2 factor authentication #1040

Open
pyNetz opened this issue Dec 20, 2018 · 18 comments

@pyNetz

pyNetz commented Dec 20, 2018

I have an environment that requires a username and a passcode (pin+8 digit rsa Tokencode) when SSHing into network devices. Am I out of luck for automating large scale network tasks to thousands of devices?

@ktbyers
Owner

ktbyers commented Dec 26, 2018

Someone would have to create a solution for this and submit a PR on it. I am totally open to it, but I don't have a way to test it, and it is probably not something I am going to work on in the near future.

@ktbyers
Owner

ktbyers commented Dec 27, 2018

This would be good to have if someone wants to work on it.

@yoonghm

yoonghm commented Dec 27, 2018 via email

@Muadiv

Muadiv commented Dec 27, 2018

I did something like that already. The solution is not the best, but it works: use AutoHotkey to call RSA and take the password from there.

Here is the code that I use:

  1. AutoHotKey:
;; RSA Token Automation.ahk
;; # autohotkey.exe
;; # Ref: http://www.autohotkey.com/board/topic/59612-simple-debug-console-output/


;; RSA
Run, "C:\Program Files (x86)\RSA SecurID Software Token\SecurID.exe"
WinWait, (Here number of your RSA window) - RSA SecurID Token, 
IfWinNotActive, (Here number of your RSA window)- RSA SecurID Token, , WinActivate, (Here number of your RSA window)- RSA SecurID Token, 
WinWaitActive, (Here number of your RSA window)- RSA SecurID Token, 
Send, (Your Key here)
Sleep, 100
Send, {ENTER}
Sleep, 100
;;Send, {CTRLDOWN}c{CTRLUP}

Send, ^c
Sleep, 100
X := clipboard

Send, {ALTDOWN}{F4}{ALTUP}

return 

And this is the code that I used on my python file to call that and grab the key:

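import subprocess

import win32clipboard  # from the pywin32 package


def get_rsa_token():
    # Run the AutoHotkey script and wait for it to finish; it leaves the
    # tokencode on the clipboard.
    subprocess.Popen("ssas.ahk", shell=True,
                     stdout=subprocess.PIPE).communicate()
    win32clipboard.OpenClipboard()
    try:
        data = win32clipboard.GetClipboardData()
    finally:
        # Always release the clipboard, even if reading it fails.
        win32clipboard.CloseClipboard()
    return data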

I know that this is not the best solution, but it is the only way that I found to get RSA with Python. 😄

@napstercc

You forgot: import subprocess in that

@maheshkudva

I have the exact same issue and have been using AutoHotKey as mentioned above. However, as Muadiv mentioned, it's best when used for a single user. Large-scale deployments are something for which an alternative is needed.

@ktbyers
Owner

ktbyers commented Jan 23, 2019

Definitely open to solutions, but it will need to be driven by the community.

@napstercc

I'm wondering if there is a module for rsa where we could import the RSA token, and then just import the password so we could use the generated key to login. Do any of you know if there is such a thing?

@Muadiv

Muadiv commented Jan 30, 2019

> I'm wondering if there is a module for rsa where we could import the RSA token, and then just import the password so we could use the generated key to login. Do any of you know if there is such a thing?

From what I researched, there is no module to do that; that's why this is the only way that I found to do this process. Also, there is a guy who did something similar but with a hard token, with a camera and recognition software... even more crazy...
You can investigate a little bit here https://community.rsa.com/docs/DOC-75741 but I think that is not exactly what we are looking for.

@paulcfyiu

paulcfyiu commented Mar 19, 2019

Actually, with the help of stoken https://github.com/cernekee/stoken you can use your rsa.sdtid to pre-generate 60+ 120+ etc. token codes for your pre-run-time program. Your pin+rsakey is a piece of cake to get ahead of time.

I have not yet begun to look at netmiko at the code level; just wondering, has anyone successfully used netmiko to auth with a passcode yet? I am going to spend time tackling this; if anyone can collaborate, that would be wonderful.

@paulcfyiu

Guys, I have spent time coding in expect + sh + jumphost... I am able to get my ansible box to connect through a jump host (2FA) with RSA SecurID to all network devices (also 2FA) XD it is possible

@Muadiv

Muadiv commented Mar 25, 2019

Hey @paulcfyiu, could you explain how? Or show the code :)

@paulcfyiu

paulcfyiu commented Mar 27, 2019

Muadiv, I can share the concept and approach I took. A SecurID OTP will be valid for a certain time; in my case it is around 10 mins. Stoken allows you to collect your tokencode; I have coded a stack to store 10 mins of valid tokens.

I coded an sh script, like an "ansible-playbook wrapper" program, that fetches a token code from the stack and passes it to an expect script, which makes the initial connection to the 2FA jumphost and runs in the background. Then, similarly, it gets token codes from the stack before calling ansible-playbook to run the task. Finally, it cleans up all SSH connections on script exit.

The reason to run the expect script before the ansible playbook is that it uses the native SSH config to establish the connection to your jumphost and create the controlpath before ansible-playbook runs. An expect script is best for handling the returned prompt, as the system passcode prompt is commonly different. This handles it without messing with the ansible code.

The outcome of this has been quite stable over the previous few days of testing.

@ktbyers
Owner

ktbyers commented Mar 1, 2022

I am going to close this, should re-open a new issue if anyone implements a two-factor feature in Netmiko.

@ktbyers ktbyers closed this as completed Mar 1, 2022
@jinjamator

Hi,
FYI I implemented a hackish google-authenticator "driver" for netmiko.
https://github.com/jinjamator/netmiko_2fa_google_authenticator
which also can be used with
https://github.com/jinjamator/netmiko_multihop

@ktbyers
Owner

ktbyers commented Mar 6, 2024

@jinjamator Hmmm, I wonder if we could make a general solution in Netmiko that could be more easily shared. I guess the first step is to figure out how to test it.

@ktbyers ktbyers reopened this Mar 6, 2024
@jinjamator

@ktbyers All customer setups I'm aware of are just asking for a second password with another prompt, so 2FA is straightforward to implement.
An SSH server for testing could use libpam-google-authenticator, which is pretty simple to set up. See https://ubuntu.com/tutorials/configure-ssh-2fa#2-installing-and-configuring-required-packages. My "driver" also uses automatic generation for the OTP.
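
The second-prompt flow described in the comment above, as an added example that is not part of the thread or of either linked repository: RFC 6238 TOTP generation (the scheme libpam-google-authenticator verifies) and a prompt handler using the `(title, instructions, prompts)` callback shape that Paramiko's `Transport.auth_interactive` accepts. The prompt wording, `SAMPLE_SECRET` and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the published RFC 6238 test key, not a real secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme Google Authenticator uses."""
    secret = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def make_handler(password, secret_b32, clock=time.time, sleep=time.sleep):
    """Return a keyboard-interactive callback that answers both prompts."""
    def handler(title, instructions, prompts):
        answers = []
        for prompt, _echo in prompts:
            text = prompt.lower()
            if "verification code" in text:  # assumed OTP prompt wording
                left = 30 - clock() % 30
                if left < 3:
                    # The code is about to roll over; wait for a fresh one
                    # so it does not expire while in flight.
                    sleep(left)
                answers.append(totp(secret_b32, now=clock()))
            elif "password" in text:
                answers.append(password)
            else:
                # Never send a credential to a prompt we do not recognise.
                raise ValueError(f"unexpected prompt: {prompt!r}")
        return answers
    return handler


if __name__ == "__main__":
    reply = make_handler("example-password", SAMPLE_SECRET)
    answers = reply("", "", [("Password: ", False), ("Verification code: ", False)])
    print("current code:", answers[1])
```

Anyone holding the TOTP seed can mint valid codes, so an automation host that stores it needs the same protection as the password it accompanies.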

@ktbyers
Owner

ktbyers commented Mar 11, 2024

Okay, this would be cool/nice to implement. I will see where I am at after I finish the current main project I am working on and see if I can make some time for it.
