Bug 2502 - using AuthenticationMethods to require s/key and pam doesn't work
Summary: using AuthenticationMethods to require s/key and pam doesn't work
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.1p1
Hardware: amd64 Linux
Importance: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_7_2
Reported: 2015-11-20 08:42 AEDT by Kevin Korb
Modified: 2016-08-02 10:41 AEST

Description Kevin Korb 2015-11-20 08:42:34 AEDT
If I put in sshd_config:
UsePAM yes
AuthenticationMethods keyboard-interactive:skey,keyboard-interactive:pam
ChallengeResponseAuthentication yes
(PasswordAuthentication yes or no doesn't matter)

I would expect to be prompted for an s/key challenge and then for whatever is supported by PAM. The intention is to make PAM require Google Authenticator, but I have tried this with Gentoo's stock password setup too.

When I connect I get partial authentication success from s/key, but then the server hangs up on me. When I put sshd in debug mode I get this:
...
debug1: authentication methods list 0: keyboard-interactive:skey,keyboard-interactive:pam
debug1: authentication methods list 0: keyboard-interactive:skey,keyboard-interactive:pam [preauth]
debug1: PAM: initializing for "kmk"
debug1: PAM: setting PAM_RHOST to "172.22.100.17"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user kmk service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=kmk devs= [preauth]
debug1: kbdint_alloc: devices 'pam,skey' [preauth]
debug1: auth2_challenge_start: trying authentication method 'skey' [preauth]
Postponed keyboard-interactive for kmk from 172.22.100.17 port 56339 ssh2 [preauth]
auth2_update_methods_lists: method not in AuthenticationMethods
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 1596

I see in the source above that error message:
/* This should not happen, but would be bad if it did */
So maybe this is an unhandled use case?
Comment 1 Kevin Korb 2015-11-20 10:13:09 AEDT
I worked with feandil_ in IRC on this issue, and he came up with this patch, which appears to solve my problem:
--- a/monitor.c
+++ b/monitor.c
@@ -1044,7 +1044,8 @@ mm_answer_skeyrespond(int sock, Buffer *m)
        debug3("%s: sending authenticated: %d", __func__, authok);
        mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);

-       auth_method = "skey";
+       auth_method = "keyboard-interactive";
+       auth_submethod = "skey";

        return (authok != 0);
 }
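Review bot: the two replacement lines fit the failure shown in the description: auth2_update_methods_lists matches the name the monitor reports against the entries in AuthenticationMethods, and "skey" is a submethod of keyboard-interactive rather than a method of its own, so the old `auth_method = "skey";` could never match the configured `keyboard-interactive:skey` and the monitor aborted with "method not in AuthenticationMethods". Because mm_answer_skeyrespond runs in the privileged monitor, this also accounts for the problem disappearing when UsePrivilegeSeparation is off. Worth checking that the PAM response handler in the same file reports auth_method and auth_submethod the same way, since the second entry in the reported configuration is keyboard-interactive:pam.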

Also, we discovered that the problem doesn't happen if UsePrivilegeSeparation is off.
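The matching rule behind the "method not in AuthenticationMethods" line, as an added Python model (not OpenSSH code; it is a simplified, assumed rendering of what auth2_update_methods_lists does): a bare entry such as `keyboard-interactive` matches any submethod, a `method:submethod` entry needs both parts, and a reported result that heads none of the lists is the fatal case. It also replays a two-list directive to show the general behaviour.

```python
from __future__ import annotations

def parse_methods(directive: str) -> list[list[str]]:
    """Split an AuthenticationMethods value into its alternative lists.
    Each space-separated group is one list; each list is a comma-separated
    sequence of "method" or "method:submethod" entries, satisfied in order."""
    return [group.split(",") for group in directive.split()]

def entry_matches(entry: str, method: str, submethod: str | None) -> bool:
    """A bare entry ("keyboard-interactive") matches any submethod;
    a qualified entry ("keyboard-interactive:skey") needs both parts."""
    if ":" not in entry:
        return entry == method
    name, sub = entry.split(":", 1)
    return name == method and sub == submethod

def update_methods(lists: list[list[str]], method: str,
                   submethod: str | None) -> str:
    """Record one successful authentication (modifies `lists` in place).
    "authenticated": some list is now complete; "partial": more required;
    "error": the reported method heads no list (sshd's fatal case)."""
    found = False
    for lst in lists:
        if lst and entry_matches(lst[0], method, submethod):
            lst.pop(0)
            found = True
            if not lst:
                return "authenticated"
    return "partial" if found else "error"

def run(directive: str,
        successes: list[tuple[str, str | None]]) -> list[str]:
    """Replay successful (method, submethod) results until a final outcome."""
    lists = parse_methods(directive)
    outcomes: list[str] = []
    for method, submethod in successes:
        outcomes.append(update_methods(lists, method, submethod))
        if outcomes[-1] != "partial":
            break
    return outcomes

# The directive from the bug report.
DIRECTIVE = "keyboard-interactive:skey,keyboard-interactive:pam"

if __name__ == "__main__":
    # Before the patch the monitor reported plain "skey" as the method.
    print(run(DIRECTIVE, [("skey", None)]))
    # After the patch it reports keyboard-interactive with submethod skey.
    print(run(DIRECTIVE, [("keyboard-interactive", "skey"),
                          ("keyboard-interactive", "pam")]))
```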
Comment 2 Damien Miller 2015-11-20 12:47:50 AEDT
Patch applied: 

https://anongit.mindrot.org/openssh.git/commit/?id=ac9473580dcd401f8281305af98635cdaae9bf96

This will be in OpenSSH 7.2 - thanks!
Comment 3 Kevin Korb 2015-11-21 05:45:23 AEDT
Excellent.  Thank you.
Comment 4 Damien Miller 2016-08-02 10:41:53 AEST
Close all resolved bugs after 7.3p1 release