Hi all,
Is there any X2go client around that would support connecting to SSH with a multi-factor auth like Duo or Yubikey enabled?
--
Grigory Shamov
Site Lead / HPC Specialist
University of Manitoba and DRI Alliance Canada
On 5/25/23 14:54, Grigory Shamov wrote:
We enforce MFA with X2Go and YKs either using ssh-agent with PIV certificates or with password plus OTP. The current x2goclient and libssh combo is able to handle the OTP prompt.
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager                   720-772-5637
NWRA, Boulder/CoRA Office            FAX: 303-415-9702
3380 Mitchell Lane                   orion@nwra.com
Boulder, CO 80301                    https://www.nwra.com/
On 25.05.23 at 22:54, Grigory Shamov wrote:
The stock X2GoClient already has built-in support for several MFA tools.
    "Verification code:",              // GA (http://github.com/google/google-authenticator)
    "One-time password (OATH) for",    // OATH (http://www.nongnu.org/oath-toolkit/pam_oath.html)
    "passcode:",                       // MOTP (http://motp.sourceforge.net)
    "Enter PASSCODE:",                 // SecurID
    "YubiKey for"                      // YubiKey (https://en.wikipedia.org/wiki/YubiKey)
I have successfully used the first two myself, and we have customers using this as well. The neat thing about the first two is that they are free and don't require a hardware token - a free app on a smartphone is enough. Also note that even though the first one is named after Google, it does not require a Google account, nor does it, to my knowledge, "phone home" to Google. Also, you can use any generic TOTP generator on the smartphone side for both; you do not have to use the Google Authenticator app on the smartphone side just because you're using the Google Authenticator plugin on the server side. In fact, due to known security issues with it, I would recommend against using the Google Authenticator app on the smartphone side. However, the server-side plugin is really neat, IMO, and I would prefer it over pam_oath. It has some nice features like providing you with a bunch of backup/emergency codes that you can print out and store somewhere safe.
The one thing to remember is that you do not configure this in X2Go, but in SSH/PAM, as this is what X2Go uses to connect.
If you can log in via SSH using your MFA key/token, you will also be able to use it for X2Go. There will be an additional pop-up after you've entered username and password where you need to enter/paste the one-time password.
If X2GoClient doesn't show the popup, it is because the prompt (again, you can test/verify this via commandline SSH) doesn't match any of the known prompts listed above.
Kind Regards, Stefan Baur
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
Hi Stefan,
Thank you very much for your response! Yes, it looks like our SSH server "interactive" response for Yubikey/Duo is not being recognized by the current X2Go clients. The kind of response that looks like this:
==== (user@host) Duo two-factor login for user:
Enter a passcode or select one of the following options:
Passcode:
We are running an HPC machine here, with user authentication coming from a nation-wide HPC organization that chose Duo for MFA. We cannot easily just pick a random 2nd-factor vendor.
The related common SSH/SFTP/SCP GUI clients like PuTTY, MobaXterm and FileZilla do not seem to have this issue, at least in recent versions. (I just had a user who, out of exasperation, tried to run X2Go over an SSH client created by PuTTY, which is of course impossible.)
-- Grigory Shamov
On 2023-06-01, 1:54 AM, "x2go-user on behalf of Stefan Baur" <x2go-user-bounces@lists.x2go.org on behalf of X2Go-ML-1@baur-itcs.de> wrote:
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
I mean, would it not be better and more general for the X2Go client to parse ANY second-factor response, as other SSH clients somehow managed to do, rather than assume this or that particular second factor to parse?
-- Grigory Shamov
On 8/23/23 12:22, Grigory Shamov wrote:
==== (user@host) Duo two-factor login for user:
Enter a passcode or select one of the following options:
Passcode:
I think the main difference between x2goclient and at least PuTTY is that x2goclient is managing the SSH interaction and feeding the prompts as needed. PuTTY is simply presenting the prompts to the user and allowing them to interact with them. I'm not sure x2goclient has any other way to know that the connection is waiting for more authentication input.
x2go client has the following known prompts:
const QString SshMasterConnection::challenge_auth_code_prompts_[] = {
    "Verification code:",              // GA (http://github.com/google/google-authenticator)
    "One-time password (OATH) for",    // OATH (http://www.nongnu.org/oath-toolkit/pam_oath.html)
    "passcode:",                       // MOTP (http://motp.sourceforge.net)
    "Enter PASSCODE:",                 // SecurID
    "YubiKey for"                      // YubiKey (https://en.wikipedia.org/wiki/YubiKey)
};
which is close. We could either add "Passcode:" for Duo, or make the comparison case-insensitive.
-- Orion Poplawski
There are so many prompts out there that we cannot include them all. AFAIK there's generic support for unknown prompts that pops up a window showing you the prompt (or, generally speaking, the output as received from the remote side) and letting you enter the matching response. I am not sure when this comes up and how to trigger it. I have seen it a few times when testing with a custom MFA at a customer, but I never managed to successfully use it. I don't know why. Maybe some research is required here.
I would suggest testing this mechanism and making it somehow configurable. We could e.g. add a configuration item where you can specify the expected prompt and how to respond to it. Maybe also offer a global configuration where you can hold the expected prompts for multiple MFAs so you do not have to configure that on a per-connection basis.
Uli
On Sat, Aug 26, 2023 at 1:59 AM Orion Poplawski <orion@nwra.com> wrote:
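Orion's point that x2goclient drives the keyboard-interactive exchange itself and therefore has to decide what to feed each prompt, together with his and Uli's proposed fixes (add "Passcode:", compare case-insensitively, make the list configurable, fall back to a generic popup), can be modelled in a few lines. This is an added example written for this thread, not x2goclient code: the prompt fragments are the ones posted above, but the substring matching, the order of checks, the handling of password prompts and the `extra_otp_prompts` configuration are my assumptions about how such a client could behave, not the project's implementation. The Duo exchange is constructed from the prompt Grigory quoted; the other two are constructed from the fragment list.

```python
"""Model of an X2Go-style keyboard-interactive prompt classifier. Added example
for this thread, not x2goclient code; the matching rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fragments from SshMasterConnection::challenge_auth_code_prompts_ as posted in the thread.
STOCK_OTP_PROMPTS: Tuple[str, ...] = (
    "Verification code:",            # google-authenticator
    "One-time password (OATH) for",  # pam_oath
    "passcode:",                     # MOTP
    "Enter PASSCODE:",               # SecurID
    "YubiKey for",                   # YubiKey
)


@dataclass
class PromptPolicy:
    """How the client decides what to do with each keyboard-interactive prompt.
    `extra_otp_prompts` stands in for the per-session / global configuration
    Uli suggested (hypothetical; no such setting exists in the current client)."""
    otp_prompts: Tuple[str, ...] = STOCK_OTP_PROMPTS
    case_insensitive: bool = False
    extra_otp_prompts: Tuple[str, ...] = ()

    def _matches(self, prompt: str, fragment: str) -> bool:
        # Substring match (assumed; fragments like "YubiKey for" only make sense that way).
        if self.case_insensitive:
            return fragment.lower() in prompt.lower()
        return fragment in prompt

    def classify(self, prompt: str) -> str:
        """'otp': show the one-time-password popup; 'password': send the stored
        session password; 'unknown': show a generic popup, auto-fill nothing."""
        # OTP fragments are checked first: "One-time password (OATH) for" would
        # otherwise be mistaken for a plain password prompt.
        for fragment in self.otp_prompts + self.extra_otp_prompts:
            if self._matches(prompt, fragment):
                return "otp"
        if "password" in prompt.lower():
            return "password"
        return "unknown"


def plan_responses(policy: PromptPolicy, prompts: List[str]) -> List[Tuple[str, str]]:
    """For one SSH_MSG_USERAUTH_INFO_REQUEST (possibly several prompts) return
    (action, prompt) pairs. The prompt text is chosen by the server, so anything
    not recognised must end up as 'unknown' rather than receive a stored secret."""
    return [(policy.classify(p), p) for p in prompts]


# Constructed exchanges: one dict per INFO_REQUEST round, as a PAM stack would send them.
EXCHANGES: Dict[str, List[dict]] = {
    "google-authenticator": [
        {"instruction": "", "prompts": ["Password: "]},
        {"instruction": "", "prompts": ["Verification code: "]},
    ],
    "yubikey": [
        {"instruction": "", "prompts": ["YubiKey for `alice': "]},
    ],
    "duo": [  # banner and prompt as quoted in Grigory's message
        {"instruction": "", "prompts": ["Password: "]},
        {"instruction": "(alice@host) Duo two-factor login for alice:\n"
                        "Enter a passcode or select one of the following options:",
         "prompts": ["Passcode: "]},
    ],
}


def otp_prompt_recognised(policy: PromptPolicy, name: str) -> bool:
    """True if every prompt of the named exchange is handled without an 'unknown'."""
    return all(action != "unknown"
               for round_ in EXCHANGES[name]
               for action, _ in plan_responses(policy, round_["prompts"]))


if __name__ == "__main__":
    policies = {
        "stock": PromptPolicy(),
        "case-insensitive": PromptPolicy(case_insensitive=True),
        "configured": PromptPolicy(extra_otp_prompts=("Passcode:",)),
    }
    for label, policy in policies.items():
        print(label, {name: otp_prompt_recognised(policy, name) for name in EXCHANGES})
```

Two things the model makes visible. First, with the stock list the Duo round ends in 'unknown' purely because of the capital P, and either of Orion's fixes resolves it; case-folding "passcode:" also covers the SecurID fragment, which is harmless because all three lead to the same OTP popup. Second, the classifier only ever auto-fills the stored password on a prompt it positively recognises; everything else goes to the user, which is the behaviour the generic popup Uli describes should preserve, since the prompt text is entirely under the remote side's control.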