[X2Go-User] MFA support in X2go?

Orion Poplawski orion at nwra.com
Sat Aug 26 01:58:45 CEST 2023


On 8/23/23 12:22, Grigory Shamov wrote:
> Hi Stefan,
> 
> Thank you very much for your response! Yes, it looks like our SSH server "interactive" response for Yubikey/Duo is not being recognized by the current X2Go clients.
> The kind of response that looks like this:
> 
> ====
> (user at host) Duo two-factor login for user:
> 
> Enter a passcode or select one of the following options:
> 
> Passcode:
> ====
> 
> We are running an HPC machine here, with user authentication coming from a nation-wide HPC organization that chose Duo for MFA. We cannot easily just pick a random 2nd factor vendor.
> 
> The related common SSH/SFTP/SCP GUI clients like PuTTY and MobaXterm and FileZilla do not seem to have this issue, at least in recent versions. (I just had a user that out of exasperation tried to run X2go over an SSH client created by PuTTY, which is of course impossible.)
> 

I think the main difference between x2goclient and at least putty is 
that x2goclient is managing the ssh interaction and feeding the prompts 
as needed.  putty is simply presenting the prompts to the user and 
allowing them to interact with them.  I'm not sure x2goclient has any 
other way to know that the connection is waiting for more authentication 
input.

x2go client has the following known prompts:

const QString SshMasterConnection::challenge_auth_code_prompts_[] = {
   "Verification code:",            // GA      (http://github.com/google/google-authenticator)
   "One-time password (OATH) for",  // OATH    (http://www.nongnu.org/oath-toolkit/pam_oath.html)
   "passcode:",                     // MOTP    (http://motp.sourceforge.net)
   "Enter PASSCODE:",               // SecurID
   "YubiKey for"                    // YubiKey (https://en.wikipedia.org/wiki/YubiKey)
};

which is close.  We could either add "Passcode:" for Duo, or make the 
comparison case insensitive.

-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
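
Added example, not part of the original message and not x2goclient code: a standalone C++ sketch of the prompt matching discussed above, showing why Duo's "Passcode:" misses the existing "passcode:" entry and what a case-insensitive comparison changes. The helper match_prompt() is hypothetical, and substring matching against the server prompt is an assumption about how the client compares.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <iostream>
#include <string>

// Prompt fragments copied from the list quoted in the message above.
static const std::array<std::string, 5> kKnownPrompts = {
    "Verification code:", "One-time password (OATH) for", "passcode:",
    "Enter PASSCODE:", "YubiKey for"};

// Lower-case an ASCII string; the unsigned char cast avoids undefined
// behaviour in std::tolower for negative char values.
static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c));
    });
    return s;
}

// Hypothetical helper: index of the first known fragment contained in the
// server prompt, or -1 if none is found. Substring matching is an assumption.
int match_prompt(const std::string &server_prompt, bool case_insensitive) {
    const std::string hay =
        case_insensitive ? to_lower(server_prompt) : server_prompt;
    for (std::size_t i = 0; i < kKnownPrompts.size(); ++i) {
        const std::string needle =
            case_insensitive ? to_lower(kKnownPrompts[i]) : kKnownPrompts[i];
        if (hay.find(needle) != std::string::npos) return static_cast<int>(i);
    }
    return -1;
}

int main() {
    // Duo keyboard-interactive text as quoted earlier in the thread.
    const std::string duo =
        "Duo two-factor login for user:\n\n"
        "Enter a passcode or select one of the following options:\n\n"
        "Passcode:";
    std::cout << "case-sensitive:   " << match_prompt(duo, false) << "\n";
    std::cout << "case-insensitive: " << match_prompt(duo, true) << "\n";
    // An ordinary password prompt must stay unmatched in either mode.
    std::cout << "password prompt:  " << match_prompt("Password:", true) << "\n";
    return 0;
}
```

With a case-insensitive comparison the "Enter PASSCODE:" entry becomes redundant, because "passcode:" already covers it, while "Password:" still falls through to the normal password path.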
