Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev

Match vs. ChallengeResponseAuthentication?

 

 

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded


pepper at cbio

Oct 29, 2009, 9:01 AM

Post #1 of 5 (4056 views)
Permalink
Match vs. ChallengeResponseAuthentication?

Hello,

We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.

Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be supported in this context?

Plan B is to run 2 different sshd servers on different ports, and direct users to the appropriate one via iptables, but that's much more complicated.

Thanks,

Chris

--
Chris Pepper: <http://cbio.mskcc.org/>
<http://www.extrapepperoni.com/>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Oct 29, 2009, 5:15 PM

Post #2 of 5 (3959 views)
Permalink
Re: Match vs. ChallengeResponseAuthentication? [In reply to]

On Thu, 29 Oct 2009, Chris Pepper wrote:

> Hello,
>
> We'd like to allow passwords only from the local network, and allow
> public key auth from on-campus or off-campus. The server runs SuSE Linux, and
> we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.
>
> Unfortunately, Match allows PasswordAuthentication but not
> ChallengeResponseAuthentication. Is there any reason
> ChallengeResponseAuthentication cannot be supported in this context?

If you are using SSH protocol 2 only, then you can turn off
KbdInteractiveAuthentication inside match. Otherwise, try this diff:


Index: servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.196
diff -u -p -r1.196 servconf.c
--- servconf.c 8 Oct 2009 14:03:41 -0000 1.196
+++ servconf.c 30 Oct 2009 00:13:25 -0000
@@ -333,8 +333,8 @@ static struct {
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
- { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
- { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+ { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
+ { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, /* alias */
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
@@ -1347,6 +1347,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication);
+ M_CP_INTOPT(challenge_response_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication);
M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd);
Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.109
diff -u -p -r1.109 sshd_config.5
--- sshd_config.5 8 Oct 2009 20:42:13 -0000 1.109
+++ sshd_config.5 30 Oct 2009 00:13:25 -0000
@@ -602,6 +602,7 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm Banner ,
+.Cm ChallengeResponseAuthentication ,
.Cm ChrootDirectory ,
.Cm ForceCommand ,
.Cm GatewayPorts ,

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


dtucker at zip

Oct 29, 2009, 5:55 PM

Post #3 of 5 (3952 views)
Permalink
Re: Match vs. ChallengeResponseAuthentication? [In reply to]

Damien Miller wrote:
> On Thu, 29 Oct 2009, Chris Pepper wrote:
>
>> Hello,
>>
>> We'd like to allow passwords only from the local network, and allow
>> public key auth from on-campus or off-campus. The server runs SuSE Linux, and
>> we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.
>>
>> Unfortunately, Match allows PasswordAuthentication but not
>> ChallengeResponseAuthentication. Is there any reason
>> ChallengeResponseAuthentication cannot be supported in this context?
>
> If you are using SSH protocol 2 only, then you can turn off
> KbdInteractiveAuthentication inside match. Otherwise, try this diff:

Conversely, if you're willing to require SSHv2 clients for CR-based
authentication you can turn off ChallengeResponseAuthentication globally
and enable KbdInteractiveAuthentication for v2 clients your local
networks, eg


ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Match Address 10.0.0.0/8
KbdInteractiveAuthentication yes


Originally ChallengeResponseAuthentication was omitted because it has
slightly odd semantics. In sshd.c:

/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);

/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;

If we're going to enable it we need to think through the use cases and
make sure it adheres the principle of least surprise :-)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Oct 29, 2009, 6:13 PM

Post #4 of 5 (3950 views)
Permalink
Re: Match vs. ChallengeResponseAuthentication? [In reply to]

On Fri, 30 Oct 2009, Darren Tucker wrote:

> ChallengeResponseAuthentication no
> KbdInteractiveAuthentication no
> Match Address 10.0.0.0/8
> KbdInteractiveAuthentication yes
>
>
> Originally ChallengeResponseAuthentication was omitted because it has slightly
> odd semantics. In sshd.c:
>
> /* Fill in default values for those options not explicitly set. */
> fill_default_server_options(&options);
>
> /* challenge-response is implemented via keyboard interactive */
> if (options.challenge_response_authentication)
> options.kbd_interactive_authentication = 1;
>
> If we're going to enable it we need to think through the use cases and make
> sure it adheres the principle of least surprise :-)

Good point. I just noticed that we don't document
KbdInteractiveAuthentication in sshd_config(5). Maybe we should deprecate
it by making it a pointer to ChallengeResponseAutentication like
SkeyAuthentication already is?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


pepper at cbio

Nov 2, 2009, 2:14 PM

Post #5 of 5 (3915 views)
Permalink
Re: Match vs. ChallengeResponseAuthentication? [In reply to]

Damien Miller wrote:
> On Fri, 30 Oct 2009, Darren Tucker wrote:
>
>> ChallengeResponseAuthentication no
>> KbdInteractiveAuthentication no
>> Match Address 10.0.0.0/8
>> KbdInteractiveAuthentication yes
>>
>>
>> Originally ChallengeResponseAuthentication was omitted because it has slightly
>> odd semantics. In sshd.c:
>>
>> /* Fill in default values for those options not explicitly set. */
>> fill_default_server_options(&options);
>>
>> /* challenge-response is implemented via keyboard interactive */
>> if (options.challenge_response_authentication)
>> options.kbd_interactive_authentication = 1;
>>
>> If we're going to enable it we need to think through the use cases and make
>> sure it adheres the principle of least surprise :-)
>
> Good point. I just noticed that we don't document
> KbdInteractiveAuthentication in sshd_config(5). Maybe we should deprecate
> it by making it a pointer to ChallengeResponseAutentication like
> SkeyAuthentication already is?

We don't allow v1, but I got it working on CentOS through iptables, so didn't have to build a custom sshd v5. Now I get to fight with SuSE's insane iptables implementation.

Please tell me if I said anything bogus (especially as I didn't actually test the Match configuration)!

http://www.extrapepperoni.com/post/2009/11/Conditional-%60ssh%60-Configuration%3A-%60iptables%60-%60sshd%60

Thanks much,

Chris Pepper

--
Chris Pepper: <http://cbio.mskcc.org/>
<http://www.extrapepperoni.com/>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.