cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Unable to SSH to a server with key + password + TOTP #20965

Open atb00ker opened 2 months ago

atb00ker commented 2 months ago

Explain what happens

Hi,

I have a server named "s10".

Here is the .ssh/config block for it:

Host s10
  Port 1000
  IdentityFile ~/.ssh/s10
  ControlMaster auto
  ControlPath ~/.ssh/socket/%h.socket
  ControlPersist 1m

I can ssh into it as follows:

ssh awesome@s10

Enter SSH key password
Enter user (awesome) password
Enter TOTP code

I installed cockpit on this server and host and tried to connect to the s10 server, but I keep getting the error: Unable to log in to s10. The host does not accept password login or any of your SSH keys.

Meanwhile, in the websocket traffic, I see ssh-key XXX <- correct key with correct name; so I think the key was provided to cockpit-ssh BUT at some step things failed. I don't see anything in sudo journalctl --since -10m | grep cockpit either.

If I'm doing something stoopid, please let me know; but so far it seems identity file & password authentication together are not supported?

Also, even if I can use the ~/.ssh/socket/%h.socket file and connect without auth, that'll solve the problem for me, so is there any way to use that socket directly to bypass all auth on cockpit?

Version of Cockpit

287.1

Where is the problem in Cockpit?

Unknown or not applicable

Server operating system

Debian

Server operating system version

12

What browsers are you using?

Firefox

jelly commented 2 months ago

I'm a bit confused by your PAM/SSH configuration on the server: it uses an ssh key and user password + totp?

I'd expect a key + totp; if so, what totp plugin is used?

atb00ker commented 2 months ago

Yes, the PAM configurations are a little odd for sure. First an RSA key authentication happens. On success, login password is required. On success, totp is required. Then the user gets access.

"google-authenticator" for totp is used: https://packages.debian.org/bullseye/libpam-google-authenticator