Different "RequiredAuthentications2" for sshd and sftp subsystem
we're currently using a 2factor authentication on our SSH servers, so we have "RequiredAuthentications2 publickey,keyboard-interactive" in our sshd_config (publickey for the key, keyboard-interactive is for the 2factor which is handled via PAM)
To make things easier for our devs, we want to disable the 2factor requirement for the sftp subsystem.
I've already searched for something like "Match subsystem sftp" (like the available 'Match Group " where i could define afterwards only "RequiredAuthentications2 publickey", but it seems that's not possible.
Another thing I had a look into was to check PAM, if there's a possibility to define a separate config for the sftp subsystem (it seems like that's not doable, the service for pam is always 'ssh') or if I could have something in my sshd pam conf like "auth [success=1 default=ignore] pam_succeed_if.so quiet subsystem in sftp"
Any hints? (beside setting up another sshd instance only for sftp with a different setting)
Solution 1:
Rather than trying to loosen security with a group rule, I'd use the default security and tighten with group rules. Here's an example that requires 2factor authentication for users
, but not sftp-users
.
# Only these groups can connect
AllowGroups users sftp-users
Match Group users
RequiredAuthenticatios2 publickey,keyboard-interactive
Match Group sftp-users
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
I prototyped this successfully on an Ubuntu system, my sshd_config man page specified AuthenticationMethods
instead of the RequiredAuthenticatios1
and RequiredAuthenticatios2
in CentOS system man page. The equivalent line was
AuthenticationMethods publickey,password