[X2Go-User] x2go with SSH two-factor authentication

Mihai Moldovan ionic at ionic.de
Sun Jul 17 09:44:52 CEST 2016


On 29.06.2016 07:32 PM, Daniel Lo Nigro wrote:
> My employer uses two-factor authentication via Yubikey. Whenever I SSH to my
> development server, I use Kerberos to authenticate, and then it prompts for a
> Yubikey or Duo code. If I try to connect via the X2Go client, I get a message
> like this:
> 
> Authentication failed.
> Check your GSSApi configuration or choose another authentication method.
> 
> Checking the logs on the server, it looks like Kerberos auth is successful, but
> then X2Go is disconnecting once it receives the keyboard-interactive auth request.

I think it's either Kerberos or nothing. (Or normal keyboard-interactive/2FA.)


> I managed to get it working using a super hacky method: I connect to my server
> via my regular SSH client, and forward some random port (eg. 1234) to
> localhost:22. Then I connect to localhost:1234 in X2Go, essentially tunneling a
> new SSH connection over the existing SSH connection. The server is configured to
> allow local connections to bypass two-factor auth, so this works around the
> issue in X2Go. It seems silly to tunnel SSH over SSH though.

It kinda is, but that's probably the only way you'll get it to work currently...


> Any ideas on how to get this working properly with X2Go? It looks like Paramiko
> supports this configuration: https://github.com/paramiko/paramiko/pull/467

If Paramiko supports it and PyHoca does, too, you might give it a try, but I
wouldn't count on it.

Making this work is not trivial because it requires multiple auth sequences
against (potentially) different servers.

(Btw.: did we talk on IRC some time back?)



Mihai
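
Added example, not part of the original mail and not X2Go or Paramiko code: the port-forward workaround quoted above succeeds because the tunneled connection reaches sshd from localhost, so an exemption for local addresses also covers every session forwarded through the server. The Python below audits sshd_config text for Match Address blocks that relax AuthenticationMethods for loopback; the sample configuration is constructed (the poster's real configuration is not shown) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample, not the poster's real configuration.
SAMPLE_CONFIG = """\
AuthenticationMethods gssapi-with-mic,keyboard-interactive
AllowTcpForwarding yes

Match Address 127.0.0.1,::1
    AuthenticationMethods gssapi-with-mic
"""
LOOPBACK = (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1"))

def covers_loopback(patterns):
    """True if a plain address or CIDR in a Match Address list includes loopback."""
    for pat in patterns.split(","):
        try:
            net = ipaddress.ip_network(pat, strict=False)
        except ValueError:  # negated or wildcard patterns are not evaluated here
            continue
        if any(lo in net for lo in LOOPBACK):
            return True
    return False

def min_factors(value):
    """Fewest methods required by any alternative list in AuthenticationMethods."""
    return min(len(alt.split(",")) for alt in value.split())

def audit(config_text):
    """Return (match_line, methods) for loopback Match blocks weaker than global."""
    global_methods, match, findings = None, None, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, value = (line.split(None, 1) + ["", ""])[:2]
        if key.lower() == "match":
            crit = value.split()
            pairs = dict(zip((c.lower() for c in crit[0::2]), crit[1::2]))
            # None = global section, "" = unrelated Match block
            match = line if covers_loopback(pairs.get("address", "")) else ""
        elif key.lower() == "authenticationmethods" and value:
            if match is None:
                global_methods = value
            elif match and global_methods and min_factors(value) < min_factors(global_methods):
                findings.append((match, value))
    return findings

if __name__ == "__main__":
    for match_line, methods in audit(SAMPLE_CONFIG):
        print(f"{match_line}: only requires {methods}")
```

A finding means the second factor is enforced only on the outer connection; whether that is acceptable depends on who may open forwards to port 22 on the server.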
