Hi Nick,
 
Thanks for you mail. I checked the page. I have already set up a working two-factor-authentication, it isn't based on the Radius module but on RSA's own PAM module. It works with normal SSH nicely, but it has problems with x2goclient. I sent a post earlier: it seems that the authentication doesn't directed to the RSA module, but it is somewhat forced to use the "password" method just like when an ssh connection is initiated using the  "-o PreferredAuthentications=password" option.
 
Swizzly
 
Gesendet: Freitag, 13. März 2015 um 21:40 Uhr
Von: "Nick Owen" <nowen@wikidsystems.com>
An: "Mihai Moldovan" <ionic@ionic.de>
Cc: "swizz ly" <swizz.ly@gmx.ch>, "x2go-user@lists.x2go.org" <x2go-user@lists.x2go.org>
Betreff: Re: [X2Go-User] X2Go Two-factor-authentication with SecurID
I can't speak to the RSA pam plugin, but I know that X2Go works with
OTPs using pam-radius. You can see this:
http://wiki.x2go.org/doku.php/doc:deployment-stories:wikid.

(Better to use the standard protocol for easier switching too.)

HTH,

Nick

On Fri, Mar 13, 2015 at 12:12 PM, Mihai Moldovan <ionic@ionic.de> wrote:
> Hi,
>
>
> On 13.03.2015 02:48 PM, swizz ly wrote:
>> [...]
>> In case of the x2goclient-cli Perl script, that comes with the
>> x2goclient source, I found, that for a single x2go connection several
>> (3-4x?) SSH connections are made in the background. In case of SecurID
>> RSA, only the first SSH connection can work with a given PASSCODE, it
>> is accepted only at the first SSH connection.
>> Perhaps the normal x2goclient behaves the same way: it tries to
>> connect using the same PASSCODE several times, and this could be the
>> cause of the problem.
>
> Well, the answer is a little bit complicated.
>
> Yes, it behaves exactly the same way. Several programs are started
> server side.
>
> This includes session discovery and of course starting a new session or
> resuming it.
>
> For that, a new connection is established via libssh. This connection is
> authenticated by any means provided: password, key, or
> keyboard-interactive (i.e., SecurID.)
>
> This said, libssh uses channels for spawning new commands/shells. These
> channels do NO authentication but use the established main connection.
>
> X2Go Client should only open up one connection and then use multiple
> channels over the already authenticated connection for doing its work.
>
> Is it really not and instead opening up multiple connections?
>
>
>
> Mihai
>
>
> _______________________________________________
> x2go-user mailing list
> x2go-user@lists.x2go.org
> http://lists.x2go.org/listinfo/x2go-user



--
Nick Owen -- WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode.net
Get our low-volume newsletter - Notices, updates : http://eepurl.com/zzUeP