[X2Go-User] MFA support in X2go?

Grigory Shamov grigory.shamov at umanitoba.ca
Wed Aug 23 20:22:59 CEST 2023


Hi Stefan,

Thank you very much for your response! Yes, it looks like our SSH server "interactive" response for Yubikey/Duo is not being recognized by the current X2Go clients.
The kind of response that looks like this:

====
(user at host) Duo two-factor login for user:

Enter a passcode or select one of the following options:

Passcode:
====

We are running an HPC machine here, with user authentication coming from a nationwide HPC organization, that chose Duo for MFA. We cannot easily just pick a random 2nd factor vendor.

The related common SSH/SFTP/SCP GUI clients like PuTTY and MobaXterm and FileZilla do not seem to have this issue, at least in recent versions. (I just had a user that out of exasperation tried to run X2go over an SSH client created by PuTTY, which is of course impossible.)

-- 
Grigory Shamov 
Site Lead / HPC Specialist 
University of Manitoba and DRI Alliance Canada 







On 2023-06-01, 1:54 AM, "x2go-user on behalf of Stefan Baur" <x2go-user-bounces at lists.x2go.org on behalf of X2Go-ML-1 at baur-itcs.de> wrote:



On 25.05.23 at 22:54, Grigory Shamov wrote:
> Hi All,
> 
> Is there any X2go client around that would support connecting to SSH with a multi-factor auth like Duo or Yubikey enabled?


The stock X2GoClient already has built-in support for several MFA tools.


"Verification code:",            // GA (http://github.com/google/google-authenticator)
"One-time password (OATH) for",  // OATH (http://www.nongnu.org/oath-toolkit/pam_oath.html)
"passcode:",                     // MOTP (http://motp.sourceforge.net)
"Enter PASSCODE:",               // SecurID
"YubiKey for"                    // YubiKey (https://en.wikipedia.org/wiki/YubiKey)


I have successfully used the first two myself, and we have customers 
using this as well.
The neat thing about the first two is that they are free and don't 
require a hardware token - a free app on a Smartphone is enough.
Also note that even though the first one is named after Google, it does 
not require a Google account, nor does it, to my knowledge, "phone home" 
to Google. Also, you can use any generic TOTP generator on the 
Smartphone side for both, you do not have to use the Google 
Authenticator app on the smartphone side just because you're using the 
Google Authenticator plugin on the server side.
In fact, due to known security issues with it, I would recommend against 
using the Google Authenticator App on the smartphone side.
However, the server-side plugin is really neat, IMO, and I would prefer 
it over pam_oath. It has some nice features like providing you with a 
bunch of back-up, emergency codes that you can print out and store 
somewhere safe.


The one thing to remember is that you do not configure this in X2Go, but 
in SSH/PAM, as this is what X2Go uses to connect.


If you can log in via SSH using your MFA key/token, you will also be 
able to use it for X2Go. There will be an additional Pop-Up after you've 
entered username and password where you need to enter/paste the one-time 
password.


If X2GoClient doesn't show the popup, it is because the prompt (again, 
you can test/verify this via commandline SSH) doesn't match any of the 
known prompts listed above.


Kind Regards,
Stefan Baur


-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID No.: DE268653243
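Added example (not part of the original thread, and not X2GoClient's own code): a small Python check that compares a prompt captured from command-line SSH against the prompt strings quoted above, applied to the Duo prompt from this thread. The thread does not say how X2GoClient compares prompts, so the three matching modes and the names match_prompt and report are assumptions made for comparison.

```python
# Added diagnostic sketch; the prompt strings come from the list quoted in the
# thread, the matching modes below are assumptions (not X2GoClient's logic).
KNOWN_PROMPTS = [
    "Verification code:",            # GA
    "One-time password (OATH) for",  # OATH
    "passcode:",                     # MOTP
    "Enter PASSCODE:",               # SecurID
    "YubiKey for",                   # YubiKey
]

# The Duo keyboard-interactive prompt as quoted in the thread.
DUO_PROMPT = (
    "(user at host) Duo two-factor login for user:\n"
    "\n"
    "Enter a passcode or select one of the following options:\n"
    "\n"
    "Passcode:"
)

MODES = ("prefix", "substring", "substring_ci")


def match_prompt(prompt, mode="substring"):
    """Return the known prompt strings that match `prompt`.

    prefix        a non-empty line of the prompt starts with the known string
    substring     the known string occurs anywhere, case-sensitive
    substring_ci  the known string occurs anywhere, ignoring case
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    lines = [ln.strip() for ln in prompt.splitlines() if ln.strip()]
    hits = []
    for known in KNOWN_PROMPTS:
        if mode == "prefix":
            ok = any(ln.startswith(known) for ln in lines)
        elif mode == "substring":
            ok = known in prompt
        else:
            ok = known.lower() in prompt.lower()
        if ok:
            hits.append(known)
    return hits


def report(prompt):
    """Map each matching mode to the list of known prompts it matched."""
    return {mode: match_prompt(prompt, mode) for mode in MODES}


if __name__ == "__main__":
    for mode, hits in report(DUO_PROMPT).items():
        print(f"{mode:13} -> {hits or 'no match'}")
```

Under either case-sensitive mode the Duo prompt matches nothing in the list, because its last line is "Passcode:" with a capital P; only the case-insensitive comparison finds "passcode:".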