2FA with SFTP #174

Closed
isontheline opened this issue Jan 19, 2021 · 10 comments

@isontheline
Owner

Hello,
You removed the feature on release 13.10 - July 2017 because 2FA never worked with SFTP.
Would you consider trying again to implement this great feature?
It seems to work but I don't know what problem you had...
https://help.thorntech.com/docs/sftp-gateway-classic/two-factor-authentication-with-google-authenticator/
Thank you very much

Originally posted by @cotchon in #173

@isontheline isontheline self-assigned this Jan 19, 2021
@isontheline isontheline added ✨ enhancement New feature or request ❓ question Further information is requested 📝 reproduce-steps-needed labels Jan 19, 2021
@isontheline isontheline added this to the 14.10 - Truck milestone Jan 19, 2021
@isontheline
Owner Author

@cotchon

I'm searching on the Internet but the use of 2FA with SFTP isn't as "easy" as I would like :

Could you share your SFTP configuration and your actual SFTP client used?

@isontheline isontheline modified the milestones: 14.10 - Truck, 15.0 Jan 19, 2021
@cotchon

cotchon commented Jan 20, 2021

Hello,
Actually I tried with the SFTP CLI from High Sierra and it worked with 2FA; after login it asked me for the code. I don't know which SFTP client it is (no version).
I've just tried with Cyberduck, Version 7.6.2 (33520), and it also worked.
I've also just tried with FileZilla, Version 3.50.0, and it worked, authentication type interactive.
From reading your links #24 and #288, it seems to be difficult to get prompted correctly when 2FA occurs...
Hope this helps.

@cotchon

cotchon commented Jan 20, 2021

sshd_config
ChallengeResponseAuthentication yes

PAM configuration for the Secure Shell service
@include common-auth
auth required pam_google_authenticator.so nullok

From WebSSH, I get on my device:
Jan 20 10:10:43 PI4B sshd(pam_google_authenticator)[749]: Invalid verification code for pi
Jan 20 10:10:46 PI4B sshd[749]: Failed password for pi from x.x.x.x port 63774 ssh2

From FileZilla, I get a first prompt for the password, then a second prompt for the code;
on my device, I get:
Jan 20 10:14:38 PI4B sshd(pam_google_authenticator)[759]: Accepted google_authenticator for pi
Jan 20 10:14:39 PI4B sshd[757]: Accepted keyboard-interactive/pam for pi from x.x.x.x port 60936 ssh2
Jan 20 10:14:39 PI4B sshd[757]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Jan 20 10:14:39 PI4B systemd-logind[554]: New session 153 of user pi.
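
Added example, not part of the original thread or of the WebSSH project: Python that pairs `pam_google_authenticator` verdicts with sshd result lines like the ones quoted in the comment above, so that the auth method (`password` versus `keyboard-interactive/pam`) and the rejected codes per source address can be read off directly. The sample log is constructed (hostname, PIDs, documentation-range addresses, the `backup` user), and pairing by user name is an assumption made because the PAM line carries no address and can show a different PID than sshd's line.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the log excerpts quoted in the
# thread (hostname, PIDs, addresses and the "backup" user are made up).
SAMPLE_LOG = """\
Jan 20 10:10:43 host1 sshd(pam_google_authenticator)[749]: Invalid verification code for pi
Jan 20 10:10:46 host1 sshd[749]: Failed password for pi from 192.0.2.10 port 63774 ssh2
Jan 20 10:14:38 host1 sshd(pam_google_authenticator)[759]: Accepted google_authenticator for pi
Jan 20 10:14:39 host1 sshd[757]: Accepted keyboard-interactive/pam for pi from 192.0.2.10 port 60936 ssh2
Jan 20 10:20:01 host1 sshd(pam_google_authenticator)[801]: Invalid verification code for pi
Jan 20 10:20:03 host1 sshd[799]: Failed keyboard-interactive/pam for pi from 203.0.113.7 port 40100 ssh2
Jan 20 10:20:09 host1 sshd(pam_google_authenticator)[801]: Invalid verification code for pi
Jan 20 10:20:11 host1 sshd[799]: Failed keyboard-interactive/pam for pi from 203.0.113.7 port 40100 ssh2
Jan 20 10:30:00 host1 sshd[820]: Accepted password for backup from 198.51.100.4 port 50000 ssh2
"""

PAM_RE = re.compile(r"sshd\(pam_google_authenticator\)\[\d+\]: "
                    r"(Invalid verification code|Accepted google_authenticator) for (\S+)")
SSHD_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for "
                     r"(?:invalid user )?(\S+) from (\S+) port \d+")

def correlate(log_text):
    """Pair each sshd result line with the preceding TOTP verdict for that user.

    Assumption: the pairing key is the user name, because the PAM module's
    line has no source address and its PID may differ from sshd's.
    """
    pending, attempts = {}, []
    for line in log_text.splitlines():
        if m := PAM_RE.search(line):
            pending[m.group(2)] = "ok" if m.group(1).startswith("Accepted") else "bad"
        elif m := SSHD_RE.search(line):
            result, method, user, ip = m.groups()
            attempts.append({"user": user, "ip": ip, "method": method,
                             "result": result, "totp": pending.pop(user, None)})
    return attempts

def bad_codes_by_source(attempts):
    """Count rejected verification codes per source address."""
    return Counter(a["ip"] for a in attempts if a["totp"] == "bad")

def accepted_without_totp(attempts):
    """Logins sshd accepted with no TOTP verdict logged for that user."""
    return [a for a in attempts if a["result"] == "Accepted" and a["totp"] is None]

if __name__ == "__main__":
    for attempt in correlate(SAMPLE_LOG):
        print(attempt)
```

A login returned by `accepted_without_totp` is worth checking against the `nullok` option in the PAM line above, which lets accounts without a configured secret skip the code prompt.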

@isontheline
Owner Author

Thanks a lot for your feedback @cotchon!

I will try to figure out why I didn't succeed with SFTP 2FA connections in the past.

@isontheline isontheline removed ❓ question Further information is requested 📝 reproduce-steps-needed labels Jan 20, 2021
@isontheline isontheline modified the milestones: 15.0, 14.10 - Truck Jan 23, 2021
@isontheline
Owner Author

Hello @cotchon 👋

It seems possible to implement 2FA over SFTP but only if an SSH connection is launched in the background.

I don't think it will cause any problem in most cases as the SSH connection will only be opened on the channel side and no shell would be opened at all.

@cotchon

cotchon commented Feb 3, 2021

That's great news :-)

@isontheline isontheline modified the milestones: 14.10 - Truck, 15.0 Feb 11, 2021
@isontheline isontheline modified the milestones: 15.0, 14.20 - Cactus Jun 24, 2021
@isontheline
Owner Author

@cotchon Work In Progress

@isontheline
Owner Author

Hello @cotchon 👋

Could you try WebSSH 14.20 please?
https://testflight.apple.com/join/QSrBK59z

@cotchon

cotchon commented Jul 6, 2021

You did it man !!! It works great :-)

THANK YOU VERY MUCH

Now I have good security enabled at home + WebSSH, which rocks!!!

I use pubkey+2FA to get into my system

For those interested: https://www.techrepublic.com/article/how-to-combine-ssh-key-authentication-and-two-factor-authentication-on-linux/

@isontheline
Owner Author

Thanks a lot for your feedback @cotchon 🙏

Glad to see that this feature made your day 😇

Repository owner deleted a comment from EID0o02012 Oct 2, 2021