Keyboard-interactive events can have multiple steps. Tweak the existing kbd_callback to massage prompts into a format that an end user can handle from python.
New public method userauth_keyboardinteractive_callback added to the session class to maintain backwards compatibility. See new example script for usage.
I didn't add any new test case since I'm not really sure how it would fit into the existing set-up. To test locally I set spun up a ssh server inside a docker container[^1] and pointed the example script at it. Below is an example command I used:
Keyboard-interactive events can have multiple steps. Tweak the existing
kbd_callback
to massage prompts into a format that an end user can handle from python.New public method
userauth_keyboardinteractive_callback
added to the session class to maintain backwards compatibility. See new example script for usage.I didn't add any new test case since I'm not really sure how it would fit into the existing set-up. To test locally I set spun up a ssh server inside a docker container[^1] and pointed the example script at it. Below is an example command I used:
[^1]:
Example Dockerfile
## SSH server with MFA ``` FROM debian:latest RUN apt-get update && apt-get install -y \ openssh-server \ libpam-oath \ oathtool \ && rm -rf /var/lib/apt/lists/* RUN groupadd sshgroup RUN useradd -ms /bin/bash -g sshgroup -p '$1$sshuser$TCmWDAEGpJ.Z.Sj/NN02I.' sshuser RUN echo 'HOTP/T30/6 sshuser - 12345678909876543210' > /etc/users.oath RUN chmod 600 /etc/users.oath RUN echo 'auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6' >> /etc/pam.d/sshd run cat /etc/pam.d/sshd RUN echo 'ChallengeResponseAuthentication yes \nKbdInteractiveAuthentication yes\n' >> /etc/ssh/sshd_config.d/otp.conf RUN service ssh start EXPOSE 22 CMD ["/usr/sbin/sshd","-D"] ```