I'm running Mac OS X Server.app on Yosemite and I have SSH enabled for users with the default settings in `/etc/sshd_config` (publickey and password auth enabled by default). However, I need to restrict the `git` local user to have publickey access ONLY via SSH.
Full disclosure, the Server.app enables some additional Kerberos and GSSAPI options (although I'm not 100% sure how these affect my questions below):

```
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no
```
`/etc/sshd_config` says the following:

```
# To disable tunneled clear text passwords both PasswordAuthentication and
# ChallengeResponseAuthentication must be set to "no".
```
However, `ChallengeResponseAuthentication` is not allowed in Match statements, so I tried just disabling password authentication only:

```
Match User git
    PasswordAuthentication no
```
This does not work; I was still able to log in with username/password to git@my.server 🙁
However, adding `KbdInteractiveAuthentication no` seemed to work correctly:

```
Match User git
    PasswordAuthentication no
    KbdInteractiveAuthentication no
```
Now I get `Permission denied (publickey,gssapi-keyex,gssapi-with-mic)` when trying to log in without a public key. This seems to indicate that there are still methods besides publickey which will allow login from the `git` user (i.e. `gssapi-keyex` and `gssapi-with-mic`).
It seems like a better approach is to simply restrict the authentication method to `publickey`:

```
Match User git
    AuthenticationMethods publickey
```
This gives the response `Permission denied (publickey)`.
Questions:

- What's the difference between `ChallengeResponseAuthentication` and `KbdInteractiveAuthentication`? Why is `KbdInteractiveAuthentication` allowed in Match statements but not `ChallengeResponseAuthentication`?
- Is there any downside/security concern with the `AuthenticationMethods publickey` approach?
- (Bonus if you can help me understand `gssapi-keyex`/`gssapi-with-mic` and how they relate to the GSSAPI/Kerberos options that were enabled)
Best Answer
There's a nice summary of the difference between `ChallengeResponseAuthentication` and `KbdInteractiveAuthentication` at http://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthentication-vs-challengeresponseauthentication.html - summary is that ChallengeResponse often ends up just asking for password (but insists on it being supplied interactively).

`KbdInteractiveAuthentication` and `ChallengeResponseAuthentication` are different things. It's just that `ChallengeResponseAuthentication` can end up just prompting for a password in simple cases. `ChallengeResponseAuthentication` is a global setting and can't be specified within a `Match` clause - see the `sshd_config` man page for details.

Explicitly specifying `AuthenticationMethods publickey` for the `git` user should work fine and is better than disabling the ones you don't want (as the list could change).

The `gssapi` options come into play if you're working in a `Kerberos` environment (such as an Active Directory domain).
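The three configurations from the question, run through a small resolver for `sshd_config` `Match User` blocks. This is an added example, not code from the question, the answer or OpenSSH; it applies the answer's rule that `ChallengeResponseAuthentication` is global only and reports which methods sshd would still name in its `Permission denied (...)` reply. The sample configs are constructed and simplified (only the `User` match criterion is handled, and GSSAPI methods are listed whenever `GSSAPIAuthentication` is on).

```python
# Constructed sample configs modelled on the defaults in the question (not
# Server.app's file). Each ATTEMPT mirrors one step of the thread.
BASE = "PasswordAuthentication yes\nChallengeResponseAuthentication yes\nGSSAPIAuthentication yes\n"
ATTEMPT1 = BASE + "Match User git\n    PasswordAuthentication no\n"
ATTEMPT2 = ATTEMPT1 + "    KbdInteractiveAuthentication no\n"
FINAL = BASE + "Match User git\n    AuthenticationMethods publickey\n"


def effective_config(text, user):
    """Effective keyword -> value for `user`: global lines, then a matching
    'Match User <user>' block overrides them (only the User criterion is handled)."""
    cfg, match_cfg = {}, {}
    in_match = matched = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                          # block runs to EOF or next Match
            in_match, matched = True, value.lower() == f"user {user.lower()}"
            continue
        if in_match and key == "challengeresponseauthentication":
            raise ValueError("ChallengeResponseAuthentication is not allowed in a Match block")
        if not in_match:
            cfg[key] = value
        elif matched:
            match_cfg[key] = value
    cfg.update(match_cfg)
    return cfg


def offered_methods(text, user):
    """Methods sshd would still offer `user`, i.e. the names it lists in the
    'Permission denied (...)' reply quoted in the question."""
    c = effective_config(text, user)
    on = lambda key, default: c.get(key, default).lower() == "yes"
    methods = []
    if on("pubkeyauthentication", "yes"):
        methods.append("publickey")
    if on("gssapiauthentication", "no"):           # Kerberos/GSSAPI, as enabled by Server.app
        methods += ["gssapi-keyex", "gssapi-with-mic"]
    if on("passwordauthentication", "yes"):
        methods.append("password")
    # keyboard-interactive can simply prompt for the password; it only goes away
    # once both ChallengeResponse (global) and KbdInteractive are off
    if on("challengeresponseauthentication", "yes") and on("kbdinteractiveauthentication", "yes"):
        methods.append("keyboard-interactive")
    if "authenticationmethods" in c:               # whitelist: everything else is dropped
        allowed = set(c["authenticationmethods"].replace(",", " ").split())
        methods = [m for m in methods if m in allowed]
    return methods
```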