Match user not working

I would like, for specific users, to have them login via keys only,
never by password. I built a new version of ssh to do this as the
version on sles 9 is too old.  The server sees and recognises the
match (see partial logs below), but does allow password login even
though the match correctly says passwordauthentication no. This is on
a sles9 server with openssh 4.7p1.

Can anyone spot an issue?

Server 4.7: Local version string SSH-2.0-OpenSSH_4.7
on sles 9 system
Running on port 77 (sshd -ddd -p 77) I get verbose output.

When I use Match User xxxx (or match user xxx) in sshd_config, I get
on the ssh server upon login:

debug3: checking match for 'user leonardz' user leonardz host cn-r1-4
debug1: user leonardz matched 'User leonardz' at line 124
debug3: match found
debug3: reprocess config:125 setting RSAAuthentication yes
debug3: reprocess config:126 setting passwordauthentication no

After being prompted for a password at the client end I see:

debug1: do_pam_account: called
debug3: mm_request_send entering: type 47
Accepted keyboard-interactive/pam for leonardz from port
56991 ssh2
debug1: monitor_child_preauth: leonardz has been authenticated by
privileged process
debug3: mm_get_keystate: Waiting for new keys

and I am logged in by password.

Re: Match user not working


No, you're logged in by keyboard-interactive (via PAM).

Depending on what PAM is configured to do, keyboard-interactive may
or may not be a password (e.g. it could be a challenge/response token),
but sshd has no way to tell.  There's a warning to this effect in the
sshd_config(5) man page:

      Because PAM challenge-response authentication usually serves an
      equivalent role to password authentication, you should disable
      either PasswordAuthentication or ChallengeResponseAuthentication.

Unfortunately (for reasons of backward compatibility) you can't
set ChallengeResponseAuthentication in a Match block but you can set
KbdInteractiveAuthentication, which is the Protocol 2 method.  To prevent
your user from using Protocol 1 challenge-response, what you want to
do is:

ChallengeResponseAuthentication no
KbdInteractiveAuthentication yes
Match user whatever
    KbdInteractiveAuthentication no
    PasswordAuthentication no

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

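The reply's point is that a Match block can override PasswordAuthentication and KbdInteractiveAuthentication but not ChallengeResponseAuthentication, so with the original config the PAM keyboard-interactive path stays open for the matched user. The following Python is an added example written for this thread, not OpenSSH code and not the poster's or the reply author's: it models a subset of sshd_config parsing (only the User criterion, the first matching Match block winning per option, and defaults assumed from sshd_config(5) of that era) and runs it over two constructed configs, the poster's and the reply's fix, to show which password-like authentication paths remain effective for a given user.

```python
"""Resolve the effective per-user sshd options and flag the kbd-interactive gap.

Added example for the thread above; it is not OpenSSH code and models only
the handful of options the discussion involves.
"""

# Subset of options sshd allows inside a Match block (from sshd_config(5)).
# ChallengeResponseAuthentication is deliberately absent: it is not Match-able.
MATCH_ALLOWED = {
    "passwordauthentication",
    "kbdinteractiveauthentication",
    "rsaauthentication",
}

# Assumed sshd defaults for the options modelled here.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "rsaauthentication": "yes",
}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); each block is (criteria, opts).

    Keywords are case-insensitive, so 'Match User' and 'match user' are the
    same thing. Values are lowercased. An option that sshd would reject
    inside a Match block raises ValueError.
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            toks = value.split()
            criteria = {toks[i]: toks[i + 1] for i in range(0, len(toks) - 1, 2)}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = value
        elif key not in MATCH_ALLOWED:
            raise ValueError(f"'{parts[0]}' is not allowed in a Match block")
        else:
            current[1][key] = value
    return global_opts, blocks


def validate(text):
    """Return an error message for a config sshd would reject, else ''."""
    try:
        parse_sshd_config(text)
    except ValueError as exc:
        return str(exc)
    return ""


def effective_options(text, user):
    """Global values, overridden by the first matching Match block per option."""
    global_opts, blocks = parse_sshd_config(text)
    opts = dict(DEFAULTS)
    opts.update(global_opts)
    already_set = set()
    for criteria, block_opts in blocks:
        # Only the User criterion is modelled; blocks using other criteria
        # (Address, Group, ...) are treated as not matching.
        if set(criteria) != {"user"} or user not in criteria["user"].split(","):
            continue
        for key, value in block_opts.items():
            if key not in already_set:
                opts[key] = value
                already_set.add(key)
    return opts


def audit_user(text, user):
    """List the password-style authentication paths still open for `user`."""
    o = effective_options(text, user)
    open_paths = []
    if o["passwordauthentication"] == "yes":
        open_paths.append("password")
    # Keyboard-interactive needs both the protocol-2 method and the global
    # challenge-response switch; with PAM it behaves like a password prompt.
    if (o["kbdinteractiveauthentication"] == "yes"
            and o["challengeresponseauthentication"] == "yes"):
        open_paths.append("keyboard-interactive/pam" if o["usepam"] == "yes"
                          else "keyboard-interactive")
    return open_paths


# Constructed configs: the poster's (Match sets only PasswordAuthentication)
# and the reply's fix (global ChallengeResponseAuthentication no).
POSTER_CONFIG = """
UsePAM yes
Match User leonardz
    RSAAuthentication yes
    PasswordAuthentication no
"""

FIXED_CONFIG = """
UsePAM yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication yes
Match user leonardz
    KbdInteractiveAuthentication no
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("poster", POSTER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "leonardz:", audit_user(cfg, "leonardz") or "keys only")
```

Running it reports keyboard-interactive/pam still open for leonardz under the poster's config and nothing (keys only) under the fixed one, while a user not covered by the Match block keeps password login. Later OpenSSH releases (5.1 and newer) can print the real effective options for a connection with `sshd -T -C user=NAME`; 4.7p1 has no such switch, which is why a small resolver like this is handy there.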