sftp google authenticator and two factor authentication

Support for Android version of Total Commander

Moderators: Stefan2, white, sheep, Hacker

User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37363
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: sftp google authenticator and two factor authentication

Post by *ghisler(Author) » 2018-08-03, 19:52 UTC

Is there any particular text the library is looking for in the second prompt?
No, it's not - it just looks for "password" in any prompt, and assumes that it asks for the password then. I can try to exclude the above string, but then another server will surely come up with a slightly different request string...
Author of Total Commander
http://www.ghisler.com

Dogora
Junior Member
Junior Member
Posts: 8
Joined: 2018-07-30, 14:09 UTC

Re: sftp google authenticator and two factor authentication

Post by *Dogora » 2018-08-05, 21:24 UTC

Well, after playing around for too long, I give up.

I tried the Google Authenticator PAM module and the plugin prompted a second time for the verification code as expected. But, it never logs in. My server logs show the error "invalid verification code".

Then I went back to the other 2fa module, pam_oath.so. However, I used a hex editor to hack it so it prompts 'passward' instead of 'password'. The plugin now asks for the second code showing the hacked prompt. But, it doesn't work either. The server log says 'failed password'.

Every other method I have tried works. The plugin works for you guys, so I understand your position.

Many thanks for all your help. I will revisit this later when I have more time and get tired of working around it.
Last edited by Dogora on 2018-08-06, 13:08 UTC, edited 1 time in total.

User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37363
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: sftp google authenticator and two factor authentication

Post by *ghisler(Author) » 2018-08-06, 07:00 UTC

Sorry to hear that you couldn't get it to work! Google Authenticator only works when 3 conditions are met:
1. The seed value is entered correctly
2. The time of both the server and the client are accurate (to about 1 minute)
3. The time zone is set correctly, because Google Authenticator uses UTC (universal time) for the time factor
Author of Total Commander
http://www.ghisler.com

Dogora
Junior Member
Junior Member
Posts: 8
Joined: 2018-07-30, 14:09 UTC

Re: sftp google authenticator and two factor authentication

Post by *Dogora » 2018-08-08, 00:52 UTC

Thanks, but I'm good with all that. My server uses NTP and my phone gets its time from the carrier. I'm using andOTP on the phone to generate the codes. Every other method I've tried for SSH or SFTP works, so my TOTP codes are working fine.

Since I just got key file login (pem) to work with the SFTP plugin, I'm good. I can SSH in as needed with 2fa from any terminal program, and SFTP in with the plugin using my key file.

BobFx
Junior Member
Junior Member
Posts: 7
Joined: 2019-03-18, 08:33 UTC
Location: Germany

Re: sftp google authenticator and two factor authentication

Post by *BobFx » 2019-03-18, 08:45 UTC

I couldn't manage to log in with 2fa module.

If I enter username and password the following error appears:

Error: Authentication by password failed

After that a new password dialog prompts, but after entering, another error appears:

Error: Authentication by keyboard-interactive failed


If I use putty I can log in successfully.
This is the putty dialog:

login as: bob
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:

Any hint what's the problem here?

User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37363
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: sftp google authenticator and two factor authentication

Post by *ghisler(Author) » 2019-03-18, 15:08 UTC

The second prompt for the 2 factor probably looks like a password request, so TC sends the password again instead of asking for the second factor.
Could you try logging in to the SSH server with Putty or other text mode SSH client, and tell me the exact wording of the 2 factor prompt?

Some servers seend to send something like "Please enter the second factor password" or similar nonsense.
Author of Total Commander
http://www.ghisler.com

BobFx
Junior Member
Junior Member
Posts: 7
Joined: 2019-03-18, 08:33 UTC
Location: Germany

Re: sftp google authenticator and two factor authentication

Post by *BobFx » 2019-03-19, 07:52 UTC

When I log in via Putty the 2 factor prompt is:

Verification code:

These messages I can see in /var/log/auth.log

Mar 18 18:46:18 nas sshd(pam_google_authenticator)[20984]: Invalid verification code
Mar 18 18:46:21 nas sshd[20984]: Failed password for bob from 192.168.0.40 port 23606 ssh2
Mar 18 18:46:36 nas sshd[21333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.40 user=bob
Mar 18 18:46:38 nas sshd[20984]: error: PAM: Authentication failure for bob from 192.168.0.40
Mar 18 18:46:38 nas sshd[20984]: Received disconnect from 192.168.0.40: 11: Shutdown [preauth]

