[ https://issues.apache.org/jira/browse/GUACAMOLE-141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15851457#comment-15851457 ]
Paul Cantle commented on GUACAMOLE-141:
---------------------------------------
I realise this isn't the "perfect" solution, but you could use the 2FA on the
web server URL itself. I know that this would then require turning 2FA off for
users who may well be accessing systems via another method (i.e. onsite using
PuTTY, etc.). Or, you could do something like this...
What I have done is create a generic user in AD that has SSH access
permissions to a server (but with no elevated privilege). In the .bash_profile
of that user, trap the ability to Ctrl+C and then execute an ssh
properuser@localhost (where properuser is the normal user who would log in and
get prompted for 2FA).
This works for me and offers a solution to still use 2FA.
As I said though, it's just a work-around...
> Complete support for keyboard interactive authentication
> --------------------------------------------------------
>
> Key: GUACAMOLE-141
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-141
> Project: Guacamole
> Issue Type: Improvement
> Components: SSH
> Affects Versions: 0.9.9, 0.9.10-incubating
> Environment: guacamole: all
> SSH server: google-authenticator-libpam 1.03
> Reporter: Roleo Hibachi
> Priority: Minor
> Labels: features, security
>
> SSH servers using two-factor or two-step authentication generally require
> multiple keyboard-interactive prompts. An example is the
> google-authenticator-libpam PAM module; others exist as well. Although
> Guacamole supports keyboard-interactive password authentication for SSH, only
> the first prompt is handled (which is assumed to be the prompt for a
> password).
> Full support for keyboard interactive must be added for two factor SSH
> authentication to work.
> This had been successfully patched previously (GUAC-836 in the old JIRA,
> circa version 0.9.2), but the patch was not implemented in the master branch,
> and so was not maintained. Using the patch on 0.9.10-incubating or 0.9.9
> results in no change in functionality.
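The gap described in the issue above, as an added example that is not part of the original message and is not Guacamole code: two keyboard-interactive responders, one that answers only the first prompt and one that answers every prompt in every round. The handler shape `(title, instructions, prompt_list)` follows the one Paramiko's `Transport.auth_interactive` expects; `simulate`, the prompt texts and the credentials are constructed for illustration.

```python
"""Keyboard-interactive (RFC 4256) responders: first prompt only vs. every prompt."""


def first_prompt_only(password):
    """Behaviour the issue describes: only the first prompt is ever answered."""
    state = {"answered": False}

    def handler(title, instructions, prompt_list):
        responses = []
        for _text, _echo in prompt_list:
            if not state["answered"]:
                responses.append(password)  # assumed to be the password prompt
                state["answered"] = True
            else:
                responses.append("")  # later prompts (e.g. the OTP) get nothing
        return responses

    return handler


def every_prompt(ask):
    """Full support: each prompt of each round is passed to ask(text, echo)."""
    def handler(title, instructions, prompt_list):
        return [ask(text, echo) for text, echo in prompt_list]

    return handler


def simulate(rounds, expected, handler):
    """Constructed stand-in for the server: True only if every prompt in
    every info-request round received the expected answer."""
    for prompt_list in rounds:
        answers = handler("", "", prompt_list)
        if len(answers) != len(prompt_list):
            return False
        for (text, _echo), answer in zip(prompt_list, answers):
            if answer != expected[text]:
                return False
    return True


# Constructed sample: password round, then a one-time-code round (echo off).
ROUNDS = [[("Password: ", False)], [("Verification code: ", False)]]
EXPECTED = {"Password: ": "constructed-password", "Verification code: ": "123456"}


def demo():
    """Return (first_prompt_only result, every_prompt result) for the sample."""
    ask = lambda text, echo: EXPECTED[text]  # stands in for the user typing
    return (simulate(ROUNDS, EXPECTED, first_prompt_only(EXPECTED["Password: "])),
            simulate(ROUNDS, EXPECTED, every_prompt(ask)))
```

In an interactive client, `ask` would show the prompt text to the user and read the reply, hiding input when `echo` is false.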