[X2Go-User] X2Go, MFA and Duo?
Orion Poplawski
orion at nwra.com
Tue Apr 28 02:17:09 CEST 2020
On 4/24/20 10:01 AM, James M. Pulver wrote:
> Has anyone ever used X2Go Client (windows, linux, mac) with some sort of MFA that works in SSH? Duo and PortalGuard both support SSH MFA with either a "line client" or easier IMHO an appended password. I was wondering if Duo with the appended code to the password field might work? Also, is there any plans to add a second password field to the clients al la Cisco AnyConnect etc?
We use YubiKey smart cards for our MFA. Load the pkcs11 module into
ssh-agent and only accept ssh keys from the smart cards on the remote
side. We use IPA with AD trust and users in AD to handle the certificates.
One stumbling block I've run into is x2goclient/libssh not accepting
multiple authentication methods via ssh (e.g:
AuthenticationMethods gssapi-with-mic,publickey
to require both GSSAPI (so that Kerberos tickets get forwarded) plus the
ssh-key. I believe this was added to libssh a while back but I'm still
stuck on EL7 that I don't think has it. Single ssh auth mechanism with
multiple PAM prompts should work as Stefan noted.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3799 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.x2go.org/pipermail/x2go-user/attachments/20200427/754d7fe3/attachment.bin>
More information about the x2go-user
mailing list