Re: tramp (2.6.0-pre master/b30b33ed9b3cdacecebef73ad1131f03c635de7a); tramp over MFA/totp

2023-09-16 Thread Michael Albinus
Randy Yates  writes:

> Michael,

Hi Randy,

> Thank you. The patch worked perfectly.

Thanks for the feedback. I've pushed the patch, slightly changed and
added documentation, to the repositories. Will appear with Emacs
29.2. Will also be part of the next GNU ELPA Tramp release, scheduled
later this month.

> –Randy

Best regards, Michael.



Re: tramp (2.6.0-pre master/b30b33ed9b3cdacecebef73ad1131f03c635de7a); tramp over MFA/totp

2023-09-15 Thread Michael Albinus
Randy Yates  writes:

Hi Randy,

> My organization has recently enabled MFA/totp over ssh on all our linux
> systems. We are using JumpCloud and it was apparently configured by
> JumpCloud automatically when they turned MFA on.
>
> I am able to ssh from one linux box (ubuntu 18.04) to another using the
> command-line ssh (openssh). The transaction looks like this:
>
> @Lubuntu-22259:/$ ssh -YC @
> Password:
> Verification code: 

[...]

> I found that when I use tramp, it prompts me for the password as usual,
> but after entering the correct password, it prompts me again for the
> password instead of the verification code.

[...]

> Finally, note that before these security updates, tramp was working
> fine. I am using emacs version
>
> GNU Emacs 29.0.50 (build 2, x86_64-pc-linux-gnu, GTK+ Version 3.22.30, cairo version 1.15.10) of 2022-06-16.
>
> Is it possible to update tramp so that it operates correctly with this
> configuration?

Well, my first reaction was to ask you to add the "verification code"
prompt to password-word-equivalents. This is what Tramp uses for
password prompts.

However, one-time passwords are different. So I've assembled the
appended patch, could you pls test? It is on top of the emacs-29 branch
in git, I hope it applies to your more-than-a-year-old Emacs 29
version. If not, you could install the recent Tramp 2.6.1.2 from GNU
ELPA, and apply the patch on this. Note that there is a problem in
installing Tramp from GNU ELPA with Emacs 29.1, see
.

> Thanks for your help, and let me know if there is anything else you
> need.
>
> Randy Yates

Best regards, Michael.

diff --git a/lisp/tramp-sh.el b/lisp/tramp-sh.el
index 5a1e73aa..59d5c005 100644
--- a/lisp/tramp-sh.el
+++ b/lisp/tramp-sh.el
@@ -535,6 +535,7 @@ shell from reading its init file."
 (defconst tramp-actions-before-shell
   '((tramp-login-prompt-regexp tramp-action-login)
 (tramp-password-prompt-regexp tramp-action-password)
+(tramp-otp-password-prompt-regexp tramp-action-otp-password)
 (tramp-wrong-passwd-regexp tramp-action-permission-denied)
 (shell-prompt-pattern tramp-action-succeed)
 (tramp-shell-prompt-pattern tramp-action-succeed)
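Review bot: the new `(tramp-otp-password-prompt-regexp tramp-action-otp-password)` entry is placed after the plain password entry, and the action table is tried in list order (a PATTERN match calls its ACTION), so a prompt that happens to match both regexps will be handled as a cacheable password, never as an OTP; this order is only safe while the OTP regexp cannot overlap the password one, and a short comment saying so would prevent someone reordering the list later. The patch also carries no user documentation or NEWS entry for the new action and option, which should land together with it.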
@@ -558,6 +559,7 @@ corresponding PATTERN matches, the ACTION function is called.")
 
 (defconst tramp-actions-copy-out-of-band
   '((tramp-password-prompt-regexp tramp-action-password)
+(tramp-otp-password-prompt-regexp tramp-action-otp-password)
 (tramp-wrong-passwd-regexp tramp-action-permission-denied)
 (tramp-copy-failed-regexp tramp-action-permission-denied)
 (tramp-security-key-confirm-regexp tramp-action-show-and-confirm-message)
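Review bot: since an out-of-band copy starts its own copy process, every scp/rsync transfer through this action list will stop at a fresh "Verification code" prompt, and the new action reads the code with `tramp-read-passwd-without-cache`, so nothing can be reused between transfers; the docstring of the new option should say this plainly, so users on an MFA-protected host know to expect one prompt per out-of-band copy (inline methods reuse the already authenticated connection).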
diff --git a/lisp/tramp.el b/lisp/tramp.el
index d10f93b3..83610193 100644
--- a/lisp/tramp.el
+++ b/lisp/tramp.el
@@ -679,6 +679,17 @@ The `sudo' program appears to insert a `^@' character into the prompt."
   :version "29.1"
   :type 'regexp)
 
+(defcustom tramp-otp-password-prompt-regexp
+  (tramp-compat-rx
+   bol (* nonl)
+   ;; JumpCloud.
+   (group (| "Verification code"))
+   (* nonl) (any "::៖") (* blank))
+  "Regexp matching one-time password prompts.
+The regexp should match at end of buffer."
+  :version "29.2"
+  :type 'regexp)
+
 (defcustom tramp-wrong-passwd-regexp
   (rx bol (* nonl)
   (| "Permission denied"
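Review bot: `(group (| "Verification code"))` has a single alternative, so the `|` is a no-op as written; either drop it or list the other OTP prompt texts you intend to recognise, and change the `;; JumpCloud.` comment to say that this is the literal prompt string, so users of another PAM module know what to add. The docstring promises the regexp "should match at end of buffer", but the pattern only anchors at `bol` and ends in `(* blank)` with no end anchor; that mirrors `tramp-password-prompt-regexp`, so state that the trailing `(* blank)` is what tolerates the space after the colon in "Verification code: ".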
@@ -5538,6 +5549,25 @@ of."
   (narrow-to-region (point-max) (point-max
   t)
 
+(defun tramp-action-otp-password (proc vec)
+  "Query the user for a one-time password."
+  (with-current-buffer (process-buffer proc)
+(let ((case-fold-search t)
+	  prompt)
+  (goto-char (point-min))
+  (tramp-check-for-regexp proc tramp-process-action-regexp)
+  (setq prompt (concat (match-string 1) " "))
+  (tramp-message vec 3 "Sending %s" (match-string 1))
+  ;; We don't call `tramp-send-string' in order to hide the
+  ;; password from the debug buffer and the traces.
+  (process-send-string
+   proc
+   (concat
+	(tramp-read-passwd-without-cache proc prompt) tramp-local-end-of-line))
+  ;; Hide password prompt.
+  (narrow-to-region (point-max) (point-max
+  t)
+
 (defun tramp-action-succeed (_proc _vec)
   "Signal success in finding shell prompt."
   (throw 'tramp-action 'ok))
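Review bot: `tramp-read-passwd-without-cache` is called here but neither defined nor touched by this patch; confirm it exists on the emacs-29 branch and, given the reporter's Emacs 29 snapshot from 2022-06, in that tree too, otherwise the failure is a void-function error that only shows up at the OTP prompt during login. Reading without the cache is the right choice for a one-time code, and logging only `(match-string 1)` keeps the code itself out of the trace buffer. Note also that, as rendered in this mail, `(narrow-to-region (point-max) (point-max` (and the identical line in the preceding context) is missing its closing parentheses; presumably a wrapping artifact, but worth checking that the patch applies cleanly.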

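A check you can run against your own Emacs before trusting a real login, added here as an example (it is not code from this thread or from Tramp): it loads Tramp in batch mode and replays a few constructed prompt lines through the same regexps, in the same order, that the patch wires into `tramp-actions-before-shell`. The "One-time password" prompt text and the widened regexp at the end are assumptions for illustration, not prompts the thread reports.

```elisp
;;; otp-prompt-check.el --- added example, not part of Tramp or this thread
;; Run with:  emacs -Q --batch -l tramp -l otp-prompt-check.el
;; It replays constructed login lines through the regexps the patch uses
;; in `tramp-actions-before-shell', in the same order, so you can see
;; which action Tramp would pick before trying a real MFA login.

(require 'tramp)

(defun otp-check--action-for (line)
  "Return the action Tramp would run for the prompt LINE, or nil.
Mirrors the order of `tramp-actions-before-shell' in the patch:
password first, then OTP, then the permission-denied pattern."
  (let ((case-fold-search t))          ; the actions bind this too
    (cond
     ((string-match-p tramp-password-prompt-regexp line)
      'tramp-action-password)
     ((and (boundp 'tramp-otp-password-prompt-regexp)
           (string-match-p tramp-otp-password-prompt-regexp line))
      'tramp-action-otp-password)
     ((string-match-p tramp-wrong-passwd-regexp line)
      'tramp-action-permission-denied)
     (t nil))))

;; Constructed sample output.  The first two lines are the JumpCloud
;; prompts quoted in the report; the last two are assumed for illustration.
(defconst otp-check--lines
  '("Password: "
    "Verification code: "
    "Permission denied, please try again."
    "One-time password (OATH) for user: "))

;; Without the patch `tramp-otp-password-prompt-regexp' is unbound and
;; "Verification code: " gets no action.  Pushing "Verification code"
;; into `password-word-equivalents' instead would route it through
;; `tramp-action-password', whose cached value is exactly what a TOTP
;; must never reuse.  The right extension point is the new OTP regexp;
;; here it is widened (an assumption, not a prompt the thread reports)
;; to cover an "One-time password" prompt as well.
(when (boundp 'tramp-otp-password-prompt-regexp)
  (setq tramp-otp-password-prompt-regexp
        (rx bol (* nonl)
            (group (| "Verification code" "One-time password"))
            (* nonl) (any "::៖") (* blank))))

(defun otp-check-report ()
  "Print which Tramp action each sample line would trigger."
  (dolist (line otp-check--lines)
    (message "%-40S -> %s" line
             (or (otp-check--action-for line) "no action (Tramp waits)"))))

(otp-check-report)
```

On a Tramp that predates the patch the second line reports "no action", which is why the login stalls instead of asking for the code; on a patched Tramp it reports `tramp-action-otp-password`, and the widened regexp shows that adding further prompt strings is a one-line customization rather than a change to `password-word-equivalents`.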

tramp (2.6.0-pre master/b30b33ed9b3cdacecebef73ad1131f03c635de7a); tramp over MFA/totp

2023-09-14 Thread Randy Yates
My organization has recently enabled MFA/totp over ssh on all our linux
systems. We are using JumpCloud and it was apparently configured by
JumpCloud automatically when they turned MFA on.

I am able to ssh from one linux box (ubuntu 18.04) to another using the
command-line ssh (openssh). The transaction looks like this:

@Lubuntu-22259:/$ ssh -YC @
Password:
Verification code: 

Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-213-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support:https://ubuntu.com/advantage

Expanded Security Maintenance for Infrastructure is not enabled.

2 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

154 additional security updates can be applied with ESM Infra.
Learn more about enabling ESM Infra service for Ubuntu 18.04 at
https://ubuntu.com/18-04

Last login: Tue Sep  5 11:35:47 2023 from 192.168.1.100
@Lubuntu-25316:~$

I found that when I use tramp, it prompts me for the password as usual,
but after entering the correct password, it prompts me again for the
password instead of the verification code.

This is the original :

#   $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner