I am running Debian Linux jessie with OpenSSH version 6.7. I use the AuthenticationMethods directive in /etc/ssh/sshd_config. I know that these strings are recognized by AuthenticationMethods:
keyboard-interactive
gssapi-with-mic
password
publickey
Where can I find a list of all the valid strings that can be used with AuthenticationMethods? (Such a list is not in the man page for sshd_config.)
There isn't a way … over the network … to list ALL the active methods of authentications of OpenSSH ... in advance … ever: You are challenged to only the first one then the next …
this is a security feature. You want to know? Look at the
/etc/ssh/sshd_configdirectly on that server. Oh, you can’t? That’s security by design.So, I'll expand the list even further than what the official OpenSSL documentation covered as I've been code-reviewing OpenSSH for some time.
The available authentication methods are:
gssapi-with-mic",hostbased",keyboard-interactive",none" (used for access to password-less accounts whenPermitEmptyPasswordis enabled),password" andpublickey".AuthenticationMethodsspecifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more lists of comma-separated authentication method names, or by the single stringanyto indicate the default behavior of accepting any single authentication method. If the default is overridden, then successful authentication requires completion of every method in at least one of these lists.Pubkey Authentication
For example,
would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example it would not be possible to attempt
passwordorkeyboard-interactiveauthentication before public key.Keyboard Interactive Authentication
For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifier
bsdauthorpamdepending on the server configuration. For example,would restrict keyboard interactive authentication to the
bsdauthdevice.Multiple Pubkey Authentication
If the publickey method is listed more than once,
sshd(8)verifies that keys that have been used successfully are not reused for subsequent authentications.For example,
requires successful authentication using two different public keys.
Note
A comma (
,) separator symbol that separates a pair of auth options are tried together (AND-logic) firstly before any of its space separator(s).A whitespace (
NOTE: Colon (
:) separator are used to restrict its accompanied authentication method to a specific authentication device pathway mechanism such aspam,bsdauth, andskey. For keyboard interactive authentication it is also possible to restrict authentication to a specific device by appending a colon followed by the device identifierbsdauth,pam, orskey, depending on the server configuration. For example,keyboard-interactive:bsdauthwould restrict keyboard interactive authentication to thebsdauthdevice.Note that each authentication option (except
none) listed inAuthenticationMethodsshould also have its corresponding config setting be explicitly enabled in the configuration. For example, ifpubkeyoption got used inAuthenticationMethodssetting then it’s accompanied config linePubkeyAuthentication onmust also be in its config file.Details for code reviewers of OpenSSH
any'.This isn't documented very clearly (or at all). But here's what I was able to find. In OpenSSH 6.2, there were only 4 methods
Others have felt the need for more documentation as well. See Attachment 3045 which states for OpenSSH 7.5:
Hope that helps.