On 4/24/20 10:01 AM, James M. Pulver wrote:
> Has anyone ever used X2Go Client (windows, linux, mac) with some sort of MFA that works in SSH? Duo and PortalGuard both support SSH MFA with either a "line client" or easier IMHO an appended password. I was wondering if Duo with the appended code to the password field might work? Also, are there any plans to add a second password field to the clients à la Cisco AnyConnect etc?

We use YubiKey smart cards for our MFA. Load the pkcs11 module into ssh-agent and only accept ssh keys from the smart cards on the remote side. We use IPA with AD trust and users in AD to handle the certificates.
One stumbling block I've run into is x2goclient/libssh not accepting multiple authentication methods via ssh (e.g.:

    AuthenticationMethods gssapi-with-mic,publickey

to require both GSSAPI (so that Kerberos tickets get forwarded) plus the ssh-key). I believe this was added to libssh a while back but I'm still stuck on EL7 that I don't think has it. Single ssh auth mechanism with multiple PAM prompts should work as Stefan noted.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                 https://www.nwra.com/
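
Added example, not part of the message above and not code from x2goclient or libssh: a simplified Python model of how sshd reads AuthenticationMethods (whitespace separates alternative lists, commas join methods that must all succeed in order). It shows why a client that stops after a partial success cannot satisfy the gssapi-with-mic,publickey list while a single keyboard-interactive method with PAM prompts still works. The function names, the handles_partial_success flag and all sample values other than the quoted config line are assumptions made for illustration.

```python
# Simplified model of sshd_config AuthenticationMethods (added example).

def parse_authentication_methods(value):
    """Return a list of method lists, or None for the special value "any"."""
    value = value.strip()
    if value == "any":
        return None
    lists = []
    for chunk in value.split():          # whitespace: alternative lists
        methods = chunk.split(",")       # commas: all required, in order
        if not all(methods):
            raise ValueError(f"empty method name in {chunk!r}")
        lists.append(methods)
    if not lists:
        raise ValueError("AuthenticationMethods needs at least one list")
    return lists


def base_method(method):
    # "keyboard-interactive:pam" names a device; the SSH method is the prefix.
    return method.split(":", 1)[0]


def satisfiable_lists(value, client_methods, handles_partial_success):
    """Lists from `value` that a client could complete.

    client_methods: SSH auth methods the client can perform.
    handles_partial_success (hypothetical flag): whether the client carries on
    with the next method after the server reports partial success.
    """
    lists = parse_authentication_methods(value)
    if lists is None:                    # "any": one supported method is enough
        return [[m] for m in sorted(client_methods)]
    usable = []
    for methods in lists:
        if len(methods) > 1 and not handles_partial_success:
            continue                     # client gives up after the first step
        if all(base_method(m) in client_methods for m in methods):
            usable.append(methods)
    return usable


if __name__ == "__main__":
    both = {"gssapi-with-mic", "publickey"}   # constructed client capabilities
    line = "gssapi-with-mic,publickey"        # the setting quoted in the message
    print(satisfiable_lists(line, both, handles_partial_success=False))
    print(satisfiable_lists(line, both, handles_partial_success=True))
    print(satisfiable_lists("keyboard-interactive:pam",
                            {"keyboard-interactive"}, False))
```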