2-Factor auth does not work #412

Closed
owais opened this Issue Oct 2, 2014 · 7 comments

@owais
owais commented Oct 2, 2014

2-Factor auth when using SSH + google authenticator lib does not work with paramiko. Password logins are disabled.

DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-rsa host key for server.com: #############
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication continues...
DEBUG:paramiko.transport:Methods: [u'keyboard-interactive']
DEBUG:paramiko.transport:[chan 1] Max packet in: 32768 bytes
WARNING:paramiko.transport:Oops, unhandled type 3

keyboard-interactive is enabled on the server in addition to secret key auth, but paramiko does not ask for the authorization code.

@bitprophet
Member

Kinda sorta related to @owais' ticket on Fabric's tracker, fabric/fabric#1202

I reckon getting Fabric some tests that pull Paramiko's 2FA strings could be a good way to enforce that this part of the functionality works. Not sure if that'll happen before or after Fab 2.0.

As I mentioned in that ticket, paramiko definitely has "support" for 2FA in its auth handling subroutines, but whether they function at this point in time seems questionable.

@owais do you have an example of exactly how you've got google auth set up? It's not a tech I have personally used before.

@owais
owais commented Oct 7, 2014

You need to add

AuthenticationMethods publickey,keyboard-interactive to /etc/ssh/sshd_config

auth required pam_google_authenticator.so to /etc/pam.d/sshd

and you need to remove @include common-auth from /etc/pam.d/sshd

Then run google-authenticator as the user you want to enable it for. Don't forget to restart ssh-daemon, and don't log out of the shell to test; try to establish a new session to test, as it might lock you out.
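
An added example, not part of the comment above or of paramiko's code: a small Python audit of the two files named in that setup, reporting when the server would not actually require both the key and the code. The sample file contents are constructed, and only the global section of sshd_config is parsed (an assumption; `Match` blocks are ignored).

```python
# Added example; the file contents at the bottom are constructed samples.
WANTED = ["publickey", "keyboard-interactive"]

def active_lines(text):
    """Yield non-empty lines with '#' comments removed (simplified parsing)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def sshd_auth_methods(sshd_config):
    """Global AuthenticationMethods as a list of alternatives; each
    alternative is the comma-joined chain that must succeed in full."""
    for line in active_lines(sshd_config):
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "match":  # Match blocks are out of scope here
            break
        if keyword == "authenticationmethods":
            # sshd keeps the first value it reads for a keyword
            return [alt.split(",") for alt in parts[1:]]
    return []

def audit(sshd_config, pam_sshd):
    """Return a list of findings; an empty list means the setup matches."""
    findings = []
    alts = sshd_auth_methods(sshd_config)
    if not alts:
        findings.append("AuthenticationMethods is not set globally")
    for alt in alts:
        # 'keyboard-interactive:pam' names a submethod; compare the base name
        if [m.split(":", 1)[0] for m in alt] != WANTED:
            findings.append("chain '%s' is accepted as a complete login" % ",".join(alt))
    pam = [line.split() for line in active_lines(pam_sshd)]
    if not any(f[0].lstrip("-") == "auth" and "pam_google_authenticator.so" in f
               for f in pam):
        findings.append("no auth line loads pam_google_authenticator.so")
    if ["@include", "common-auth"] in pam:
        findings.append("@include common-auth is still active")
    return findings

GOOD_SSHD = "PasswordAuthentication no\nAuthenticationMethods publickey,keyboard-interactive:pam\n"
GOOD_PAM = "#@include common-auth\nauth required pam_google_authenticator.so\n"
# A space instead of the comma turns the two methods into alternatives
WEAK_SSHD = "AuthenticationMethods publickey keyboard-interactive\n"
WEAK_PAM = "@include common-auth\naccount required pam_nologin.so\n"

if __name__ == "__main__":
    print(audit(GOOD_SSHD, GOOD_PAM))
    for finding in audit(WEAK_SSHD, WEAK_PAM):
        print("FINDING:", finding)
```

The space-separated case is the one worth checking for: sshd then treats each method as sufficient on its own, so a key alone completes the login.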

@bitprophet
Member

Thanks! I don't know when I will have time to prioritize this (it's up there but not at the top of the list) but this way when I (or anybody else) next looks at it we've got what we need to confirm & test.

@perryjrandall
Contributor

The problem here also, from what I found, is that paramiko was not properly checking the allowed two factor auth methods. Try my fork and lemme know if this helps.

Fork:
https://github.com/perryjrandall/paramiko
Pull Req:
#467

@PaulFurtado

@perryjrandall Your changes do work for me when using duo for 2 factor authentication at work and MySQL Workbench's SSH tunnel feature to connect to MySQL servers. 🍺

What are the changes we can make to get Perry's changes production ready and merge them? I'd be willing to do some of the work if necessary.

@bitprophet
Member

Rolling this into #467

@bitprophet bitprophet closed this Nov 3, 2015