+++ This bug was initially created as a clone of Bug #869903 +++

Description of problem:

I have set up some critical machines to use publickey + password authentication. I have done this by adding the following to /etc/ssh/sshd_config:

    RequiredAuthentications2 publickey,password

I have certain hosts that run automated tasks that require JUST publickey auth. As such, these scripts are currently broken. I have set up a Match block as follows:

    Match Address !1.2.3.4/32,*
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey,password

This should allow publickey auth (as the default) to the specific hosts excluded, and require publickey + password for all other hosts.

When trying to run a script that uses a public key, I get the following returned:

    Authenticated with partial success.
    Permission denied (password).

The documentation in 'man sshd_config' shows:

    Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AllowAgentForwarding, AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, KerberosUseKuserok, MaxAuthTries, MaxSessions, PubkeyAuthentication, AuthorizedKeysCommand, AuthorizedKeysCommandRunAs, PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, RequiredAuthentications1, RequiredAuthentications2, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding and X11UseLocalHost.

This configuration should therefore work.
Version-Release number of selected component (if applicable):

    # rpm -qa | grep openssh
    openssh-5.3p1-81.el6.x86_64
    openssh-clients-5.3p1-81.el6.x86_64
    openssh-server-5.3p1-81.el6.x86_64

--- Additional comment from netwiz.au on 2012-10-25 02:21:05 EDT ---

As a side note, I have also tried matching the single address and using "RequiredAuthentications2 publickey", however I still get a rejection stating further auth was required (password). Config also tested:

    RequiredAuthentications2 publickey,password
    Match Address 1.2.3.4/32
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey
This is also present on F18 using:

    # rpm -qa | grep openssh
    openssh-6.1p1-2.fc18.x86_64
    openssh-clients-6.1p1-2.fc18.x86_64
    openssh-server-6.1p1-2.fc18.x86_64
While I'm not 100% sure of the syntax here, I've also tried the following config:

    Match Address 203.56.246.89
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey
    Match Address *
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey,password

This has no effect and anyone can log in via public key only.
Further to this.... If I disable all auth in the main config, then have the following:

    PasswordAuthentication no
    PubkeyAuthentication no
    Match Address 203.56.246.89
        PubkeyAuthentication yes
        RequiredAuthentications2 publickey
    Match Address *
        PasswordAuthentication yes
        PubkeyAuthentication yes
        RequiredAuthentications2 publickey,password

This gives me the result of:

    # /etc/init.d/sshd restart
    Stopping sshd: [FAILED]
    Starting sshd: /etc/ssh/sshd_config line 147: Invalid required authentication list

Line 147 is the first RequiredAuthentications2 statement.

Interestingly, the docs show that PasswordAuthentication and PubkeyAuthentication ARE supported keywords in a match block, i.e.:

    Only a subset of keywords may be used on the lines following a Match keyword. .... PubkeyAuthentication .... PasswordAuthentication ..... RequiredAuthentications1, RequiredAuthentications2 .... etc

Maybe it's something more than just the RequiredAuthentications2 keyword being broken?
Full reproduction steps:

1) Take a working SSH server config with working public key auth.

2) Edit /etc/ssh/sshd_config and place the following near the Authentication block:

    RequiredAuthentications2 publickey,password

3) Save and restart sshd. Verify that you get prompted for a password after successful public key auth. Results should be something like:

    $ ssh root.here
    Authenticated with partial success.
    root.here's password:
    Last login: Tue Nov 6 16:47:35 2012 from your.last.login.host
    [root@test ~]#

4) Add a Match block to allow auth with ONLY publickey authentication to /etc/ssh/sshd_config. Replace xxx with the IP address of your machine:

    Match Address xxx.xxx.xxx.xxx
        RequiredAuthentications2 publickey

5) Save and restart sshd. Verify that you are still prompted for a password - even though publickey authentication was successful.

    $ ssh root.here
    Authenticated with partial success.
    root.here's password:

At this point, login should proceed with ONLY a public key from the host listed. This is not currently the case.
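As an added illustration (not part of the report or of OpenSSH's code), here is a small Python model of the documented Match Address semantics that the reporter relies on: CIDR and glob entries, "!" negation as in the !1.2.3.4/32,* list from the first comment, and "first matching Match block that sets a keyword wins, otherwise the main section's value". Running it against a constructed config shows the per-source RequiredAuthentications2 value the reproducer expects and the patched build in this thread was tested for; it models only Match Address, not User/Group/Host criteria.

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment modelled on the report: main section
# requires both methods, one Match block relaxes that for one automation host.
SAMPLE_CONFIG = """
RequiredAuthentications2 publickey,password
Match Address 10.1.2.3/32
    RequiredAuthentications2 publickey
"""

def parse_config(text):
    """Split sshd_config into (main options, [(address patterns, options)]); only 'Match Address' is modelled."""
    main, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            current = {}
            blocks.append((value.split(None, 1)[1].split(","), current))
        else:
            (main if current is None else current)[key.lower()] = value
    return main, blocks

def address_matches(addr, patterns):
    """sshd addr_match_list rules: CIDR or glob per entry, '!' negates, and a negated hit rejects the block outright."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for pat in patterns:
        neg = pat.startswith("!")
        pat = pat.lstrip("!")
        if "/" in pat:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and neg:
            return False
        matched = matched or hit
    return matched

def effective_option(text, addr, option):
    """First matching Match block that sets the option wins, else main's value."""
    main, blocks = parse_config(text)
    for patterns, opts in blocks:
        if address_matches(addr, patterns) and option.lower() in opts:
            return opts[option.lower()]
    return main.get(option.lower())
```

On a live host the authoritative check is sshd's own dump, sshd -T -C addr=10.1.2.3, which prints the effective configuration for that source address.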
Thanks for the report and reproducer. I'm able to reproduce this issue and I'm working on a fix. I'd also like to adopt an upstream version of the "required authentication" feature so that it should be possible to use the fixed RequiredAuthentications2 method or AuthenticationMethods from upstream. I will also add a warning that "RequiredAuthentications2" will be obsoleted in the next Fedora release since it's a dead end and upstream has used another approach.
There are two bugs. A RequiredAuthentications2 value is not stored in a Match block. And even if it was stored, it wouldn't be copied from the Match sub config to the main config. Both are fixed in this [1] scratch build. Please test if this build fixes your issue.

[1] http://plautrba.fedorapeople.org/openssh/872608/
Hi Petr, I don't have any operating Fedora 18 systems to play with at the moment - my previous testing was a temporary VM - however I have *plenty* of EL6.3 systems to play with. Is it possible to get an el6 build of this to test as well? Maybe attached to #869903? - as that is the original that I cloned for this bug against F18.
I just tested these on a Fedora 18 install. It now works correctly. Tested using the following config:

    RequiredAuthentications2 publickey,password
    Match Address 10.1.2.3/32
        X11Forwarding no
        AllowTcpForwarding no
        RequiredAuthentications2 publickey

Connections from that host correctly use publickey only - other hosts use BOTH publickey and password as expected.
http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f18&id=20d541d7285f34dca1958bb9b1dbc78f81c9738e
openssh-5.9p1-28.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/openssh-5.9p1-28.fc17
Package openssh-5.9p1-28.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing openssh-5.9p1-28.fc17'

as soon as you are able to. Please go to the following url:

    https://admin.fedoraproject.org/updates/FEDORA-2012-19252/openssh-5.9p1-28.fc17

then log in and leave karma (feedback).
openssh-6.1p1-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/openssh-6.1p1-3.fc18
openssh-6.1p1-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
openssh-5.9p1-28.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.