we're currently using a 2factor authentication on our SSH servers, so we have "RequiredAuthentications2 publickey,keyboard-interactive" in our sshd_config (publickey for the key, keyboard-interactive is for the 2factor which is handled via PAM)
To make things easier for our devs, we want to disable the 2factor requirement for the sftp subsystem.
I've already searched for something like "Match subsystem sftp" (like the available 'Match Group " where i could define afterwards only "RequiredAuthentications2 publickey", but it seems that's not possible.
Another thing I had a look into was to check PAM, if there's a possibility to define a separate config for the sftp subsystem (it seems like that's not doable, the service for pam is always 'ssh') or if I could have something in my sshd pam conf like "auth [success=1 default=ignore] pam_succeed_if.so quiet subsystem in sftp"
Any hints? (beside setting up another sshd instance only for sftp with a different setting)
Best Answer
Rather than trying to loosen security with a group rule, I'd use the default security and tighten with group rules. Here's an example that requires 2factor authentication for
users
, but notsftp-users
.I prototyped this successfully on an Ubuntu system, my sshd_config man page specified
AuthenticationMethods
instead of theRequiredAuthenticatios1
andRequiredAuthenticatios2
in CentOS system man page. The equivalent line was