NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

ngyurov's avatar
ngyurov
Aspirant
Jul 26, 2014

OpenSSH >= 6.2 for support of AuthenticationMethods

OpenSSH 6.2 introduced a new keyword - AuthenticationMethods. For more info :arrow: http://lwn.net/Articles/544640/

From an OpenBSD 5.5 sshd_config man page:
AuthenticationMethods
Specifies the authentication methods that must be successfully
completed for a user to be granted access. This option must be
followed by one or more comma-separated lists of authentication
method names. Successful authentication requires completion of
every method in at least one of these lists.

For example, an argument of ``publickey,password
publickey,keyboard-interactive'' would require the user to
complete public key authentication, followed by either password
or keyboard interactive authentication. Only methods that are
next in one or more lists are offered at each stage, so for this
example, it would not be possible to attempt password or
keyboard-interactive authentication before public key.

For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a colon
followed by the device identifier ``bsdauth'', ``pam'', or
``skey'', depending on the server configuration. For example,
``keyboard-interactive:bsdauth'' would restrict keyboard
interactive authentication to the ``bsdauth'' device.

This option is only available for SSH protocol 2 and will yield a
fatal error if enabled if protocol 1 is also enabled. Note that
each authentication method listed should also be explicitly
enabled in the configuration. The default is not to require
multiple authentication; successful completion of a single
authentication method is sufficient.

We're actually running kinda late:
    OpenBSD 5.5 :arrow: OpenSSH_6.6.1
    Gentoo (synced to mainstream) :arrow: OpenSSH_6.6p1-hpn14v4
    ReadyNAS OS 6.1.8 (latest, as of time of writing) :arrow: OpenSSH_6.0p1 - :o :shock: :| :neener: :slap:


Can we get a little closer to the present here? 6.0 is hilarious.
Feature Request
Feature Request & Feedback

1 Reply

Replies have been turned off for this discussion
  • siigna's avatar
    siigna
    NETGEAR Employee Retired
    Aug 12, 2014
    ReadyNAS OS is based on Debian wheezy (current stable), which is shipping with v6.0p1 at the moment (https://packages.debian.org/wheezy/openssh-server).
    root@tatooine:~# ssh -V
    OpenSSH_6.0p1 Debian-4+deb7u1, OpenSSL 1.0.1e 11 Feb 2013

    Our version is pulled from the ReadyNAS repository, however the current version is available from the main Debian repo:
    root@tatooine:~# apt-cache policy openssh-server
    openssh-server:
      Installed: 1:6.0p1-4+deb7u1
      Candidate: 1:6.0p1-4+deb7u1
      Version table:
         1:6.0p1-4+deb7u2 0
            500 http://mirrors.kernel.org/debian/ wheezy/main armel Packages
     *** 1:6.0p1-4+deb7u1 0
            900 http://apt.readynas.com/packages/readynasos/ 6.1.8/main armel Packages
            100 /var/lib/dpkg/status

    Debian stable is not bleeding edge and never has been.
    I would hope OpenBSD-5.5(current) is running latest, since it is OpenBSD Secure Shell ;)
    Gentoo, rolling release, 'nough said.
    You should be able to update select packages relatively easily from backports (http://backports.debian.org/Instructions/).
    Current version of openssh-server in backports is v6.6p1 (https://packages.debian.org/wheezy-back ... ssh-server).
    root@tatooine:~# echo "deb http://http.debian.net/debian wheezy-backports main" >> /etc/apt/sources.list
    root@tatooine:~# apt-get update
    [...]
    Hit http://http.debian.net wheezy-backports Release.gpg
    Hit http://http.debian.net wheezy-backports Release
    Get:1 http://http.debian.net wheezy-backports/main armel Packages/DiffIndex [7,819 B]
    Fetched 7,819 B in 8s (918 B/s)
    Reading package lists... Done
    root@tatooine:~# apt-cache policy openssh-server
    openssh-server:
      Installed: 1:6.0p1-4+deb7u1
      Candidate: 1:6.0p1-4+deb7u1
      Version table:
         1:6.6p1-4~bpo70+1 0
            100 http://http.debian.net/debian/ wheezy-backports/main armel Packages
         1:6.0p1-4+deb7u2 0
            500 http://mirrors.kernel.org/debian/ wheezy/main armel Packages
     *** 1:6.0p1-4+deb7u1 0
            900 http://apt.readynas.com/packages/readynasos/ 6.1.8/main armel Packages
            100 /var/lib/dpkg/status
    root@tatooine:~# apt-get -t wheezy-backports install openssh-server
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following package was automatically installed and is no longer required:
      libswresample0
    Use 'apt-get autoremove' to remove it.
    The following extra packages will be installed:
      init-system-helpers libclass-isa-perl libgdbm3 libperl5.14 libswitch-perl openssh-client openssh-sftp-server perl perl-base
      perl-modules
    Suggested packages:
      ssh-askpass libpam-ssh keychain monkeysphere rssh molly-guard ufw perl-doc libterm-readline-gnu-perl libterm-readline-perl-perl
      make libpod-plainer-perl
    Recommended packages:
      xauth ncurses-term
    The following NEW packages will be installed:
      init-system-helpers libclass-isa-perl libgdbm3 libswitch-perl openssh-sftp-server perl perl-modules
    The following packages will be upgraded:
      libperl5.14 openssh-client openssh-server perl-base
    4 upgraded, 7 newly installed, 0 to remove and 44 not upgraded.
    Need to get 9,623 kB of archives.
    After this operation, 28.0 MB of additional disk space will be used.
    Do you want to continue [Y/n]?
    [...]
    root@tatooine:~# apt-cache policy openssh-server
    openssh-server:
      Installed: 1:6.6p1-4~bpo70+1
      Candidate: 1:6.6p1-4~bpo70+1
      Version table:
     *** 1:6.6p1-4~bpo70+1 0
            100 http://http.debian.net/debian/ wheezy-backports/main armel Packages
            100 /var/lib/dpkg/status
         1:6.0p1-4+deb7u2 0
            500 http://mirrors.kernel.org/debian/ wheezy/main armel Packages
         1:6.0p1-4+deb7u1 0
            900 http://apt.readynas.com/packages/readynasos/ 6.1.8/main armel Packages
    root@tatooine:~# ssh -V
    OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 11 Feb 2013

    Don't have an x86 system to test with at the moment, but on my ARM system it upgrades a few dependencies and installs a few new packages, but otherwise seems OK. Your mileage may vary and this is definitely something our support team can void your warranty over (until you factory default) should you run into issues.

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More