SFTP issue with DUO Linux configured. #2131

Open
Clifra-Jones opened this issue Oct 26, 2022 · 1 comment
@Clifra-Jones
I have a client connecting to our SFTP server using Paramiko.
We use DUO Linux to force MFA for our administrators when logging in with SSH to our Linux servers.
The client's sftp account is exempt from DUO MFA, but after configuring DUO they cannot establish a session.
We are using public key authentication.

Here is the log they sent me.
```
DEB [20221026-08:38:37.963] thr=2 paramiko.transport: starting thread (client mode): 0xbc9ed400
DEB [20221026-08:38:37.963] thr=2 paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.7.1
DEB [20221026-08:38:37.977] thr=2 paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_8.7
INF [20221026-08:38:37.978] thr=2 paramiko.transport: Connected (version 2.0, client OpenSSH_8.7)
DEB [20221026-08:38:37.981] thr=2 paramiko.transport: kex algos:['curve25519-sha256', 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1'] server key:['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ssh-ed25519'] client encrypt:['aes256-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes256-ctr', 'aes256-cbc', 'aes128-gcm@openssh.com', 'aes128-ctr', 'aes128-cbc'] server encrypt:['aes256-gcm@openssh.com', 'chacha20-poly1305@openssh.com', 'aes256-ctr', 'aes256-cbc', 'aes128-gcm@openssh.com', 'aes128-ctr', 'aes128-cbc'] client mac:['hmac-sha2-256-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256', 'hmac-sha1', 'umac-128@openssh.com', 'hmac-sha2-512'] server mac:['hmac-sha2-256-etm@openssh.com', 'hmac-sha1-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256', 'hmac-sha1', 'umac-128@openssh.com', 'hmac-sha2-512'] client compress:['none', 'zlib@openssh.com'] server compress:['none', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False
DEB [20221026-08:38:37.981] thr=2 paramiko.transport: Kex agreed: ecdh-sha2-nistp256
DEB [20221026-08:38:37.981] thr=2 paramiko.transport: HostKey agreed: ecdsa-sha2-nistp256
DEB [20221026-08:38:37.981] thr=2 paramiko.transport: Cipher agreed: aes128-ctr
DEB [20221026-08:38:37.981] thr=2 paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20221026-08:38:37.982] thr=2 paramiko.transport: Compression agreed: none
DEB [20221026-08:38:37.986] thr=2 paramiko.transport: kex engine KexNistp256 specified hash_algo <built-in function openssl_sha256>
DEB [20221026-08:38:37.986] thr=2 paramiko.transport: Switch to new keys ...
DEB [20221026-08:38:37.987] thr=1 paramiko.transport: Host key verified (ecdsa-sha2-nistp256)
DEB [20221026-08:38:38.020] thr=2 paramiko.transport: userauth is OK
INF [20221026-08:38:38.040] thr=2 paramiko.transport: Authentication continues...
DEB [20221026-08:38:38.040] thr=2 paramiko.transport: Methods: ['keyboard-interactive']
DEB [20221026-08:38:38.040] thr=1 paramiko.transport: [chan 0] Max packet in: 32768 bytes
WAR [20221026-08:38:38.042] thr=2 paramiko.transport: Oops, unhandled type 3 ('unimplemented')
DEB [20221026-08:40:37.980] thr=2 paramiko.transport: EOF in transport thread
```

After I disabled DUO Linux they can now successfully connect using Paramiko.

I believe the issue may have something to do with the ChallengeResponseAuthentication setting in sshd_config.
Duo requires this to be set to "yes".
With Duo disabled it must be set to "no" to prevent a password prompt.

Is there some configuration change I can make on my end to get this to work or something the client can do?

@Clifra-Jones
Author

I installed Paramiko-2.11.0 via pip on my workstation and I am able to connect and upload/download files successfully to my server with Duo configured.
I have not received a response from my client about which version of the software they are using.
I suspect they are using an older version.
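
An added example, not part of the original thread and not Paramiko's own code: a small triage parser for a client-supplied Paramiko debug log in the format quoted in the issue, including the case where line breaks were lost in transit. It reports the client and server version strings, the methods the server still requires after partial authentication, and any unhandled-message warnings. The function and field names are hypothetical, and the sample is an excerpt of the log quoted in the issue.

```python
import ast
import re

# Prefix of one Paramiko log record: level, timestamp, thread id, logger name.
RECORD = re.compile(
    r"(DEB|INF|WAR|ERR) \[(\d{8}-\d{2}:\d{2}:\d{2}\.\d{3})\] thr=(\d+) ([\w.]+): "
)

def split_records(text):
    """Split a log, even one whose line breaks were lost, into (level, message)."""
    marks = list(RECORD.finditer(text))
    out = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        out.append((m.group(1), " ".join(text[m.end():end].split())))
    return out

def summarize(text):
    """Collect the facts a server administrator needs from a client-side log."""
    info = {"local": None, "remote": None, "partial_auth": False,
            "remaining_methods": [], "unhandled": []}
    for level, msg in split_records(text):
        if msg.startswith("Local version/idstring: "):
            info["local"] = msg.split(": ", 1)[1]
        elif msg.startswith("Remote version/idstring: "):
            info["remote"] = msg.split(": ", 1)[1]
        elif msg.startswith("Authentication continues"):
            info["partial_auth"] = True  # one method accepted, more required
        elif msg.startswith("Methods: "):
            try:  # the list is logged as a Python literal; parse it safely
                info["remaining_methods"] = ast.literal_eval(msg.split(": ", 1)[1])
            except (ValueError, SyntaxError):
                info["remaining_methods"] = [msg.split(": ", 1)[1]]
        elif level == "WAR" and "unhandled type" in msg:
            info["unhandled"].append(msg)
    return info

# Excerpt of the log quoted in the issue, run together without line breaks.
SAMPLE = (
    "DEB [20221026-08:38:37.963] thr=2 paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.7.1 "
    "DEB [20221026-08:38:37.977] thr=2 paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_8.7 "
    "DEB [20221026-08:38:38.020] thr=2 paramiko.transport: userauth is OK "
    "INF [20221026-08:38:38.040] thr=2 paramiko.transport: Authentication continues... "
    "DEB [20221026-08:38:38.040] thr=2 paramiko.transport: Methods: ['keyboard-interactive'] "
    "WAR [20221026-08:38:38.042] thr=2 paramiko.transport: Oops, unhandled type 3 ('unimplemented') "
    "DEB [20221026-08:40:37.980] thr=2 paramiko.transport: EOF in transport thread"
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```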
