marji
commented
6 years ago @osterman IMHO, this issue is not a question as you labelled it, but rather a "bug" - easy to replicate, as per my instructions above.
Closed marji closed 5 years ago
marji
commented
6 years ago @osterman IMHO, this issue is not a question as you labelled it, but rather a "bug" - easy to replicate, as per my instructions above.
osterman
commented
6 years ago @marji I suspect it could be related to the motd message. Since scp is a binary protocol, the output from the motd could be messing with it. Can you try disabling that, or exploring that vane to see how far it gets you?
osterman
commented
6 years ago The motd I am referring to is:
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored for any reason.Btw, you're invited to join our slack team here: https://slack.cloudposse.com where you'll get direct access to me and the team.
osterman
commented
6 years ago On further reflection, this will not work with Google Authenticator. SFTP is a non-interactive protocol. It’s implemented on top of SSH. MFA prompts are not an official spec and there is no standard. Thus no standard way for clients to handle it. It you use more advanced client like like cyberduck, maybe it will work.
That said, SCP will work with non-interactive push notifications which is the way we used it. This is supported by duo. Duo is a much, much better approach. It also supports geofencing and a multitude of other security enhancements, plus the totp seed is not stored on the server. The totp seed will let anyone guess the sequence if compromised.
osterman
commented
6 years ago @marji I'm going to close this issue. Please re-open if you can find any new information that indicates Google Authenticator is compatible with scp.
marji
commented
5 years ago @osterman I tracked the problem with sftp not working with google-authenticator to this standard output terminal condition in /rootfs/usr/bin/setup-google-authenticator.
While debugging this, I realised this condition is also breaking execution of ssh connections with remote command specified:
ssh root@localhost -p 1234 'echo hello'
Verification code:
MFA setup requiredWhen I compile the docker image without this condition, my problem is gone, sftp works. Could you please remove it or adjust it to let sftp and ssh with remote command pass through?
osterman
commented
5 years ago @marji - aha, I see! yes, this seems like it could be easily fixed.
osterman
commented
5 years ago @marji please give it another shot. We moved the conditional inside the block to check if it's been previously initialized. If you want to disable MFA altogether for scp, I don't recommend it - but if you want to open a PR for it, we can consider it.
marji
commented
5 years ago @osterman I'm happy to confirm the above change has fixed the problem. I can now successfully sftp in and I can also execute a remote command via ssh - getting the "Verification code" prompt and when I answer it, I'm in.
Thank you guys for fixing this.
osterman
commented
5 years ago Thanks @marji for letting us know! Happy we got this working. =)
I noticed sftp to the bastion container (with google authenticator selected as the MFA) does not work:
Provision a fresh bastion instance:
Initialise with the first login. Then ssh into the container again, works fine:
But SFTP stops with an error:
I'm not sure where to look. Perhaps the sshd config? If you give me a little hint, I'm happy to debug more.