1.  Home
  2. MIDRANGE-L
  3. September 2024

Re: sftp using both ssh key and password authentication

On Thu, Sep 5, 2024 at 11:02 AM Patrik Schindler <poc@xxxxxxxxxx> wrote:

Am 05.09.2024 um 16:44 schrieb Jay Vaughn <jeffersonvaughn@xxxxxxxxx>:

that's what I thought Patrick... and this customer has MANY vendors they work with in the product and every vendor is either SSH Key validated OR password... but now they have a vendor that requires both.

So yes, both authentication methods have to happen.

I'm not aware that is is even possible. To my current knowledge, ssh authentication does not "stack". Once one method succeeds, the rest is skipped.

A lot of people seem to think that, so it was probably true at some point.

But from what I can tell, it is currently possible to require both.

On the server side, the AuthenticationMethods keyword can accept
comma-separated lists of methods that are ANDed together:

https://man.openbsd.org/sshd_config#AuthenticationMethods

But it's not clear to me how the client would comply with that. The
PreferredAuthentications keyword specifies the *client's* preferred
fallback sequence:

https://man.openbsd.org/ssh_config#PreferredAuthentications

There doesn't seem to be anything on the client side that links two
authentication methods together for a single login. But you can
certainly specify multiple methods.

So, my naive guesses to try are:

1. Maybe don't use the PreferredAuthentications keyword at all (which
is one of the things Patrik implied). By default, it will try several.

2. Maybe use `PreferredAuthentications=any` (I am not sure this is
valid, but `any` can be specified for AuthenticationMethods on the
server).

3. Maybe the order matters. Like, maybe if the server needs the
password to come first, the client has to prefer password ahead of
publickey. This seems a bit far-fetched to me, especially since the
server can, in theory, specify that you need a public key, followed by
a password, followed by a second public key. So, if this is the case,
find out the specific order in which they're required by the server,
and use that on your PreferredAuthentications keyword.

So, for example, if the server needs the password first, as in

AuthenticationMethods password,publickey

then try

PreferredAuthentications=password,publickey

Bottom line: I'm confident it is possible for the server to require
both, and so there must be some way for the client to comply.

John Y.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.