Let user handle keyboard-interactive events #192

Open
wants to merge 1 commit into
base: master

MattCatz

Keyboard-interactive events can have multiple steps. Tweak the existing `kbd_callback` to massage prompts into a format that an end user can handle from Python.

New public method `userauth_keyboardinteractive_callback` added to the session class to maintain backwards compatibility. See new example script for usage.

I didn't add any new test case since I'm not really sure how it would fit into the existing set-up. To test locally I spun up an SSH server inside a Docker container and pointed the example script at it. Below is an example command I used:

```shell
OTP=$(oathtool --totp -d 6 12345678909876543210)
python ./examples/keyboard_interactive_auth.py --host 127.0.0.1 --port 2022 -u sshuser $OTP 552099 hostname
```
Example Dockerfile

```dockerfile
# SSH server with MFA
FROM debian:latest

RUN apt-get update && apt-get install -y \
  openssh-server \
  libpam-oath \
  oathtool \
  && rm -rf /var/lib/apt/lists/*

RUN groupadd sshgroup
# Test account; useradd -p takes an already-hashed (crypt) password
RUN useradd -ms /bin/bash -g sshgroup -p '$1$sshuser$TCmWDAEGpJ.Z.Sj/NN02I.' sshuser

# TOTP entry (30 s step, 6 digits) with the same hex secret passed to oathtool above
RUN echo 'HOTP/T30/6 sshuser - 12345678909876543210' > /etc/users.oath
RUN chmod 600 /etc/users.oath
# Require the OATH one-time password in the sshd PAM stack
RUN echo 'auth	  required pam_oath.so usersfile=/etc/users.oath window=30 digits=6' >> /etc/pam.d/sshd
RUN cat /etc/pam.d/sshd

# Enable keyboard-interactive authentication in sshd
RUN echo 'ChallengeResponseAuthentication yes \nKbdInteractiveAuthentication yes\n' >> /etc/ssh/sshd_config.d/otp.conf
RUN service ssh start
EXPOSE 22
CMD ["/usr/sbin/sshd","-D"]
```


Keyboard-interactive events can have multiple steps. Tweak the existing
`kbd_callback` to massage prompts into a format that an end user can
handle from python.

New public method `userauth_keyboardinteractive_callback` added to the session
class to maintain backwards compatibility. See new example script for usage.
@MattCatz MattCatz requested a review from pkittenis as a code owner September 21, 2023 03:14
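
A prompt handler for the multi-step flow this pull request describes, as an added example that is not code from the pull request or the project. It assumes each keyboard-interactive round arrives as a list of `(text, echo)` pairs (the shape RFC 4256 defines); the names `totp`, `answer_prompts` and `SAMPLE_ROUNDS` and the prompt strings are constructed for illustration, and the TOTP parameters mirror the `HOTP/T30/6` entry in the Dockerfile.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample: two rounds such as a password + pam_oath stack might send.
SAMPLE_ROUNDS = [
    [("Password: ", False)],
    [("One-time password (OATH) for `sshuser': ", False)],
]


def totp(hex_secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1; the secret is hex, as in /etc/users.oath."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(bytes.fromhex(hex_secret), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def answer_prompts(prompts, password, hex_secret, now=None):
    """Return one response per prompt in a single round.

    Only prompts that are expected get an answer, so a server cannot
    collect the password or OTP through an arbitrary or echoed prompt.
    """
    responses = []
    for text, echo in prompts:
        label = text.strip().lower()
        if echo:
            # Secrets are requested with echo off; do not answer otherwise.
            raise ValueError("refusing echoed prompt: %r" % text)
        if label.startswith("password"):
            responses.append(password)
        elif "one-time password" in label:
            # Computed per round so the code is fresh when it is sent.
            responses.append(totp(hex_secret, now))
        else:
            raise ValueError("unexpected prompt: %r" % text)
    return responses
```

Computing the code inside the handler, rather than once on the command line, avoids sending a stale value if the OTP round arrives after the 30-second step has rolled over.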