Comments (11)
@osterman IMHO, this issue is not a question as you labelled it, but rather a "bug" - easy to replicate, as per my instructions above.
from bastion.
@osterman I'm happy to confirm the above change has fixed the problem.
I can now successfully sftp in and I can also execute a remote command via ssh - getting the "Verification code" prompt and when I answer it, I'm in.
Thank you guys for fixing this.
from bastion.
@marji I suspect it could be related to the motd message. Since scp is a binary protocol, the output from the motd could be messing with it. Can you try disabling that, or exploring that vein to see how far it gets you?
from bastion.
The motd I am referring to is:
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored for any reason.
from bastion.
Btw, you're invited to join our slack team here: https://slack.cloudposse.com where you'll get direct access to me and the team.
from bastion.
On further reflection, this will not work with Google Authenticator. SFTP is a non-interactive protocol. It's implemented on top of SSH. MFA prompts are not an official spec and there is no standard. Thus no standard way for clients to handle it. If you use a more advanced client like Cyberduck, maybe it will work.
That said, SCP will work with non-interactive push notifications, which is the way we used it. This is supported by Duo. Duo is a much, much better approach. It also supports geofencing and a multitude of other security enhancements, plus the TOTP seed is not stored on the server. The TOTP seed will let anyone guess the sequence if compromised.
https://help.duo.com/s/article/2102?language=en_US
from bastion.
@marji I'm going to close this issue. Please re-open if you can find any new information that indicates Google Authenticator is compatible with scp.
from bastion.
@osterman I tracked the problem with sftp not working with google-authenticator to this standard output terminal condition in /rootfs/usr/bin/setup-google-authenticator.
While debugging this, I realised this condition is also breaking execution of ssh connections with remote command specified:
ssh root@localhost -p 1234 'echo hello'
Verification code:
MFA setup required
When I compile the docker image without this condition, my problem is gone, sftp works.
Could you please remove it or adjust it to let sftp and ssh with remote command pass through?
from bastion.
@marji - aha, I see! yes, this seems like it could be easily fixed.
from bastion.
@marji please give it another shot. We moved the conditional inside the block to check if it's been previously initialized. If you want to disable MFA altogether for scp, I don't recommend it - but if you want to open a PR for it, we can consider it.
from bastion.
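The ordering described in the comment above (check for prior initialization first, and require a terminal only for first-time setup), as an added sketch that is not the bastion project's script. The function names and the state-file argument are hypothetical; notices go to stderr so they cannot corrupt the sftp/scp byte stream on stdout.

```shell
#!/bin/sh
# Added illustration: a hypothetical login hook, not the bastion project's code.

# Decide what to do with a session.
#   $1: path to the user's TOTP state file (assumed layout)
#   $2: "tty" if the session has a terminal, anything else otherwise
# Prints one of: pass | enroll | deny
mfa_decide() {
    state_file=$1
    session=$2
    if [ -s "$state_file" ]; then
        # Already initialized: the code prompt is handled at authentication,
        # so sftp, scp and "ssh host cmd" pass through untouched.
        echo pass
    elif [ "$session" = tty ]; then
        # Not initialized, terminal present: interactive setup is possible.
        echo enroll
    else
        # Not initialized, no terminal: setup cannot be displayed.
        echo deny
    fi
}

# Apply the decision to the current session.
# The terminal test runs here, not inside $(...), because command
# substitution replaces stdout with a pipe and would always report "notty".
mfa_hook() {
    if [ -t 1 ]; then kind=tty; else kind=notty; fi
    case $(mfa_decide "$1" "$kind") in
        pass)
            return 0 ;;
        enroll)
            # A real hook would start the enrollment program at this point.
            echo "MFA setup required" >&2
            return 0 ;;
        deny)
            echo "MFA setup required: log in interactively first" >&2
            return 1 ;;
    esac
}
```

With the terminal test applied before the initialization check, an enrolled user's sftp or remote-command session falls into the deny branch, which is the symptom reported in this issue.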
Thanks @marji for letting us know! Happy we got this working. =)
from bastion.