[X2Go-User] X2Go, MFA and Duo?

J.Witvliet at mindef.nl J.Witvliet at mindef.nl
Fri Apr 24 20:12:07 CEST 2020


One obviously missing is a SmartCard, loaded with SSL keys & certificates, that should be reachable through a P11 (or pkcs11) library...


From: "Stefan Baur" <X2Go-ML-1 at baur-itcs.de>
Date: Friday, 24 April 2020 at 18:44:51
To: "x2go-user at lists.x2go.org" <x2go-user at lists.x2go.org>
Subject: Re: [X2Go-User] X2Go, MFA and Duo?

On 24.04.20 at 18:01, James M. Pulver wrote:
> Has anyone ever used X2Go Client (windows, linux, mac) with some sort of MFA that works in SSH? Duo and PortalGuard both support SSH MFA with either a "line client" or easier IMHO an appended password. I was wondering if Duo with the appended code to the password field might work? Also, are there any plans to add a second password field to the clients à la Cisco AnyConnect etc?

X2GoClient has out-of-the-box support for several 2FA solutions:

<https://code.x2go.org/gitweb?p=x2goclient.git;a=blob;f=src/sshmasterconnection.cpp;h=8b59fe79f275e83b34e4bfb038dd9318b78389c1;hb=HEAD#l52>

  53   "Verification code:",            // GA (http://github.com/google/google-authenticator)
  54   "One-time password (OATH) for",  // OATH (http://www.nongnu.org/oath-toolkit/pam_oath.html)
  55   "passcode:",                     // MOTP (http://motp.sourceforge.net)
  56   "Enter PASSCODE:",               // SecurID
  57   "YubiKey for"                    // YubiKey (https://en.wikipedia.org/wiki/YubiKey)

If Duo needs an appended code, it should work out of the box as well; if
not, it will need to use either one of the prompts above to work out of
the box, or one unique to Duo that we can add to a future client release.

Frankly, I don't see a reason for the hype around Duo - what does it do
that any of the established 2FA solutions can't do?
When we looked at that after a customer had asked us about it, all it
seemed to do was add a single point of failure, as it needed to "phone
home" to a central Duo server (not under the customer's control) before
being able to grant access.  Block/sabotage that connection and you've
essentially DoS'ed the system.
Solutions based on Google Authenticator, or more generally, OATH, need
no such external connection.  I would assume the same goes for MOTP,
YubiKey and SecurID.
My personal favorite at the moment is Google Authenticator, which,
despite what its name might suggest, does not "phone home" to Google.
And you don't need to run the actual Google-Authenticator-App on your
phone, either - any open source OTP app that supports TOTP OATH will do.

Not sure what Cisco AnyConnect does or why we should add a second
password field on the default login screen - that doesn't seem to make
sense.  All that would do is confuse users that don't use 2FA.
And we don't know if a server uses 2FA or not until after we've provided
a username and password to it, so there's no way of determining whether
or not we should present a field for the 2FA code on the login screen.
Hence, the popup for it.

-Stefan

--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Commercial Register Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
_______________________________________________
x2go-user mailing list
x2go-user at lists.x2go.org
https://lists.x2go.org/listinfo/x2go-user

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.