New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2-Factor auth does not work #412

Closed
owais opened this Issue Oct 2, 2014 · 7 comments

Comments

Projects
None yet
4 participants
@owais

owais commented Oct 2, 2014

2-Factor auth when using SSH + google authenticator lib does not work with paramiko. Password logins are disabled.

DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Adding ssh-rsa host key for server.com: #############
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:Trying SSH agent key *********************************************
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication continues...
DEBUG:paramiko.transport:Methods: [u'keyboard-interactive']
DEBUG:paramiko.transport:[chan 1] Max packet in: 32768 bytes
WARNING:paramiko.transport:Oops, unhandled type 3

keyboard-interactive is enabled on the server in addition to secret key auth but paramiko does not ask for authorization code

@bitprophet

This comment has been minimized.

Member

bitprophet commented Oct 7, 2014

Kinda sorta related to @owais' ticket on Fabric's tracker, fabric/fabric#1202

I reckon getting Fabric some tests that pull Paramiko's 2FA strings could be a good way to enforce that this part of the functionality works. Not sure if that'll happen before or after Fab 2.0.

As I mentioned in that ticket, paramiko definitely has "support" for 2FA in its auth handling subroutines, but whether they function at this point in time seems questionable.

@iwais do you have an example of exactly how you've got google auth set up? It's not a tech I have personally used before.

@owais

This comment has been minimized.

owais commented Oct 7, 2014

You need to add

AuthenticationMethods publickey,keyboard-interactive to /etc/ssh/sshd_config

auth required pam_google_authenticator.so to /etc/pam.d/sshd

and you need to remove @include common-auth from /etc/pam.d/sshd

Then run google-authenticator as the user you want to enable it for. Don't forget to restart ssh-daemon and don't logout of the shell to test; try to establish a new session to test as it might lock you out.

@bitprophet

This comment has been minimized.

Member

bitprophet commented Oct 8, 2014

Thanks! I don't know when I will have time to prioritize this (it's up there but not at the top of the list) but this way when I (or anybody else) next looks at it we've got what we need to confirm & test.

@perryjrandall

This comment has been minimized.

Contributor

perryjrandall commented Dec 24, 2014

The problem here also from what I found is that paramiko was not properly checking the allowed two factor auth methods, try my fork and lemme know if this helps

Fork:
https://github.com/perryjrandall/paramiko
Pull Req:
#467

@PaulFurtado

This comment has been minimized.

PaulFurtado commented Oct 14, 2015

@perryjrandall Your changes do work for me when using duo for 2 factor authentication at work and MySQL Workbench's SSH tunnel feature to connect to MySQL servers. 🍺

What are the changes we can make Perry's changes production ready and merge them? I'd be willing to do some of the work if necessary.

@bitprophet

This comment has been minimized.

Member

bitprophet commented Nov 3, 2015

Rolling this into #467

@bitprophet bitprophet closed this Nov 3, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment