entries configure for the user shell do not get applied to the shell once authentication via sss completes.

The setting of environment variables by sshd should not be controlled by the ChallengeResponseAuthentication setting.

Comment 2 Dmitry Belyavskiy 2022-08-08 13:24:57 UTC
As documented in the release notes, until OpenSSH 8.6 ChallengeResponseAuthentication was an option remaining from SSHv1; KbdInteractiveAuthentication is newly defined in SSHv2 (RFC4256), and they were treated as somewhat but not entirely equivalent. Since OpenSSH 8.6+ (present in RHEL 9) ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication, so the fix you propose seems not worth implementing.