Re: sftp google authenticator and two factor authentication

Posted: 2018-08-03, 19:52 UTC
by ghisler(Author)
Is there any particular text the library is looking for in the second prompt?
No, it's not - it just looks for "password" in any prompt, and assumes that it asks for the password then. I can try to exclude the above string, but then another server will surely come up with a slightly different request string...

Re: sftp google authenticator and two factor authentication

Posted: 2018-08-05, 21:24 UTC
by Dogora
Well, after playing around for too long, I give up.

I tried the Google Authenticator PAM module and the plugin prompted a second time for the verification code as expected. But, it never logs in. My server logs show the error "invalid verification code".

Then I went back to the other 2fa module, pam_oath.so. However, I used a hex editor to hack it so it prompts 'passward' instead of 'password'. The plugin now asks for the second code showing the hacked prompt. But, it doesn't work either. The server log says 'failed password'.

Every other method I have tried works. The plugin works for you guys, so I understand your position.

Many thanks for all your help. I will revisit this later when I have more time and get tired of working around it.

Re: sftp google authenticator and two factor authentication

Posted: 2018-08-06, 07:00 UTC
by ghisler(Author)
Sorry to hear that you couldn't get it to work! Google Authenticator only works when 3 conditions are met:
1. The seed value is entered correctly
2. The time of both the server and the client are accurate (to about 1 minute)
3. The time zone is set correctly, because Google Authenticator uses UTC (universal time) for the time factor
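
The three conditions above, shown with an added example that is not part of the original post: a minimal RFC 6238 TOTP generator and verifier in Python. The seed is the RFC 6238 test key, and the `window` parameter (how many 30-second steps of drift are tolerated) is an assumption of this sketch, not a setting taken from the thread.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(seed_b32: str, utc_seconds: int, digits: int = 6) -> str:
    """Code for a Base32 seed at a UTC Unix timestamp (HMAC-SHA1)."""
    s = seed_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # authenticator apps usually omit padding
    key = base64.b32decode(s)
    counter = struct.pack(">Q", utc_seconds // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed_b32: str, code: str, server_utc: int, window: int = 1):
    """Return the step offset (-window..window) that matched, else None."""
    for drift in range(-window, window + 1):
        candidate = totp(seed_b32, server_utc + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return drift
    return None

# Constructed sample: the RFC 6238 test key, Base32-encoded as an app stores it.
SEED = base64.b32encode(b"12345678901234567890").decode()
SERVER_NOW = 1111111109               # RFC 6238 test timestamp (UTC)

if __name__ == "__main__":
    # Condition 1: same seed, same time -> same code on both sides.
    print("server expects:", totp(SEED, SERVER_NOW))
    # Condition 2: a client 2 s ahead is already in the next step; it is
    # accepted only because the verifier tolerates +/- 1 step.
    ahead = totp(SEED, SERVER_NOW + 2)
    print("2 s ahead, window=1:", verify(SEED, ahead, SERVER_NOW))
    print("2 s ahead, window=0:", verify(SEED, ahead, SERVER_NOW, window=0))
    # Condition 3: a clock that is one hour off (local time treated as UTC)
    # lands 120 steps away and is rejected.
    hour_off = totp(SEED, SERVER_NOW + 3600)
    print("1 h off:", verify(SEED, hour_off, SERVER_NOW))
```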

Re: sftp google authenticator and two factor authentication

Posted: 2018-08-08, 00:52 UTC
by Dogora
Thanks, but I'm good with all that. My server uses NTP and my phone gets its time from the carrier. I'm using andOTP on the phone to generate the codes. Every other method I've tried for SSH or SFTP works, so my TOTP codes are working fine.

Since I just got key file login (pem) to work with the SFTP plugin, I'm good. I can SSH in as needed with 2fa from any terminal program, and SFTP in with the plugin using my key file.

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-18, 08:45 UTC
by BobFx
I couldn't manage to log in with the 2fa module.

If I enter username and password the following error appears:

Error: Authentication by password failed

After that a new password dialog prompts, but after entering, another error appears:

Error: Authentication by keyboard-interactive failed


If I use putty I can log in successfully.
This is the putty dialog:

login as: bob
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:

Any hint what's the problem here?

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-18, 15:08 UTC
by ghisler(Author)
The second prompt for the 2 factor probably looks like a password request, so TC sends the password again instead of asking for the second factor.
Could you try logging in to the SSH server with Putty or other text mode SSH client, and tell me the exact wording of the 2 factor prompt?

Some servers seem to send something like "Please enter the second factor password" or similar nonsense.

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-19, 07:52 UTC
by BobFx
When I log in via Putty the 2 factor prompt is:

Verification code:

These messages I can see in /var/log/auth.log

Mar 18 18:46:18 nas sshd(pam_google_authenticator)[20984]: Invalid verification code
Mar 18 18:46:21 nas sshd[20984]: Failed password for bob from 192.168.0.40 port 23606 ssh2
Mar 18 18:46:36 nas sshd[21333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.40 user=bob
Mar 18 18:46:38 nas sshd[20984]: error: PAM: Authentication failure for bob from 192.168.0.40
Mar 18 18:46:38 nas sshd[20984]: Received disconnect from 192.168.0.40: 11: Shutdown [preauth]

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-19, 10:02 UTC
by ghisler(Author)
Strange, that should work just fine with my plugin. Sorry, no idea what could be wrong. I would need a test account to test it in a debugger. I would only need user name and password but not the google auth code, so I can single step through my code to see why the prompt doesn't work. I don't need the actual login to succeed.

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-21, 08:39 UTC
by BobFx
Thank you for your support. I sent you a mail with the connection data.

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-21, 09:25 UTC
by ghisler(Author)
Got it, thanks! I will try it and send you a pre-release plugin via e-mail if I find a solution.

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-21, 11:26 UTC
by ghisler(Author)
2BobFx
I get the correct prompts for password and "Verification code:" from both of your servers. It's reversed on the second one. Login succeeds with your scratch codes, but I get an immediate "Session closed" error after logging in.

1. Have you tried to access your second server with my SFTP plugin?
2. Do you get the "Verification code:" prompt?
3. If not, can you check that you really have the latest plugin version 2.30? Just long tap on the plugin name in the home folder of Total Commander and choose "Properties".

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-21, 12:08 UTC
by BobFx
I used the latest version that can be downloaded from https://www.ghisler.com/plugins.htm
There is only version 2.20. Where can I get version 2.30?

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-21, 13:44 UTC
by BobFx
<facepalm> sorry,
I just noticed that this thread is about Total Commander on Android. The problems I mentioned occur in the Windows version of Total Commander.

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-22, 10:22 UTC
by ghisler(Author)
Oh, that's something completely different. I have tried with your two servers:
1. Both report that they support password authentication and keyboard interactive. Only the latter supports verification codes. Therefore you should disable password authentication on the server. Otherwise TC will try password authentication first.
2. The first server seems to work OK after the failed password authentication: TC first sends the password, and then asks for the verification code
3. The second server doesn't work - in the plugin, it's hard coded to send the password first. This is done so password prompts in other languages also work.

With Linux sshd, you need to change /etc/ssh/ssh_config as follows:
PasswordAuthentication no
ChallengeResponseAuthentication yes
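
The prompt handling discussed in this thread (the "looks for 'password' in any prompt" heuristic, the second-factor prompt that contains the word "password", and the hard-coded "send the password first" order) compared side by side in an added Python sketch that is not the plugin's code. The policy functions, `OTP_HINT` and the `hardened_policy` rule are assumptions made for illustration; the prompt strings are taken from the posts above.

```python
import re

# Words that suggest a second-factor prompt (assumed list, extend as needed).
OTP_HINT = re.compile(r"verif|one[- ]?time|otp|token|second factor|2fa|code", re.I)

def substring_policy(prompt, index, sent_before):
    """Heuristic from the thread: any prompt mentioning 'password' gets it."""
    return "password" in prompt.lower()

def fixed_order_policy(prompt, index, sent_before):
    """Language-independent variant: the first prompt always gets it."""
    return index == 0

def hardened_policy(prompt, index, sent_before):
    """Assumed rule: send the saved password at most once per login and
    never to a prompt that looks like a second-factor request."""
    return not sent_before and not OTP_HINT.search(prompt)

def answer_plan(policy, prompts):
    """For each keyboard-interactive prompt, decide whether the client
    replies with the saved password or shows the prompt to the user."""
    plan, sent = [], False
    for index, prompt in enumerate(prompts):
        use_saved = policy(prompt, index, sent)
        sent = sent or use_saved
        plan.append("saved-password" if use_saved else "ask-user")
    return plan

# Prompt sequences as described in the thread.
PUTTY_ORDER = ["Password:", "Verification code:"]
REVERSED = ["Verification code:", "Password:"]
AMBIGUOUS = ["Password:", "Please enter the second factor password"]

if __name__ == "__main__":
    for name, policy in [("substring", substring_policy),
                         ("fixed-order", fixed_order_policy),
                         ("hardened", hardened_policy)]:
        for label, prompts in [("putty order", PUTTY_ORDER),
                               ("reversed", REVERSED),
                               ("ambiguous", AMBIGUOUS)]:
            print(f"{name:12} {label:12} {answer_plan(policy, prompts)}")
```

Any row where "saved-password" lands on the second-factor prompt is a login that the server records as a failed attempt.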

Re: sftp google authenticator and two factor authentication

Posted: 2019-03-22, 11:01 UTC
by BobFx
Yes, I also thought that's a completely different problem. I just googled for it, found this thread and didn't notice the header "Total Commander for Android", sorry again for that.

On the 1. server:
I disabled password authentication. The first time, the login didn't work until I noticed that I have to save the password in the property dialog of the sftp connection.
If the password isn't saved, then no verification dialog appears after the password prompt. Did you test with a non-saved password?
Nevertheless this solution works well for me.

2. server:
Unfortunately this is an externally hosted server and I can't configure PAM to prompt for the password first. So I will contact the administrator, perhaps he can adjust this.