sftp - Received message too long #22
Comments
@osterman IMHO, this issue is not a question as you labelled it, but rather a "bug" - easy to replicate, as per my instructions above.
@marji I suspect it could be related to the
The
Btw, you're invited to join our slack team here: https://slack.cloudposse.com where you'll get direct access to me and the team.
On further reflection, this will not work with Google Authenticator. SFTP is a non-interactive protocol. It’s implemented on top of SSH. MFA prompts are not an official spec and there is no standard. Thus no standard way for clients to handle it. If you use a more advanced client like Cyberduck, maybe it will work. That said, SCP will work with non-interactive push notifications which is the way we used it. This is supported by Duo. Duo is a much, much better approach. It also supports geofencing and a multitude of other security enhancements, plus the TOTP seed is not stored on the server. The TOTP seed will let anyone guess the sequence if compromised.
@marji I'm going to close this issue. Please re-open if you can find any new information that indicates Google Authenticator is compatible with
@osterman I tracked the problem with sftp not working with google-authenticator to this standard output terminal condition in While debugging this, I realised this condition is also breaking execution of ssh connections with remote command specified:
When I compile the docker image without this condition, my problem is gone, sftp works.
@marji - aha, I see! yes, this seems like it could be easily fixed.
@marji please give it another shot. We moved the conditional inside the block to check if it's been previously initialized. If you want to disable MFA altogether for scp, I don't recommend it - but if you want to open a PR for it, we can consider it.
@osterman I'm happy to confirm the above change has fixed the problem. Thank you guys for fixing this.
Thanks @marji for letting us know! Happy we got this working. =)
I noticed sftp to the bastion container (with google authenticator selected as the MFA) does not work:
Provision a fresh bastion instance:
Initialise with the first login.
Then ssh into the container again, works fine:
But SFTP stops with an error:
I'm not sure where to look. Perhaps the sshd config? If you give me a little hint, I'm happy to debug more.
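Background on the error in this issue's title, as an added example that is not part of the thread or of the bastion project's code: OpenSSH's sftp client reads the first four bytes from the server as a big-endian packet length, so any text a login script writes to stdout before the SFTP subsystem starts is parsed as an oversized length. The banner text, sample packets and function names below are constructed for illustration.

```python
import struct

# Upper bound OpenSSH's sftp client accepts for one packet
# (SFTP_MAX_MSG_LENGTH in sftp-client.c).
SFTP_MAX_MSG_LENGTH = 256 * 1024

# Constructed sample: a well-formed SSH_FXP_VERSION reply
# (length=5, type=2, protocol version 3).
CLEAN = struct.pack(">IBI", 5, 2, 3)
# Constructed sample: the same reply preceded by text a login script printed.
NOISY = b"Welcome to the bastion\n" + CLEAN


def first_packet_length(stream: bytes) -> int:
    """Return the big-endian uint32 length prefix the client reads first."""
    if len(stream) < 4:
        raise ValueError("need at least 4 bytes")
    return struct.unpack(">I", stream[:4])[0]


def client_verdict(stream: bytes) -> str:
    """Mimic the client's length check on the first packet."""
    length = first_packet_length(stream)
    if length > SFTP_MAX_MSG_LENGTH:
        return f"Received message too long {length}"
    return "ok"


def leaked_text(reported_length: int) -> str:
    """Map the number from the error back to the 4 bytes that were sent.

    Useful when debugging: the result is the start of whatever the server
    side printed to stdout ahead of the SFTP stream.
    """
    raw = struct.pack(">I", reported_length)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


if __name__ == "__main__":
    for name, stream in (("clean", CLEAN), ("noisy", NOISY)):
        verdict = client_verdict(stream)
        print(f"{name}: {verdict}")
        if verdict != "ok":
            print("  first bytes on stdout:", leaked_text(first_packet_length(stream)))
```

Feeding the number from a real "Received message too long" error to `leaked_text` shows the first four characters of the stray output, which helps locate the script that printed it.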