Discussion:
Support for ChallengeResponseAuthentication in Match section
Alexander Afonyashin
2015-12-11 08:13:59 UTC
Hi,

I'm using 2-factor authentication (pubkey+google_authenticator) and
have an issue with rsync. It's configured to use pubkey to
authenticate to the server, so when google_authentication is bypassed by
not creating a .google_authenticator file for a particular user (thanks to
the nullok option in PAM) it still sends the "Authenticated with
partial success." message to stderr although it succeeded.

So the idea is simple: disable 2-factor authentication for a particular user/network.

Regards,
Alexander
Nico Kadel-Garcia
2015-12-12 04:37:08 UTC
On Fri, Dec 11, 2015 at 3:13 AM, Alexander Afonyashin
Post by Alexander Afonyashin
Hi,
I'm using 2-factor authentication (pubkey+google_authenticator) and
have an issue with rsync. It's configured to use pubkey to
authenticate to server so when google_authentication is bypassed by
not creating .google_authenticator file for particular user (thanks to
nullok option in PAM) it still sends to stderr "Authenticated with
partial success." message although it succeeded.
So idea is simple: disable 2-factor authentication for particular user/network.
Regards,
Alexander
Putting that access on a different port, with a different SSH daemon, is
the fastest solution.
Alexander Afonyashin
2015-12-14 06:34:39 UTC
Hi Nico,

Thanks for the idea.

Regards,
Alexander
Iain Morgan
2015-12-14 19:44:16 UTC
Post by Alexander Afonyashin
Hi,
I'm using 2-factor authentication (pubkey+google_authenticator) and
have an issue with rsync. It's configured to use pubkey to
authenticate to server so when google_authentication is bypassed by
not creating .google_authenticator file for particular user (thanks to
nullok option in PAM) it still sends to stderr "Authenticated with
partial success." message although it succeeded.
So idea is simple: disable 2-factor authentication for particular user/network.
Try KbdInteractiveAuthentication (which is supported in Match blocks)
instead of ChallengeResponseAuthentication.
--
Iain Morgan
Alexander Afonyashin
2015-12-15 13:41:49 UTC
Hi Iain,

Unfortunately it leads to "no authentication methods enabled" when it is used.

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    KbdInteractiveAuthentication no

Ssh-ing to this config under user root:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ***@work
debug1: Server accepts key: pkalg ssh-rsa blen 277
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Verification code:

Ssh-ing to this config under user backup:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Received disconnect from X.X.X.X: 2: no authentication methods enabled

Regards,
Alexander
Alexander Afonyashin
2015-12-15 13:56:20 UTC
Hi,

Finally got it working (user backup requires only pubkey to
authenticate, others - 2-way through PAM):

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    AuthenticationMethods publickey

Regards,
Alexander
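
Why the first Match attempt was rejected and the second one works, as an added example that is not part of the original posts and is not OpenSSH code: a simplified Python model of sshd skipping any AuthenticationMethods list that names a disabled method. The function names are hypothetical; only the directives shown in this thread and `Match User` are handled, and the keyboard-interactive switch is assumed to come from KbdInteractiveAuthentication if set, otherwise from ChallengeResponseAuthentication.

```python
# Simplified model (assumption, not OpenSSH source) of per-user method resolution.

def effective_options(config: str, user: str) -> dict:
    """Directives that apply to `user`: global section plus matching Match User."""
    opts, override, in_match, applies = {}, {}, False, False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, pattern = value.partition(" ")
            in_match = True
            applies = crit.lower() == "user" and user in pattern.strip().split(",")
        elif in_match:
            if applies:
                override.setdefault(key, value)  # first value wins inside Match
        else:
            opts.setdefault(key, value)          # first value wins globally
    return {**opts, **override}                  # Match settings override global

def usable_method_lists(opts: dict) -> list:
    """Keep only AuthenticationMethods lists whose methods are all enabled."""
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", "yes"))
    enabled = {"publickey": opts.get("pubkeyauthentication", "yes") == "yes",
               "keyboard-interactive": kbd == "yes"}
    lists = opts.get("authenticationmethods", "any").split()
    if lists == ["any"]:
        return [[m] for m, on in enabled.items() if on]
    return [spec.split(",") for spec in lists
            if all(enabled.get(m.split(":")[0], False) for m in spec.split(","))]

def login_outcome(config: str, user: str) -> str:
    usable = usable_method_lists(effective_options(config, user))
    if not usable:  # every list contained a disabled method
        return "no authentication methods enabled"
    return " or ".join("+".join(methods) for methods in usable)

# The two configurations posted in the thread.
GLOBAL = ("ChallengeResponseAuthentication yes\n"
          "AuthenticationMethods publickey,keyboard-interactive\n"
          "Match User backup\n")
FAILING = GLOBAL + "    KbdInteractiveAuthentication no\n"
WORKING = GLOBAL + "    AuthenticationMethods publickey\n"

if __name__ == "__main__":
    for name, cfg in (("failing", FAILING), ("working", WORKING)):
        for user in ("root", "backup"):
            print(name, user, "->", login_outcome(cfg, user))
```

On a real server the same per-user resolution can be inspected with `sshd -T -C user=backup`, which prints the effective configuration after Match blocks are applied.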
