How does one set sshd_authenticationmethods to include password authentication? #686

Closed
mrdanielmartins opened this issue Jul 24, 2023 · 3 comments

@mrdanielmartins

Description

Good afternoon,

Pardon me for posting this as a bug, but I'm having trouble setting password authentication in addition to the default public key as another auth method. However, I can't set the variable correctly.

Config:

- hosts: localhost
  become: yes
  become_user: root
  collections:
    - devsec.hardening
  roles:
    # - os_hardening 
    - ssh_hardening 
  vars:
    ssh_client_password_login:
      - true
    ssh_server_password_login:
      - true
    sshd_authenticationmethods:
      - publickey

Here are the values I've tried for sshd_authenticationmethods. I even tried publickey to see if it wouldn't break Ansible, but it still did:

  • - publickey
  • - `publickey`
  • - publickey password
  • - publickey,password
  • - password
  • ['publickey', 'password']

The error each time I substituted the auth method (this happens to display publickey, but just substitute from the bullet list above):

fatal: [127.0.0.1]: FAILED! => {"changed": false, "checksum": "3148803d7892648b484bd44403f472b68c821609", "exit_status": 255, "msg": "failed to validate", "stderr": "Unknown authentication method \"[['publickey'\" in list\r\n/home/packer/.ansible/tmp/ansible-tmp-1690199084.4486673-20294-213478671635208/source line 92: invalid authentication method list.\r\n", "stderr_lines": ["Unknown authentication method \"[['publickey'\" in list", "/home/packer/.ansible/tmp/ansible-tmp-1690199084.4486673-20294-213478671635208/source line 92: invalid authentication method list."], "stdout": "", "stdout_lines": []}

How does one provide passwords in addition to public key authentication for SSH? The default value is simply publickey so not sure where I am going wrong.

Thank you,

Dan

Reproduction steps

...

Current Behavior

...

Expected Behavior

...

OS / Environment

  • RHEL 8.8
  • Packer 1.9.2

Ansible Version

ansible-core 2.14.2-4.el8_8

Collection Version

8.7

Additional information

...

@rndmh3ro
Member

sshd_authenticationmethods takes a string as input, you provided a list.

It should be:

sshd_authenticationmethods: "publickey password"

It basically works just as the configuration in the sshd_config itself:

Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more lists of comma-separated authentication method names, or by the single string any to indicate the default behaviour of accepting any single authentication method. If the default is overridden, then successful authentication requires completion of every method in at least one of these lists.

For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example it would not be possible to attempt password or keyboard-interactive authentication before public key.
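The syntax quoted above, as an added example that is not part of the original thread or of the devsec.hardening collection: a Python check that parses an AuthenticationMethods value the way the man page text describes and rejects a YAML list before it is templated into sshd_config. The function names are hypothetical and the sample values are constructed; the method names are those listed in sshd_config(5).

```python
# Added example: names are illustrative, not part of devsec.hardening.
# Method names as documented in sshd_config(5).
KNOWN_METHODS = {"gssapi-with-mic", "hostbased", "keyboard-interactive",
                 "none", "password", "publickey"}


def parse_authentication_methods(value):
    """Return a list of method lists, or None for the default 'any'."""
    if not isinstance(value, str):
        # A YAML list is rendered into the file as "['publickey']",
        # which sshd rejects with "Unknown authentication method".
        raise TypeError(f"expected a string, got {type(value).__name__}: {value!r}")
    if value.strip() == "any":
        return None
    lists = []
    for chunk in value.split():          # space separates alternative lists
        methods = chunk.split(",")       # comma separates required steps
        for m in methods:
            # keyboard-interactive may carry a ":<device>" suffix
            base = "keyboard-interactive" if m.startswith("keyboard-interactive:") else m
            if base not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method {m!r}")
        lists.append(methods)
    if not lists:
        raise ValueError("no authentication methods given")
    return lists


def offered_next(lists, completed):
    """Methods offered after `completed` succeeded, in that order."""
    n = len(completed)
    return sorted({l[n] for l in lists if l[:n] == completed and len(l) > n})


def is_granted(lists, completed):
    """Access requires completing every method of at least one list."""
    return completed in lists


if __name__ == "__main__":
    either = parse_authentication_methods("publickey password")   # key OR password
    both = parse_authentication_methods("publickey,password")     # key AND password
    print(is_granted(either, ["password"]), is_granted(both, ["password"]))
    try:
        parse_authentication_methods(["publickey", "password"])  # the mistake in this issue
    except TypeError as exc:
        print("rejected:", exc)
```

Note the difference the separator makes: a space gives alternative lists (either method alone is enough), while a comma chains methods that must all succeed in order.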

@mrdanielmartins
Author

Hey @rndmh3ro,

Thank you for taking the time to respond, and pardon my stupidity!

I literally just noticed after posting that it ought to have been

sshd_authenticationmethods: publickey password

and not

sshd_authenticationmethods: 
- publickey password

I have been staring at this screen for far too long now - best to have a break!

Thank you again,

Daniel

@rndmh3ro
Member

Glad you got it working.

I'm working on defining an argument spec that should hopefully prevent these kinds of problems.
