guacamole-commits mailing list archives

From "Paul Cantle (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GUACAMOLE-141) Complete support for keyboard interactive authentication
Date Fri, 03 Feb 2017 12:56:51 GMT

    [ https://issues.apache.org/jira/browse/GUACAMOLE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15851457#comment-15851457 ]

Paul Cantle commented on GUACAMOLE-141:
---------------------------------------

I realise this isn't the "perfect" solution, but you could use the 2FA on the web server URL
itself. I know that this would require then turning 2FA off for users who may well be accessing
systems via another method (i.e. onsite using PuTTY, etc.). Or, you could do something like
this...

What I have done is create a generic user in AD that has SSH access permissions to a server
(but with no elevated privilege). In the .bash_profile of that user, trap the ability to
Ctrl+C and then execute an ssh properuser@localhost (where properuser is the normal user who would
log in and get prompted for 2FA).

This works for me and offers a solution to still use 2FA. 

As I said though, it's just a work-around...

> Complete support for keyboard interactive authentication
> --------------------------------------------------------
>
>                 Key: GUACAMOLE-141
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-141
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: SSH
>    Affects Versions: 0.9.9, 0.9.10-incubating
>         Environment: guacamole: all
> SSH server: google-authenticator-libpam 1.03
>            Reporter: Roleo Hibachi
>            Priority: Minor
>              Labels: features, security
>
> SSH servers using two-factor or two-step authentication generally require multiple keyboard-interactive
> prompts. An example is the google-authenticator-libpam PAM module; others exist as well. Although
> Guacamole supports keyboard-interactive password authentication for SSH, only the first prompt
> is handled (which is assumed to be the prompt for a password).
> Full support for keyboard interactive must be added for two factor SSH authentication
> to work.
> This had been successfully patched previously (GUAC-836 in the old JIRA, circa version
> 0.9.2), but the patch was not implemented in the master branch, and so was not maintained.
> Using the patch on 0.9.10-incubating or 0.9.9 results in no change in functionality.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
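
The multi-prompt exchange the issue description refers to, as an added example that is not part of the original message and is not Guacamole's code: it builds and parses the RFC 4256 SSH_MSG_USERAUTH_INFO_REQUEST layout and answers every prompt rather than only the first. The function names, prompt texts and credentials are assumptions constructed for illustration; a server may also split its prompts across several such requests, each answered the same way.

```python
import struct

INFO_REQUEST, INFO_RESPONSE = 60, 61  # SSH_MSG_USERAUTH_INFO_* (RFC 4256)

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_request(prompts):
    """Server side: one INFO_REQUEST carrying (prompt text, echo) pairs."""
    msg = bytes([INFO_REQUEST]) + ssh_string(b"") * 3  # name, instruction, lang
    msg += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        msg += ssh_string(text.encode()) + bytes([int(echo)])
    return msg

def parse_request(msg: bytes):
    """Client side: return every (prompt text, echo) pair, not just the first."""
    if msg[:1] != bytes([INFO_REQUEST]):
        raise ValueError("not an INFO_REQUEST")
    pos = 1

    def take(n):
        nonlocal pos
        if pos + n > len(msg):  # reject lengths that run past the packet
            raise ValueError("truncated INFO_REQUEST")
        chunk, pos = msg[pos:pos + n], pos + n
        return chunk

    def take_string():
        return take(struct.unpack(">I", take(4))[0])

    for _ in range(3):  # skip name, instruction, language tag
        take_string()
    count = struct.unpack(">I", take(4))[0]
    return [(take_string().decode(), take(1) != b"\x00") for _ in range(count)]

def build_response(msg: bytes, answer):
    """Answer each prompt in order; num-responses must equal num-prompts."""
    answers = [answer(text, echo) for text, echo in parse_request(msg)]
    out = bytes([INFO_RESPONSE]) + struct.pack(">I", len(answers))
    return out + b"".join(ssh_string(a.encode()) for a in answers)

# Constructed sample: prompt texts and credentials are made up for this example.
SECRETS = {"Password: ": "hunter2", "Verification code: ": "123456"}
ROUND = build_request([("Password: ", False), ("Verification code: ", False)])
RESPONSE = build_response(ROUND, lambda text, echo: SECRETS[text])
```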
