SSH – Best way to restrict some SSH users to publickey authentication only (disable password authentication)

Tags: configuration, mac, mac-osx, ssh

I'm running Mac OS X Server.app on Yosemite and I have SSH enabled for users with the default settings in /etc/sshd_config (publickey and password auth enabled by default). However, I need to restrict the git local user to have publickey access ONLY via SSH.

Full disclosure, the Server.app enables some additional Kerberos and GSSAPI options (although I'm not 100% sure how these affect my questions below):

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no

/etc/sshd_config says the following:

# To disable tunneled clear text passwords both PasswordAuthentication and
# ChallengeResponseAuthentication must be set to "no".

However, ChallengeResponseAuthentication is not allowed in match statements, so I tried just disabling password authentication only:

Match User git
      PasswordAuthentication no

This does not work – I was still able to log in with username/password to git@my.server 🙁

However, adding KbdInteractiveAuthentication no seemed to work correctly:

Match User git
      PasswordAuthentication no
      KbdInteractiveAuthentication no

Now I get Permission denied (publickey,gssapi-keyex,gssapi-with-mic) when trying to log in without a public key. This seems to indicate that there are still methods besides publickey which will allow login from the git user (i.e. gssapi-keyex and gssapi-with-mic)

It seems like a better approach is to simply restrict the authentication method to publickey:

Match User git
    AuthenticationMethods publickey

This gives the response Permission denied (publickey).

Questions:

  1. What's the difference between ChallengeResponseAuthentication and KbdInteractiveAuthentication? Why is KbdInteractiveAuthentication allowed in match statements but not ChallengeResponseAuthentication?
  2. Is there any downside/security concern with the AuthenticationMethods publickey approach?
  3. (Bonus if you can help me understand gssapi-keyex/gssapi-with-mic and how they relate to the GSSAPI/Kerberos options that were enabled)

Best Answer

There's a nice summary of the difference between ChallengeResponseAuthentication and KbdInteractiveAuthentication at http://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html - summary is that ChallengeResponse often ends up just asking for password (but insists on it being supplied interactively).

KbdInteractiveAuthentication and ChallengeResponseAuthentication are different things. It's just that ChallengeResponseAuthentication can end up just prompting for a password in simple cases.

ChallengeResponseAuthentication is a global setting and can't be specified within a Match clause - see the sshd_config man page for details.

Explicitly specifying AuthenticationMethods publickey for the git user should work fine and is better than disabling the ones you don't want (as the list could change).

The gssapi options come into play if you're working in a Kerberos environment (such as an Active Directory domain).
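As an added illustration (not code from the question, the answer or OpenSSH itself), here is a small Python model of how sshd resolves global keywords against Match User blocks and which userauth methods remain open for a given user; the config excerpt is constructed from the question's snippets, and only the Match User criterion is modelled.

```python
from typing import Dict, List

# Constructed sshd_config excerpt (sample data, not the asker's file): defaults plus the question's Match blocks.
SSHD_CONFIG = """
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
Match User git
    AuthenticationMethods publickey
Match User deploy
    PasswordAuthentication no
    KbdInteractiveAuthentication no
"""

def effective_settings(config: str, user: str) -> Dict[str, str]:
    """Global keywords overridden by Match User blocks matching `user` (first value wins, as in sshd)."""
    settings: Dict[str, str] = {}
    overrides: Dict[str, str] = {}
    in_match, active = False, True   # active: global section or a block matching `user`
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)                          # keyword, then its argument(s)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":        # only "Match User <name>" is modelled here
            crit, _, name = value.partition(" ")
            if crit.lower() != "user":
                raise ValueError("unsupported Match criterion: " + crit)
            in_match, active = True, name.strip() == user
        elif active:
            (overrides if in_match else settings).setdefault(keyword, value)
    settings.update(overrides)
    return settings

def allowed_methods(config: str, user: str) -> List[str]:
    """Methods that can still succeed for `user`, named as in sshd's 'Permission denied (...)' line."""
    s = effective_settings(config, user)
    if "authenticationmethods" in s:   # when set, only the listed methods can succeed
        return sorted({m for alt in s["authenticationmethods"].split() for m in alt.split(",")})
    methods = ["publickey"] if s.get("pubkeyauthentication", "yes") == "yes" else []
    if s.get("passwordauthentication", "yes") == "yes":
        methods.append("password")
    # KbdInteractiveAuthentication defaults to the ChallengeResponseAuthentication value
    # (yes): this is why 'PasswordAuthentication no' alone still accepted a password.
    if s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes")) == "yes":
        methods.append("keyboard-interactive")
    if s.get("gssapiauthentication", "no") == "yes":
        methods += ["gssapi-keyex", "gssapi-with-mic"]
    return methods
```

On a real server the authoritative check is `sshd -T -C user=git`, which prints the effective configuration sshd would apply in that Match context.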
