There are so many prompts out there that we cannot include them all.
AFAIK there's generic support for unknown prompts that pops up a
window showing you the prompt (or, generally speaking, the output as
received from the remote side) and letting you enter the matching
response. I am not sure when this comes up and how to trigger it. I
have seen it a few times when testing with a custom MFA at a customer
but I never managed to successfully use it. I don't know why. Maybe
some research is required here.

I would suggest testing this mechanism and making it somehow
configurable. We could e.g. add a configuration item where you can
specify the expected prompt and how to respond to it. Maybe also offer
a global configuration where you can hold the expected prompts for
multiple MFAs so you do not have to configure that on a per-connection
basis.

Uli

On Sat, Aug 26, 2023 at 1:59 AM Orion Poplawski <or...@nwra.com> wrote:
>
> On 8/23/23 12:22, Grigory Shamov wrote:
> > Hi Stefan,
> >
> > Thank you very much for your response! Yes, it looks like our SSH server 
> > "interactive" response for Yubikey/Duo is not being recognized by the 
> > current X2Go clients.
> > The kind of response that looks like this:
> >
> > ====
> > (user@host) Duo two-factor login for user:
> >
> > Enter a passcode or select one of the following options:
> >
> > Passcode:
> > ====
> >
> > We are running an HPC machine here, with user authentication coming from a 
> > National-wide HPC organization, that chose Duo for MFA. We cannot easily 
> > just pick a random 2nd factor vendor.
> >
> > The related common SSH/SFTP/SCP GUI clients like PuTTY and MobaXterm
> > and FileZilla do not seem to have this issue, at least in recent versions.
> > (I just had a user that out of exasperation tried to run X2go over an SSH
> > client created by PuTTY, which is of course impossible).
> >
>
> I think the main difference between x2goclient and at least putty is
> that x2goclient is managing the ssh interaction and feeding the prompts
> as needed.  putty is simply presenting the prompts to the user and
> allowing them to interact with them.  I'm not sure x2goclient has any
> other way to know that the connection is waiting for more authentication
> input.
>
> x2go client has the following known prompts:
>
> const QString SshMasterConnection::challenge_auth_code_prompts_[] = {
>    "Verification code:",            // GA      (http://github.com/google/google-authenticator)
>    "One-time password (OATH) for",  // OATH    (http://www.nongnu.org/oath-toolkit/pam_oath.html)
>    "passcode:",                     // MOTP    (http://motp.sourceforge.net)
>    "Enter PASSCODE:",               // SecurID
>    "YubiKey for"                    // YubiKey (https://en.wikipedia.org/wiki/YubiKey)
> };
>
> which is close.  We could either add "Passcode:" for Duo, or make the
> comparison case insensitive.
>
> --
> Orion Poplawski
> he/him/his  - surely the least important thing about me
> IT Systems Manager                         720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       or...@nwra.com
> Boulder, CO 80301                 https://www.nwra.com/
>
> _______________________________________________
> x2go-user mailing list
> x2go-user@lists.x2go.org
> https://lists.x2go.org/listinfo/x2go-user
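
The two fixes proposed in the thread, checked against the Duo prompt as posted; this is an added example, not x2goclient code and not written by anyone in the thread. It uses plain C++ strings instead of QString, and both the substring match and the helper `match_prompt` are assumptions made for illustration.

```cpp
// Added example, not x2goclient code. Assumption: a prompt counts as "known"
// when the server output contains one of the listed strings (substring match).
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Prompt list as quoted in the thread.
static const std::vector<std::string> kKnownPrompts = {
    "Verification code:",            // GA
    "One-time password (OATH) for",  // OATH
    "passcode:",                     // MOTP
    "Enter PASSCODE:",               // SecurID
    "YubiKey for"                    // YubiKey
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Hypothetical helper: index of the first list entry found in `output`, or -1.
int match_prompt(const std::string &output,
                 const std::vector<std::string> &prompts,
                 bool case_insensitive) {
    const std::string hay = case_insensitive ? lower(output) : output;
    for (std::size_t i = 0; i < prompts.size(); ++i) {
        const std::string needle = case_insensitive ? lower(prompts[i]) : prompts[i];
        if (!needle.empty() && hay.find(needle) != std::string::npos)
            return static_cast<int>(i);
    }
    return -1;  // unknown prompt: nothing in the list applies
}

// Duo prompt text as posted in the thread.
static const std::string kDuoPrompt =
    "(user@host) Duo two-factor login for user:\n\n"
    "Enter a passcode or select one of the following options:\n\n"
    "Passcode:";

int main() {
    std::cout << "exact:            " << match_prompt(kDuoPrompt, kKnownPrompts, false) << "\n";
    std::cout << "case-insensitive: " << match_prompt(kDuoPrompt, kKnownPrompts, true) << "\n";
    std::vector<std::string> extended = kKnownPrompts;
    extended.push_back("Passcode:");  // the Duo entry suggested in the thread
    std::cout << "with added entry: " << match_prompt(kDuoPrompt, extended, false) << "\n";
}
```

With case-insensitive matching the Duo prompt resolves to the existing MOTP entry, so a client that distinguishes MFA types by list position would need to account for that.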