Connection with two factor authentication failing #175
Are you able to get debug output (turned all the way up) from OpenSSH on the server side as well? I don't see anything wrong protocol-wise in the client-side debug log you posted.

Also, are you using the Duo Unix setup or are you using their "Native SSH"?

We are using Duo Unix. I was able to set the debug level for SSHD up to debug3. I created a gist with 3 files:
I tried to sanitize the output somewhat. I'm hoping I did enough. From my reading of the debug output, I'm not seeing anything obvious. It's the PAM layer that isn't allowing me in, but then it shouldn't allow me in with the command line either then. There must be a protocol difference somewhere.

I just tested
I also made sure to set these in
And here is the test code I used:

```js
var Connection = require('ssh2');
var readline = require('readline');

var conn = new Connection();
var rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout
});

// Ask the user for each prompt in turn, then send all answers together
conn.on('keyboard-interactive', function redo(name, instructions, instructionsLang, prompts, finish, answers) {
  answers = answers || [];
  if (answers.length < prompts.length) {
    rl.question(prompts[answers.length].prompt, function(answer) {
      answers.push(answer);
      redo(name, instructions, instructionsLang, prompts, finish, answers);
    });
  } else
    finish(answers);
});

// Authenticated: run one command and close the connection when it exits
conn.on('ready', function() {
  rl.close();
  conn.exec('uptime', function(err, stream) {
    if (err) throw err;
    stream.stdout.pipe(process.stdout);
    stream.stderr.pipe(process.stderr);
    stream.on('exit', function() {
      conn.end();
    });
  });
});

conn.connect({
  host: '192.168.10.5',
  port: 22,
  username: 'foo',
  tryKeyboard: true,
  readyTimeout: 99999999 // this gives us more than enough time to manually answer prompts
});
```

If you are still having problems, you might check

Thanks @mscdex for the debugging help. I tested your code, and it worked immediately. I re-examined my code, and the only difference was that I was providing the FWIW, on the CentOS 5 machine that is running this in production (I know, ancient. But production is production...), the file
Otherwise, the configurations match.

Are you prompted for a password and then the duo auth prompt using the code (with no

Yes. I am prompted a password then the Duo Auth prompt with your exact code, with no I am also prompted for a password and then the Duo auth when I provide a password in the connect call.

Well that part makes sense. I'm not sure why it would be failing when

Hi @mscdex, were you able to replicate my issue with Thanks

Unfortunately I haven't been able to reproduce it yet.

I have the same problem. If I remove password from connect it works fine for me. But with password it doesn't work.
I guess this information could be useful.

```js
var Client = require('ssh2').Client;

var conn = new Client();
conn.on('ready', function () {
  console.log('Client :: ready');
  conn.shell(function (err, stream) {
    // Without a stream there is nothing to attach handlers to
    if (err)
      return console.log(err);
    stream.on('close', function () {
      console.log('Stream :: close');
      conn.end();
    }).on('data', function (data) {
      console.log('STDOUT: ' + data.toString());
    }).stderr.on('data', function (data) {
      console.log('STDERR: ' + data.toString());
    });
    stream.write('exit\n');
  });
}).on('keyboard-interactive', function (name, instructions, lang, prompts, finish) {
  // Answer the password prompt first, anything else with the verification code
  if (prompts[0].prompt.indexOf("Password:") != -1) {
    finish(["password"]);
  } else {
    finish(["verification_code"]);
  }
}).on('error', function (err) {
  console.log("Error", err.message);
}).connect({
  host: 'address',
  port: 2124,
  username: 'user',
  tryKeyboard: true,
  password: "password",
  debug: console.log
});
```

Also debug logs https://gist.github.com/zhulduz/88d14479c1cae81f3658

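An added example, not part of the original thread and not code from the ssh2 project: a `keyboard-interactive` handler that picks each answer by matching the prompt text instead of assuming `prompts[0]` exists, replies correctly to a round with zero prompts, and withholds a secret when the server asks for it to be echoed. The rule shape, the prompt patterns and the sample answers are constructed for this example.

```javascript
'use strict';

// rules: [{ match: RegExp, answer: string, secret: boolean }]
// (hypothetical shape chosen for this example, not an ssh2 API)
function makeKeyboardInteractiveHandler(rules, onWithheld) {
  const report = onWithheld || function () {};
  return function (name, instructions, lang, prompts, finish) {
    // A PAM stack may send an info request that carries no prompts;
    // the correct reply is an empty answer list, not a read of prompts[0].
    if (!Array.isArray(prompts) || prompts.length === 0) {
      return finish([]);
    }
    // One answer per prompt, in order, so the response count always matches.
    const answers = prompts.map(function (p) {
      const rule = rules.find(function (r) { return r.match.test(p.prompt); });
      if (!rule) {
        // Unknown prompt: never fall back to sending the password.
        report('unrecognised prompt', p.prompt);
        return '';
      }
      if (rule.secret && p.echo) {
        // The server asked for this answer to be echoed; withhold the secret.
        report('echo requested for secret', p.prompt);
        return '';
      }
      return rule.answer;
    });
    finish(answers);
  };
}

// Constructed sample values; real secrets would come from a prompt or a vault.
const handler = makeKeyboardInteractiveHandler([
  { match: /^Password:/i, answer: 'password', secret: true },
  { match: /^Verification code:/i, answer: '123456', secret: true }
]);

// Wiring with ssh2 (not executed here):
//   conn.on('keyboard-interactive', handler);
```
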
@zhulduz Can you provide debug logs (with debug level turned all the way up) from the sshd process running on the server?

@djw8605 Looking at your sshd error log again, I noticed that something in PAM failed. You may need to add (at least) something like

Of course

```
Dec 1 11:44:39 SAJSDev sshd(pam_google_authenticator)[31422]: Invalid verification code
Dec 1 11:44:40 SAJSDev sshd[31422]: Failed password for 'user' from 'address' port 50355 ssh2
Dec 1 11:44:40 SAJSDev sshd[31422]: Accepted keyboard-interactive/pam for 'user' from 'address' port 50355 ssh2
Dec 1 11:44:40 SAJSDev sshd[31422]: fatal: PAM: pam_setcred(): Permission denied
```

@zhulduz Is

I have checked

@zhulduz Can you try with the last version of

@mscdex it is ok now) Thanks

Closing this for now. If this is still an issue with the most recent version of

Set in sshd_config
This will fix the pam_setcred permission denied issue.

I am using ssh2 to connect to a machine that runs Duo two factor authentication. When it attempts to connect, it says: ECONNRESET.
ssh2 version: ssh2@0.3.6
node version: v0.10.22 (node-webkit 0.8.6)
The order of operations seems to be:
ECONNRESET.
A gist with the debug output is here: https://gist.github.com/djw8605/90c30d3c7d3a168fe3e4
It should be noted that ssh2 works just fine when Duo is not involved, on the same server version (SSH-2.0-OpenSSH_5.3).
Any help would be greatly appreciated.