Bug 3257 - PasswordAuthentication is no, but still accepts password
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 8.4p1
Hardware: Other Linux
Importance: P5 major
Assignee: Assigned to nobody
Reported: 2021-01-31 15:57 AEDT by gqqnb2005
Modified: 2021-03-04 09:54 AEDT

Description gqqnb2005 2021-01-31 15:57:23 AEDT
$ sudo sshd -d -T -C user=gqqnbig | grep passwordauthentication
debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1f  31 Mar 2020
debug1: user qiqig matched group list certificateLoginOnly at line 2

sshd tells me that if gqqnbig logs in, passwordauthentication is no.


Then I use psftp to log in with password. It succeeds.

> psftp qiqig@172.25.9.11
Using username "gqqnbig".
gqqnbig@172.25.9.11's password:
Remote working directory is /home/gqqnbig


I use default /etc/ssh/sshd_config, but I add certificateLoginOnly.conf in sshd_config.d.

$ cat /etc/ssh/sshd_config.d/certificateLoginOnly.conf
# Example of overriding settings on a per-user basis
Match Group certificateLoginOnly
     PasswordAuthentication  no


If I move the Match block to sshd_config, I can no longer use password to log in.
Comment 1 Damien Miller 2021-02-01 10:16:39 AEDT
I'm unable to replicate this. Could you please attach a debug log from sshd? (Try "/path/to/sshd -ddd")
Comment 2 Darren Tucker 2021-02-01 11:03:59 AEDT
(In reply to gqqnb2005 from comment #0)
[...]
> I use default /etc/ssh/sshd_config, but I add
> certificateLoginOnly.conf in  sshd_config.d.

The default sshd_config supplied by the OpenSSH team does not contain any Include directives.

Showing the relevant parts of the configs would be useful, in particular any instances of PasswordAuthentication in the main config, any other Include statements and whether or not the included files contain PasswordAuthentication directives.
Comment 3 gqqnb2005 2021-02-01 18:11:23 AEDT
It's my bad. I have two sshd, one is 8.4 and the other is 8.2.
Comment 4 Damien Miller 2021-03-04 09:54:01 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle
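
Added example (not part of the bug thread and not OpenSSH code): a small Python helper that collects what comment 2 asks for, namely every Include and PasswordAuthentication line across the main config and its included files, with the Match block each one sits in. The names scan and demo and the two-file sample are constructed for illustration; Match tracking is simplified, and the effective value still has to come from "sshd -T" run with the same binary that serves the connection.

```python
import glob
import os
import re
import tempfile

def scan(path, base="/etc/ssh", context="(global)", seen=None):
    """List Include and PasswordAuthentication lines as (file, line, context, directive)."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:  # Include-loop guard; a file included twice is listed once
        return []
    seen.add(real)
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            m = re.match(r"(\w+)[\s=]+(.*)", line)  # keywords are case-insensitive
            if line.startswith("#") or not m:
                continue
            key, args = m.group(1).lower(), m.group(2).strip()
            if key == "match":
                # Assumption: the context lasts until the next Match in this file.
                context = "Match " + args
            elif key == "passwordauthentication":
                hits.append((path, no, context, "PasswordAuthentication " + args))
            elif key == "include":
                hits.append((path, no, context, "Include " + args))
                for pattern in args.split():
                    if not os.path.isabs(pattern):  # relative paths resolve under /etc/ssh
                        pattern = os.path.join(base, pattern)
                    for inc in sorted(glob.glob(pattern)):  # lexical order
                        hits += scan(inc, base, context, seen)
    return hits

def demo():
    """Run scan() over a constructed two-file layout mirroring the report."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "sshd_config.d"))
        main = os.path.join(d, "sshd_config")
        with open(main, "w") as fh:  # constructed main config
            fh.write("Include sshd_config.d/*.conf\nPasswordAuthentication yes\n")
        with open(os.path.join(d, "sshd_config.d", "certificateLoginOnly.conf"), "w") as fh:
            fh.write("# Example of overriding settings on a per-user basis\n"
                     "Match Group certificateLoginOnly\n"
                     "     PasswordAuthentication  no\n")
        return [(os.path.basename(f), n, c, v) for f, n, c, v in scan(main, base=d)]

if __name__ == "__main__":
    for hit in demo():
        print("%s:%d [%s] %s" % hit)
```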