User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37363
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: sftp google authenticator and two factor authentication

Post by *ghisler(Author) » 2019-03-19, 10:02 UTC

Strange, that should work just fine with my plugin. Sorry, no idea what could be wrong. I would need a test account to test it in a debugger. I would only need user name and password but not the google auth code, so I can single step through my code to see why the prompt doesn't work. I don't need the actual login to succeed.
Author of Total Commander
http://www.ghisler.com

BobFx
Junior Member
Junior Member
Posts: 7
Joined: 2019-03-18, 08:33 UTC
Location: Germany

Re: sftp google authenticator and two factor authentication

Post by *BobFx » 2019-03-21, 08:39 UTC

Thank you for your support. I sent you a mail with the connection data.

User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37363
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: sftp google authenticator and two factor authentication

Post by *ghisler(Author) » 2019-03-21, 09:25 UTC

Got it, thanks! I will try it and send you a pre-release plugin via e-mail if I find a solution.
Author of Total Commander
http://www.ghisler.com

User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37363
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: sftp google authenticator and two factor authentication

Post by *ghisler(Author) » 2019-03-21, 11:26 UTC

2BobFx
I get the correct prompts for password and "Verification code:" from both of your servers. It's reversed on the second one. Login succeeds with your scratch codes, but I get an immediate "Session closed" error after logging in.

1. Have you tried to access your second server with my SFTP plugin?
2. Do you get the "Verification code:" prompt?
3. If not, can you check that you really have the latest plugin version 2.30? Just long tap on the plugin name in the home folder of Total Commander and choose "Properties".
Author of Total Commander
http://www.ghisler.com

BobFx
Junior Member
Junior Member
Posts: 7
Joined: 2019-03-18, 08:33 UTC
Location: Germany

Re: sftp google authenticator and two factor authentication

Post by *BobFx » 2019-03-21, 12:08 UTC

I used the latest version that can be downloaded from https://www.ghisler.com/plugins.htm
There is only version 2.20. Where can I get version 2.30?

BobFx
Junior Member
Junior Member
Posts: 7
Joined: 2019-03-18, 08:33 UTC
Location: Germany

Re: sftp google authenticator and two factor authentication

Post by *BobFx » 2019-03-21, 13:44 UTC

<facepalm> sorry,
I just noticed that this thread is about Total Commander on Android. The problems I mentioned are faced to the Windows Version of Total Commander.

User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 37363
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: sftp google authenticator and two factor authentication

Post by *ghisler(Author) » 2019-03-22, 10:22 UTC

Oh, that's something completely different. I have tried with your two servers:
1. Both report that they support password authentication and keyboard interactive. Only the latter supports verification codes. Therefore you should disable password authentication on the server. Otherwise TC will try password authentication first.
2. The first server seems to work OK after the failed password authentication: TC first sends the password, and then asks for the verification code
3. The second server doesn't work - in the plugin, it's hard coded to send the password first. This is done so password prompts in other languages also work.

With Linux sshd, you need to change /etc/ssh/ssh_config as follows:
PasswordAuthentication no
ChallengeResponseAuthentication yes
Author of Total Commander
http://www.ghisler.com

BobFx
Junior Member
Junior Member
Posts: 7
Joined: 2019-03-18, 08:33 UTC
Location: Germany

Re: sftp google authenticator and two factor authentication

Post by *BobFx » 2019-03-22, 11:01 UTC

yes, I also thought that's a completly different problem. I just googled for it, found this thread and doesn't noticed the header "Total Commander for Android", sorry again for that.

On the 1. server:
I disabled password authentication. The first time the login doesn't worked until I noticed that I have to save the password in the property dialog of the sftp connection.
If the password isn't saved, then no verification dialog appears after the password prompt. Did you test with a non-saved password?
Nevertheless this solution works well for me.

2. server:
Unfortunately this is an external hosted server and I can't configure PAM to prompt for the password first. So I will contact the adminsitrator, perhaps he can adjust this.

Post Reply