2-Factor auth does not work #412

Closed
owais opened this issue Oct 2, 2014 · 7 comments

owais commented Oct 2, 2014

2-Factor auth when using SSH + google authenticator lib does not work with paramiko. Password logins are disabled.

```
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-rsa host key for server.com: #############
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication continues...
DEBUG:paramiko.transport:Methods: [u'keyboard-interactive']
DEBUG:paramiko.transport:[chan 1] Max packet in: 32768 bytes
WARNING:paramiko.transport:Oops, unhandled type 3
```

keyboard-interactive is enabled on the server in addition to secret key auth, but paramiko does not ask for the authorization code.

@bitprophet
Member

Kinda sorta related to @owais' ticket on Fabric's tracker, fabric/fabric#1202

I reckon getting Fabric some tests that pull Paramiko's 2FA strings could be a good way to enforce that this part of the functionality works. Not sure if that'll happen before or after Fab 2.0.

As I mentioned in that ticket, paramiko definitely has "support" for 2FA in its auth handling subroutines, but whether they function at this point in time seems questionable.

@owais do you have an example of exactly how you've got google auth set up? It's not a tech I have personally used before.

@owais
Author

owais commented Oct 7, 2014

You need to add

`AuthenticationMethods publickey,keyboard-interactive` to `/etc/ssh/sshd_config`

`auth required pam_google_authenticator.so` to `/etc/pam.d/sshd`

and you need to remove `@include common-auth` from `/etc/pam.d/sshd`

Then run `google-authenticator` as the user you want to enable it for. Don't forget to restart ssh-daemon and don't log out of the shell to test; try to establish a new session to test as it might lock you out.
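
An added example, not part of the thread or of paramiko: a small audit that checks the two files named in the comment above for the three changes it lists, and flags any `AuthenticationMethods` list that can complete without both factors. The function names and sample file contents are constructed for illustration, and only the global (pre-`Match`) section of `sshd_config` is examined.

```python
REQUIRED = {"publickey", "keyboard-interactive"}

def active_lines(text):
    """Yield lines with '#' comments and blank lines removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def auth_method_lists(sshd_config):
    """Return the global AuthenticationMethods lists as sets, or None if unset.

    sshd uses the first value it reads for a keyword, keywords are
    case-insensitive, and lines after a Match line are conditional.
    """
    for line in active_lines(sshd_config):
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "authenticationmethods" and len(parts) == 2:
            # Lists are space-separated; "keyboard-interactive:pam" names a submethod.
            return [{m.split(":")[0] for m in lst.split(",")}
                    for lst in parts[1].split()]
    return None

def audit(sshd_config, pam_sshd):
    """Return findings; an empty list means the files match the setup described."""
    findings = []
    lists = auth_method_lists(sshd_config)
    if lists is None:
        findings.append("AuthenticationMethods is not set globally")
    else:
        for methods in lists:
            missing = REQUIRED - methods
            if missing:  # any single list that succeeds grants access
                findings.append("a method list completes without: "
                                + ", ".join(sorted(missing)))
    pam = [line.split() for line in active_lines(pam_sshd)]
    if not any(f[:2] == ["auth", "required"] and len(f) > 2
               and f[2].endswith("pam_google_authenticator.so") for f in pam):
        findings.append("pam_google_authenticator.so is not a required auth module")
    if ["@include", "common-auth"] in pam:
        findings.append("@include common-auth is still active")
    return findings

# Constructed sample inputs, not taken from any real host.
GOOD_SSHD = "AuthenticationMethods publickey,keyboard-interactive\n"
WEAK_SSHD = "authenticationmethods publickey,keyboard-interactive:pam publickey\n"
GOOD_PAM = "# @include common-auth\nauth required pam_google_authenticator.so\n"
WEAK_PAM = "@include common-auth\nauth required pam_google_authenticator.so\n"
```

Run `audit()` on the contents of `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` before restarting the daemon; `WEAK_SSHD` shows how a second list of `publickey` alone lets a login skip the verification code.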

@bitprophet
Member

Thanks! I don't know when I will have time to prioritize this (it's up there but not at the top of the list) but this way when I (or anybody else) next looks at it we've got what we need to confirm & test.

@perryjrandall
Contributor

The problem here also, from what I found, is that paramiko was not properly checking the allowed two factor auth methods. Try my fork and lemme know if this helps.

Fork:
https://github.com/perryjrandall/paramiko
Pull Req:
#467

@PaulFurtado

@perryjrandall Your changes do work for me when using duo for 2 factor authentication at work and MySQL Workbench's SSH tunnel feature to connect to MySQL servers. 🍺

What are the changes we can make to get Perry's changes production ready and merge them? I'd be willing to do some of the work if necessary.

@bitprophet
Member

Rolling this into #467
