NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

NixOS sshd_config and/or PAM(?) breaks this config #18503

Open bjornfor opened 7 years ago

bjornfor commented 7 years ago

Issue description

SSH supports denying password authentication except for clients on the local network with a sshd_config snippet like this[1]:

PasswordAuthentication no

Match address 192.0.2.0/24
    PasswordAuthentication yes

This works on e.g. Ubuntu (and I presume all major distros). However, it doesn't work on NixOS.

Steps to reproduce

Server configuration.nix snippet:

  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    extraConfig = ''
      # LogLevel DEBUG3

      # Allow password authentication on local network
      Match Address 192.168.1.0/24
          PasswordAuthentication yes
    '';
  };

Connecting with a client, forcing password authentication:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no $server

Give it your password, but you'll still be denied access.

Technical details

[1] http://askubuntu.com/questions/101670/how-can-i-allow-ssh-password-authentication-from-only-certain-ip-addresses

domenkozar commented 7 years ago

Check the generated openssh config file, maybe your directive is being overridden.

bjornfor commented 7 years ago

I know the Match directive works, because without it I'm not allowed to type my password (as expected):

$ ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no $server
Permission denied (publickey,keyboard-interactive).

nlvw commented 6 years ago

Any update on this? I'm running across the same problem. From what I can tell OpenSSH is allowing the password auth but something is causing the actual password authentication to fail.

bjornfor commented 6 years ago

No update here :-/ How to debug this further?

andymandias commented 4 years ago

Still running into the same issue now. What I have had success with is setting

challengeResponseAuthentication = false;
passwordAuthentication = true;

then using Match to set PasswordAuthentication No. I'm not sure how feasible this is when using Address to match, but it's fairly straightforward when using LocalPort for matching.

kwohlfahrt commented 4 years ago

I think the reason for this might be here in the openssh module:

    security.pam.services.sshd =
      { startSession = true;
        showMotd = true;
        unixAuth = cfg.passwordAuthentication;
      };

I don't know how usePAM and PasswordAuthentication interact, but it definitely breaks my usual configuration of:

UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes

In this case, I am not prompted for my password through PAM as expected, since the PAM module has had unix auth disabled.
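As an added illustration (not code from this issue or from nixpkgs), the Python below models the two decisions discussed above: the PasswordAuthentication value sshd applies to a client address under a Match block, and the NixOS module's coupling of that option to PAM's unixAuth. The sshd_config is constructed from the reproduction snippet; the PAM coupling follows the module lines quoted in the previous comment.

```python
import ipaddress

# Constructed sshd_config mirroring the reproduction snippet in this issue.
SSHD_CONFIG = """\
PasswordAuthentication no
UsePAM yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

def effective_password_auth(config: str, client_addr: str) -> bool:
    """PasswordAuthentication sshd would apply to a client at client_addr.
    OpenSSH rules modelled: first value wins in the global section; a matching
    Match block overrides it (first matching block wins). Only the Address
    criterion (comma-separated CIDRs) is modelled; other criteria never match.
    """
    addr = ipaddress.ip_address(client_addr)
    global_value = match_value = None
    in_match = matched = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "match":
            in_match, matched = True, False
            crit = rest.split()
            if len(crit) == 2 and crit[0].lower() == "address":
                nets = [ipaddress.ip_network(n, strict=False) for n in crit[1].split(",")]
                matched = any(addr in n for n in nets)
            continue
        if key != "passwordauthentication":
            continue
        enabled = rest.strip().lower() == "yes"
        if not in_match and global_value is None:
            global_value = enabled
        elif in_match and matched and match_value is None:
            match_value = enabled
    if match_value is not None:
        return match_value
    return True if global_value is None else global_value  # sshd default: yes

def nixos_password_login_succeeds(password_auth_option: bool, config: str,
                                  client_addr: str) -> bool:
    """Model the coupling quoted above: services.openssh.passwordAuthentication
    also sets security.pam.services.sshd.unixAuth, so with the option false
    pam_unix is absent and the password is rejected even where sshd says yes."""
    pam_unix_auth = password_auth_option  # unixAuth = cfg.passwordAuthentication
    return effective_password_auth(config, client_addr) and pam_unix_auth
```

On a real host, `sshd -T -C addr=192.168.1.10` prints the effective sshd values for that client address, which is the check asked for earlier in the thread; the PAM side has to be read from the generated /etc/pam.d/sshd.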

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

Lqp1 commented 3 years ago

I'm suffering from this bug too; my config is to disable both keyboard-interactive and passwordAuthentication globally, but set up passwordAuthentication for a particular group (along with other settings) using Match group [....].

One of the workarounds would be to use UsePAM no globally (I personally don't rely on it), which is not possible currently, as it's hardcoded. Wdyt about having an option in the sshd nixpkg to allow disabling this? Adding UsePAM no using extraConfig does not work, as only the first element in the config file is taken into account apparently.

EDIT: just saw why it's hardcoded... https://github.com/NixOS/nixpkgs/commit/ae74b0ae587df0750843da2d7cfc6e1e24e63bf2 so best bet is to change PAM config then

deliciouslytyped commented 3 years ago

I'm messing around with trying to figure out some PAM stuff, and if there's any way to debug it, in https://github.com/NixOS/nixpkgs/issues/119710

deliciouslytyped commented 3 years ago

https://github.com/openssh/openssh-portable/blob/master/auth-pam.c and https://github.com/openssh/openssh-portable/blob/master/auth-passwd.c show no immediately visible reasons for options.permit_empty_passwd to fail, and besides, at least in the case of PAM, PAM is the one that delivers the auth failure message anyway, so the auth shouldn't be failing due to SSH anyway, modulo flags it sets.

neosimsim commented 2 years ago

I ran across the same problem today.