what you will see is the current state of a problem I am trying to solve.
I restarted sshd before filling in the body of this question.
What I am trying to do:
- I need to use SSH keys combined with a YubiKey to secure SSH authentication.
- I need to disable clear-text passwords.
Relevant parts of my /etc/ssh/sshd_config look like this:
```
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
```
My /etc/pam.d/sshd looks like this:
```
# PAM configuration for the Secure Shell service
auth required pam_yubico.so id=16 debug authfile=/etc/authorized_yubikeys

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account required pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Set the loginuid process attribute.
session required pam_loginuid.so

# Create a new session keyring.
session optional pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password
```
The only row added to /etc/pam.d/sshd is:
```
auth required pam_yubico.so id=16 debug authfile=/etc/authorized_yubikeys
```
Result:
```
$ ssh test -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/dev/.ssh/config
debug1: /home/dev/.ssh/config line 1: Applying options for *
debug1: /home/dev/.ssh/config line 5: Applying options for dev
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 9: Applying options for *
debug1: Connecting to test [192.168.1.2] port 22.
debug1: Connection established.
debug1: identity file /home/dev/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/dev/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to test:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:K2vxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Warning: Permanently added 'test,192.168.1.2' (ECDSA) to the list of known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:mAExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /home/dev/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
YubiKey for `admin':
Password
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to test ([192.168.1.2]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)
admin@test:~$
```
The login works fine, but can you see the line **Password** above? It shouldn't be asking for it (as it's disabled in the sshd_config) and I don't understand why :/
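An added example, not part of the original question. The `Password` prompt in the transcript above is produced by the PAM auth stack, not by sshd's own password method: with `AuthenticationMethods publickey,keyboard-interactive` and `UsePAM yes`, the keyboard-interactive step hands the conversation to /etc/pam.d/sshd, and `PasswordAuthentication no` only switches off SSH's separate "password" method. In the posted stack pam_yubico asks for the OTP and then `@include common-auth` (which on Debian/Ubuntu pulls in pam_unix.so) asks for the Unix password. The script below embeds two constructed fragments of that auth phase (the stack as posted, and one with common-auth commented out, which is the assumed fix) and a small check that reports whether the auth phase can still prompt for a Unix password. The fragment strings and the function names are this example's own, not anything from the question.

```shell
#!/bin/sh
# Added example (not from the original post): does the PAM auth stack that
# sshd's keyboard-interactive method runs still ask for a Unix password?

# Constructed fragment of the auth phase as posted: pam_yubico followed by
# common-auth, which on Debian/Ubuntu includes pam_unix.so ("Password:").
WEAK_STACK='# PAM configuration for the Secure Shell service
auth required pam_yubico.so id=16 debug authfile=/etc/authorized_yubikeys
# Standard Un*x authentication.
@include common-auth
account required pam_nologin.so'

# Constructed fragment with the assumed fix: common-auth commented out, so
# pam_yubico is the only auth module; the SSH key is the other factor.
FIXED_STACK='# PAM configuration for the Secure Shell service
auth required pam_yubico.so id=16 debug authfile=/etc/authorized_yubikeys
# Standard Un*x authentication.
#@include common-auth
account required pam_nologin.so'

# Return 0 (true) if the auth phase of the given PAM stack text can prompt
# for a Unix password: common-auth is included or pam_unix.so is listed
# directly on an auth line. Comments are stripped first so a commented-out
# include does not count.
pam_auth_asks_password() {
    printf '%s\n' "$1" \
        | sed 's/#.*//' \
        | grep -E '^[[:space:]]*(@include[[:space:]]+common-auth|auth[[:space:]].*pam_unix\.so)' \
        >/dev/null
}

# Print a one-line verdict for a labelled stack.
report() {
    if pam_auth_asks_password "$2"; then
        echo "$1: keyboard-interactive will still prompt for a Unix password"
    else
        echo "$1: no common-auth/pam_unix in the auth phase; only the YubiKey prompt remains"
    fi
}

report "as posted" "$WEAK_STACK"
report "corrected" "$FIXED_STACK"
```

On the server itself the same two checks are `grep -vE '^\s*#' /etc/pam.d/sshd | grep -E 'common-auth|pam_unix'` against the live file, and `sshd -T | grep -iE 'authenticationmethods|passwordauthentication|challengeresponseauthentication|usepam'` to confirm the effective sshd settings after the restart. Dropping common-auth from /etc/pam.d/sshd only affects sshd's PAM stack; console and sudo logins keep their own PAM files.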