Ssh – Different “RequiredAuthentications2” for sshd and sftp subsystem

Tags: pam, sftp, ssh

We're currently using 2-factor authentication on our SSH servers, so we have "RequiredAuthentications2 publickey,keyboard-interactive" in our sshd_config (publickey for the key; keyboard-interactive is for the 2-factor, which is handled via PAM).

To make things easier for our devs, we want to disable the 2factor requirement for the sftp subsystem.

I've already searched for something like "Match Subsystem sftp" (like the available "Match Group") where I could afterwards define only "RequiredAuthentications2 publickey", but it seems that's not possible.

Another thing I had a look into was PAM, to check if there's a possibility to define a separate config for the sftp subsystem (it seems that's not doable; the service for PAM is always 'ssh'), or if I could have something in my sshd PAM conf like "auth [success=1 default=ignore] pam_succeed_if.so quiet subsystem in sftp".

Any hints? (besides setting up another sshd instance only for sftp with a different setting)

Best Answer

Rather than trying to loosen security with a group rule, I'd use the default security and tighten with group rules. Here's an example that requires 2-factor authentication for users, but not for sftp-users.

    # Only these groups can connect
    AllowGroups users sftp-users

    # Interactive users must present a key AND pass the PAM (2-factor) step
    Match Group users
        RequiredAuthentications2 publickey,keyboard-interactive

    # sftp-users keep the default (single-method) authentication, but are locked down
    Match Group sftp-users
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no

I prototyped this successfully on an Ubuntu system; my sshd_config man page specified AuthenticationMethods instead of the RequiredAuthentications1 and RequiredAuthentications2 in the CentOS man page. The equivalent line was

    AuthenticationMethods publickey,password
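To confirm that a Match Group layout like the one above really yields different authentication requirements per group, here is an added example (not from the answer above or from OpenSSH) that parses a minimal sshd_config and reports the option sshd would apply to a given user. It assumes the upstream AuthenticationMethods keyword, handles only User/Group criteria, and uses a constructed copy of the answer's config as input.

```python
import fnmatch

# Constructed sample: the answer's config, with AuthenticationMethods in place of RequiredAuthentications2.
SAMPLE_CONFIG = """
AllowGroups users sftp-users
Match Group users
    AuthenticationMethods publickey,keyboard-interactive
Match Group sftp-users
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Return (global options, ordered Match blocks); keys are lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            words = value.split()  # "Group users" -> [("group", "users")]
            current = {"criteria": list(zip((w.lower() for w in words[::2]), words[1::2])), "opts": {}}
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)  # sshd keeps the first value it sees
        else:
            current["opts"].setdefault(key, value)
    return global_opts, blocks

def _matches(criteria, user, groups):
    """True if every User/Group criterion (comma-separated patterns) is satisfied."""
    for kind, patterns in criteria:
        candidates = [user] if kind == "user" else (groups if kind == "group" else [])
        if not any(fnmatch.fnmatch(c, p) for p in patterns.split(",") for c in candidates):
            return False
    return True

def effective_option(text, keyword, user, groups):
    """Value sshd applies for `keyword` to this user: the first satisfied Match block
    that sets it wins, else the global section, else None (sshd's built-in default)."""
    global_opts, blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for block in blocks:
        if _matches(block["criteria"], user, groups) and keyword in block["opts"]:
            return block["opts"][keyword]
    return global_opts.get(keyword)
```

On a real host, the authoritative check is `sshd -T -C user=<name>,host=<host>,addr=<ip>`, which prints the effective configuration after applying Match blocks.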