sftp google authenticator and two factor authentication

[2factorman]

First of all, Great product. Thank you for total commander.

I have a question. Does total commander support 2 factor authentication? If so, can you point me in the direction of a usage tutorial?

I'm able to ssh in to servers and use google authenticator codes from a shell, but, with total commander and other sftp apps it's not too clear.

All the best,

Cheers.

[ghisler(Author)]

No it doesn't - I'm not aware of any documentation on how this is done. Can you give me a hint how this can be enabled on a Linux server with ssh server?

[findftp]

I need this too.
My SSH server is protected with 2FA (google authenticator)
I followed guides like: (URL scrambled because of forum rules)

howtogeek *dotcom* *slash* 121650 *slash* how-to-secure-ssh-with-google-authenticators-two-factor-authentication

Total commander doesn't ask for the 2nd verification number so no connection.

[ghisler(Author)]

Thanks for the link, that's very helpful! I will try to support it.

[Dogora]

Many thanks for your awesome work!

I just added 2-factor TOTP authentication (2fa) to my home Linux box as it seemed like a great idea and adds quite a bit of security to a world-accessible box. It works well with every interactive client I've tried (KiTTY, and ConnectBot on Android, for example). Rather than using Google's code, I'm using the pam_oath.so module supplied by my distro's build service.

So, I upgraded my TotalCommander SFTP plugin to v2.2, which you say supports 2fa. However, it's not working for me. The error returned by the SFTP plugin is as follows:

Code: Select all

UserAuthException: Exhausted available authentication methods
UserAuthException: [PROTOCOL_ERROR] authenticate returned false

I played with my server configuration to make sure it asks for the 2fa code second after asking for the password with the same results.

I looked carefully at the HowToGeek link posted in this thread and the only difference is the text used for prompts. My server prompts as follows:

Code: Select all

login as:
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
One-time password (OATH) for `user':

In the 5th line, "user" is replaced by the user name I typed in at the first "login as:" prompt.

I have looked around and find nothing about changing the prompt text. I guess I could modify the code and recompile, but I thought I'd ask here first.

Do you have any suggestions? Is the plugin maybe looking for certain prompt text?

Thanks again!

[ghisler(Author)]

It works when connecting to a Raspberry PI which I had setup as described here:
http://www.sorinmustaca.com/enable-two-factor-authentication-for-the-ssh-on-your-raspberry-pi/
I get a request dialog titled "Verification code: (connection name)" where I have to paste the Google Authenticator code.

[Dogora]

Thanks for the help!

Hmmm... The SFTP plugin never presents a second dialog for the code. It first asks me for a password because I don't put that in the connection properties.

Looks like another difference in my setup is my server sshd_config has ChallengeResponseAuthentication commented out. The man page for sshd_config says yes is the default. My PAM is obviously working. I'll try changing it to yes and see if it helps.

Edit: that made no difference. Hmmm... something is amiss, but I can't find it.

[ghisler(Author)]

Try enabling ChallengeResponseAuthentication, it is needed for multiple requests from the server (password and code). It doesn't work with regular password authentication, or client certificate authentication.

[Dogora]

Tried that last night with no effect.

I've scoured logs on my server and logcat on Android, but none are showing any more info that what I presented already.

My server sshd_config has

Code: Select all

ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes

Nothing else I see looks amiss, though I'm not an expert (yet). Just about everything is the default from installation except I'm using a different port, which has never caused me problems.

If I disable 2fa in /etc/pam.d/sshd, the SFTP plugin works great, as it has for years now. The line in my config file for the 2fa is:

Code: Select all

auth        required    pam_oath.so usersfile=/etc/users.oath window=30 digits=6

I'd really rather not use Google's authenticator, though it seems safe, and it seems like that's not really the problem. pam_oath works fine everywhere else I've tried.

BTW, I'm using openSUSE, currently Leap 42.3.

[ghisler(Author)]

1. What request do you see when you connect to the server from a shell?
2. Would it be possible to get a read-only test account on your server to test in the debugger what is happening?

[Dogora]

My server prompts look like this:

Code: Select all

login as: user
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
One-time password (OATH) for `user':

The SSH server I'm using is SSH-2.0-OpenSSH_7.2, protocol v2 (of course)

I will look into making a temporary account for you to play with.

Many thanks for your help!

[ghisler(Author)]

I see - the problem is that the library looks for "password" in the request string, and sends the password entered by the user. Since the word "password" also appears in the second request, which should ask for the OTP (One-Time-Pad, NOT One-Time-Password!!!), the login fails.

[Dogora]

I wondered about that...

If you don't want to or can't change your code to deal with this, I understand. I'm just glad I know why.

Is there any particular text the library is looking for in the second prompt?

I looked into changing the prompt from pam_oath.so, but can't find anything about it. It's not a run-time option. I'd rather not modify the source and recompile, but it looks like the only way. I may have time this weekend to try that.

(pam_oath.so is the shared library that handles the OTP. It's called by the PAM system during the login process.)

[Dogora]

I just looked at the source code for pam_oath.so and the prompt is hard coded. Easy enough to change it, I guess.

I'll file a bug report asking the maintainer to change the prompt for the reason you gave.

[Hacker]

Dogora,
... and a discussion about the meaning of OTP will ensue.

Roman