sftp google authenticator and two factor authentication
- New Member
- Posts: 1
- Joined: 2017-03-30, 20:16 UTC
sftp google authenticator and two factor authentication
First of all, Great product. Thank you for total commander.
I have a question. Does total commander support 2 factor authentication? If so, can you point me in the direction of a usage tutorial?
I'm able to ssh in to servers and use google authenticator codes from a shell, but, with total commander and other sftp apps it's not too clear.
All the best,
Cheers.
- ghisler(Author)
- Site Admin
- Posts: 48166
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
No it doesn't - I'm not aware of any documentation on how this is done. Can you give me a hint how this can be enabled on a Linux server with ssh server?
Author of Total Commander
https://www.ghisler.com
I need this too.
My SSH server is protected with 2FA (google authenticator)
I followed guides like: (URL scrambled because of forum rules)
howtogeek *dotcom* *slash* 121650 *slash* how-to-secure-ssh-with-google-authenticators-two-factor-authentication
Total commander doesn't ask for the 2nd verification number so no connection.
- ghisler(Author)
- Site Admin
- Posts: 48166
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Thanks for the link, that's very helpful! I will try to support it.
Author of Total Commander
https://www.ghisler.com
Re: sftp google authenticator and two factor authentication
Many thanks for your awesome work!
I just added 2-factor TOTP authentication (2fa) to my home Linux box as it seemed like a great idea and adds quite a bit of security to a world-accessible box. It works well with every interactive client I've tried (KiTTY, and ConnectBot on Android, for example). Rather than using Google's code, I'm using the pam_oath.so module supplied by my distro's build service.
So, I upgraded my TotalCommander SFTP plugin to v2.2, which you say supports 2fa. However, it's not working for me. The error returned by the SFTP plugin is as follows:
Code:
UserAuthException: Exhausted available authentication methods
UserAuthException: [PROTOCOL_ERROR] authenticate returned false
I played with my server configuration to make sure it asks for the 2fa code second after asking for the password with the same results.
I looked carefully at the HowToGeek link posted in this thread and the only difference is the text used for prompts. My server prompts as follows:
Code:
login as:
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
One-time password (OATH) for `user':
In the 5th line, "user" is replaced by the user name I typed in at the first "login as:" prompt.
I have looked around and find nothing about changing the prompt text. I guess I could modify the code and recompile, but I thought I'd ask here first.
Do you have any suggestions? Is the plugin maybe looking for certain prompt text?
Thanks again!
- ghisler(Author)
- Site Admin
- Posts: 48166
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Re: sftp google authenticator and two factor authentication
It works when connecting to a Raspberry Pi which I had set up as described here:
http://www.sorinmustaca.com/enable-two-factor-authentication-for-the-ssh-on-your-raspberry-pi/
I get a request dialog titled "Verification code: (connection name)" where I have to paste the Google Authenticator code.
Author of Total Commander
https://www.ghisler.com
Re: sftp google authenticator and two factor authentication
Thanks for the help!
Hmmm... The SFTP plugin never presents a second dialog for the code. It first asks me for a password because I don't put that in the connection properties.
Looks like another difference in my setup is my server sshd_config has ChallengeResponseAuthentication commented out. The man page for sshd_config says yes is the default. My PAM is obviously working. I'll try changing it to yes and see if it helps.
Edit: that made no difference. Hmmm... something is amiss, but I can't find it.
- ghisler(Author)
- Site Admin
- Posts: 48166
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Re: sftp google authenticator and two factor authentication
Try enabling ChallengeResponseAuthentication, it is needed for multiple requests from the server (password and code). It doesn't work with regular password authentication, or client certificate authentication.
Author of Total Commander
https://www.ghisler.com
Re: sftp google authenticator and two factor authentication
Tried that last night with no effect.
I've scoured logs on my server and logcat on Android, but none are showing any more info than what I presented already.
My server sshd_config has
Code:
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
Nothing else I see looks amiss, though I'm not an expert (yet). Just about everything is the default from installation except I'm using a different port, which has never caused me problems.
If I disable 2fa in /etc/pam.d/sshd, the SFTP plugin works great, as it has for years now. The line in my config file for the 2fa is:
Code:
auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6
I'd really rather not use Google's authenticator, though it seems safe, and it seems like that's not really the problem. pam_oath works fine everywhere else I've tried.
BTW, I'm using openSUSE, currently Leap 42.3.
- ghisler(Author)
- Site Admin
- Posts: 48166
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Re: sftp google authenticator and two factor authentication
1. What request do you see when you connect to the server from a shell?
2. Would it be possible to get a read-only test account on your server to test in the debugger what is happening?
Author of Total Commander
https://www.ghisler.com
Re: sftp google authenticator and two factor authentication
My server prompts look like this:
Code:
login as: user
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
One-time password (OATH) for `user':
The SSH server I'm using is SSH-2.0-OpenSSH_7.2, protocol v2 (of course)
I will look into making a temporary account for you to play with.
Many thanks for your help!
- ghisler(Author)
- Site Admin
- Posts: 48166
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Re: sftp google authenticator and two factor authentication
I see - the problem is that the library looks for "password" in the request string, and sends the password entered by the user. Since the word "password" also appears in the second request, which should ask for the OTP (One-Time-Pad, NOT One-Time-Password!!!), the login fails.
Author of Total Commander
https://www.ghisler.com
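The prompt-matching failure described in the post above, as an added example (not code from the SFTP plugin or its SSH library). It replays the two keyboard-interactive prompt sequences quoted in this thread against a substring-matching responder and against one that checks for OTP wording first; the function names, hint patterns, password and code are constructed for illustration.

```python
import re

# Prompt sequences quoted in this thread; the echo flags are assumed to be off.
PAM_OATH = [("Password: ", False), ("One-time password (OATH) for `user': ", False)]
GOOGLE_AUTH = [("Password: ", False), ("Verification code: ", False)]

# Hypothetical hint patterns; a real client would make these configurable.
OTP_HINT = re.compile(r"one[- ]time|\botp\b|oath|verification code|token", re.I)
PWD_HINT = re.compile(r"password|passphrase", re.I)


def naive_responder(prompt, stored_password, ask_user):
    """Behaviour described in the thread: 'password' anywhere in the prompt wins."""
    if "password" in prompt.lower():
        return stored_password
    return ask_user(prompt)


def careful_responder_factory():
    """Check OTP wording before password wording; send the stored password at most once."""
    state = {"password_sent": False}

    def respond(prompt, stored_password, ask_user):
        if OTP_HINT.search(prompt):
            return ask_user(prompt)
        if PWD_HINT.search(prompt) and not state["password_sent"]:
            state["password_sent"] = True
            return stored_password
        return ask_user(prompt)  # unknown or repeated prompt: show it to the user

    return respond


def run_login(prompts, responder, password="hunter2", otp="123456"):
    """Toy server side: the first answer must be the password, the second the OTP."""
    ask_user = lambda prompt: otp  # stands in for the dialog where the user types the code
    answers = [responder(p, password, ask_user) for p, _echo in prompts]
    return answers == [password, otp]


def results():
    return {
        "naive/google": run_login(GOOGLE_AUTH, naive_responder),
        "naive/pam_oath": run_login(PAM_OATH, naive_responder),
        "careful/google": run_login(GOOGLE_AUTH, careful_responder_factory()),
        "careful/pam_oath": run_login(PAM_OATH, careful_responder_factory()),
    }


if __name__ == "__main__":
    for name, ok in results().items():
        print(f"{name:18} {'login ok' if ok else 'login FAILED'}")
```

Only the naive responder against the pam_oath prompt fails, which matches the behaviour reported in the thread: the stored password is sent a second time where the code was expected.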
Re: sftp google authenticator and two factor authentication
I wondered about that...
If you don't want to or can't change your code to deal with this, I understand. I'm just glad I know why.
Is there any particular text the library is looking for in the second prompt?
I looked into changing the prompt from pam_oath.so, but can't find anything about it. It's not a run-time option. I'd rather not modify the source and recompile, but it looks like the only way. I may have time this weekend to try that.
(pam_oath.so is the shared library that handles the OTP. It's called by the PAM system during the login process.)
Re: sftp google authenticator and two factor authentication
I just looked at the source code for pam_oath.so and the prompt is hard coded. Easy enough to change it, I guess.
I'll file a bug report asking the maintainer to change the prompt for the reason you gave.
Re: sftp google authenticator and two factor authentication
Dogora,
... and a discussion about the meaning of OTP will ensue.
Roman
Suppose you press Ctrl+F, select the FTP connection (with a saved password), but instead of clicking Connect, you drop dead.