On 29.06.2016 07:32 PM, Daniel Lo Nigro wrote:
My employer use two-factor authentication via Yubikey. Whenever I SSH to my development server, I use Kerberos to authenticate, and then it prompts for a Yubikey or Duo code. If I try to connect via the X2Go client, I get a message like this:
Authentication failed. Check your GSSApi configuration or choose another authentication method.
Checking the logs on the server, it looks like Kerberos auth is successful, but then X2Go is disconnecting once it receives the keyboard-interactive auth request.
I think it's either Kerberos or nothing. (Or normal keyboard-interactive/2FA.)
I managed to get it working using a super hacky method: I connect to my server via my regular SSH client, and forward some random port (eg. 1234) to localhost:22. Then I connect to localhost:1234 in X2Go, essentially tunneling a new SSH connection over the existing SSH connection. The server is configured to allow local connections to bypass two-factor auth, so this works around the issue in X2Go. It seems silly to tunnel SSH over SSH though.
It kinda is, but that's probably the only way you'll get it to work currently...
Any ideas on how to get this working properly with X2Go? It looks like Paramiko supports this configuration: https://github.com/paramiko/paramiko/pull/467
If Paramiko supports it and PyHoca does, too, you'll might give it a try, but I wouldn't count on it.
Making this work is not trivial because it requires multiple auth sequences against (potentially) different servers.
(Btw.: did we talk on IRC some time back?)
Mihai