Subject: Re: keyboard-interactive login mode for 2-factor authentication

From: Will Cosgrove <will_at_panic.com>
Date: Mon, 20 May 2019 10:52:45 -0700

Hi Alan,
Unfortunately, we’d need a lot more information in this report (and possibly a test server) to see what is happening conclusively. I suspect the client application, not the library, needs to be updated to handle the waterfall behavior of 2FA/keyboard interactive in the same way as OpenSSH for maximum capability. In the applications I develop we fully support 2FA but the waterfall is fairly complicated to maintain compatibility with OpenSSH.

Cheers,

Will

> On May 20, 2019, at 10:35 AM, Alan Nichols <alan.nichols_at_ni.com> wrote:
>
> Hello libssh developers,
>
> I recently ran into an obscure problem when using libssh2 to interact with an openssh client. In resolving the issue, the support staff for the client informed me that “libssh2's implementation of keyboard-interactive logins does not work properly when compared to the way openssh client handles keyboard-interactive.” The support staff implemented a workaround, which they explained to me as follows:
>
> “In order to implement 2FA (two factor auth), sshd_config was configured to use publickey and keyboard-interactive
> as the authentication methods with ChallengeResponseAuthentication enabled.
> sshd handles the publickey part, then passes the remaining authentication logic to PAM (keyboard-interactive).
> PAM for sshd is configured to use google-authenticator if it has been configured for the user.
>
> libssh2 does not properly implement keyboard-interactive which is what was causing your failures.
> To work around this, sshd config was reverted to the original config of using just publickey auth.”
>
> This is fine with me and everything is working as I’d expect. However, I may in the future run up against customers who have a similar problem on their own systems and whose admins may be restricted by company policy from making similar changes to the config files. A better solution would be to have better 2-factor authentication compatibility between libssh2 and openssh.
>
> Can you comment on this? Do you expect this compatibility problem to be resolved in the future and if so, when?
>
> Many thanks,
>
> Alan Nichols
> Development Engineer
> AWR Group, National Instruments
> 1017 W. Glen Oaks Lane, Suite 106
> Mequon, WI 53092
> P: 1.262.241.2383
> F: 1.262.240.0294
> E: alan.nichols_at_ni.com
> http://www.ni.com/awr
>
>
> _______________________________________________
> libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

Received on 2019-05-20
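
An added example, not code from libssh2, OpenSSH, or either poster in this thread: the client-side decision behind the "waterfall" discussed above, for a server that requires publickey followed by keyboard-interactive. It parses the RFC 4252 SSH_MSG_USERAUTH_FAILURE reply and picks the next method to attempt; the preference order, the `next_auth_method` helper, the reset-on-partial-success rule and the sample payloads are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SSH_MSG_USERAUTH_FAILURE 51   /* RFC 4252, section 5.1 */

/* Client preference order: an assumption made for this example. */
static const char *const PREFERRED[] = { "publickey", "keyboard-interactive", "password" };
#define N_PREFERRED (sizeof PREFERRED / sizeof PREFERRED[0])
/* Constructed sample payloads: type, uint32 list length, name-list, partial-success flag. */
static const uint8_t MSG_INITIAL[] = "\x33\0\0\0\x09publickey\0";
static const uint8_t MSG_PARTIAL[] = "\x33\0\0\0\x14keyboard-interactive\x01";
static const uint8_t MSG_REJECT[]  = "\x33\0\0\0\x14keyboard-interactive\0";
#define LEN(m) (sizeof(m) - 1)        /* drop the C string terminator */

/* Return 1 if `name` is an exact element of the comma-separated name-list. */
static int list_has(const uint8_t *list, size_t len, const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0, j; i <= len; i = j + 1) {
        for (j = i; j < len && list[j] != ','; j++) {}
        if (j - i == n && memcmp(list + i, name, n) == 0) return 1;
    }
    return 0;
}

/* Parse one failure reply and choose the next method. `tried` is a bitmask over
 * PREFERRED, cleared on partial success. NULL means malformed or nothing left. */
const char *next_auth_method(const uint8_t *msg, size_t len, unsigned *tried, int *partial) {
    if (len < 6 || msg[0] != SSH_MSG_USERAUTH_FAILURE) return NULL;
    uint32_t n = (uint32_t)msg[1] << 24 | (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 8 | msg[4];
    if (n > len - 6) return NULL;     /* name-list and flag must fit in the buffer */
    *partial = msg[5 + n] != 0;
    if (*partial) *tried = 0;         /* one factor accepted: start over on the new list */
    for (size_t i = 0; i < N_PREFERRED; i++) {
        if ((*tried & (1u << i)) || !list_has(msg + 5, n, PREFERRED[i])) continue;
        *tried |= 1u << i;
        return PREFERRED[i];
    }
    return NULL;
}

int main(void) {
    unsigned tried = 0; int partial = 0;
    const uint8_t *msgs[] = { MSG_INITIAL, MSG_PARTIAL, MSG_REJECT };
    size_t lens[] = { LEN(MSG_INITIAL), LEN(MSG_PARTIAL), LEN(MSG_REJECT) };
    for (int i = 0; i < 3; i++) {
        const char *m = next_auth_method(msgs[i], lens[i], &tried, &partial);
        printf("reply %d: partial=%d next=%s\n", i, partial, m ? m : "(stop)");
    }
    return 0;
}
```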