ktbyers / netmiko

Multi-vendor library to simplify Paramiko SSH connections to network devices
MIT License

2 factor authentication #1040

Open pyNetz opened 5 years ago

pyNetz commented 5 years ago

I have an environment that requires a username and a passcode (pin+8 digit rsa Tokencode) when SSHing into network devices. Am I out of luck for automating large scale network tasks to thousands of devices?

ktbyers commented 5 years ago

Someone would have to create a solution for this and submit a PR on it. I am totally open to it, but I don't have a way to test it, and it is probably not something I am going to work on in the near future.

ktbyers commented 5 years ago

This would be good to have if someone wants to work on it.

yoonghm commented 5 years ago

Is there a simulator that provides two factor authentication?

On Thu, 27 Dec 2018, 09:49 Kirk Byers <notifications@github.com> wrote:

This would be good to have if someone wants to work on it.


Muadiv commented 5 years ago

I did something like that already, and the solution is not the best but it works: use AutoHotkey to call RSA and take the password from there.

Here is the code that I use:

1) AutoHotKey:

;; RSA Token Automation.ahk
;; # autohotkey.exe
;; # Ref: http://www.autohotkey.com/board/topic/59612-simple-debug-console-output/

;; RSA
Run, "C:\Program Files (x86)\RSA SecurID Software Token\SecurID.exe"
WinWait, (Here number of your RSA window) - RSA SecurID Token, 
IfWinNotActive, (Here number of your RSA window)- RSA SecurID Token, , WinActivate, (Here number of your RSA window)- RSA SecurID Token, 
WinWaitActive, (Here number of your RSA window)- RSA SecurID Token, 
Send, (Your Key here)
Sleep, 100
Send, {ENTER}
Sleep, 100
;;Send, {CTRLDOWN}c{CTRLUP}

Send, ^c
Sleep, 100
X := clipboard

Send, {ALTDOWN}{F4}{ALTUP}

return 

And this is the code that I used on my python file to call that and grab the key:

import win32clipboard
import subprocess

def get_rsa_token():
    # Launch the AutoHotkey script (shell=True so the .ahk file association
    # starts autohotkey.exe) and wait for it to exit; the script copies the
    # current tokencode to the clipboard before closing the RSA window.
    subprocess.Popen("ssas.ahk", shell=True,
                     stdout=subprocess.PIPE).communicate()[0].strip()
    # Read the tokencode the script left on the clipboard.
    win32clipboard.OpenClipboard()
    data = win32clipboard.GetClipboardData()
    win32clipboard.CloseClipboard()
    return data

Then, I know that is not the best solution, but it is the only way that I found to get the RSA code with Python. :smile:

conradmcha commented 5 years ago

You forgot: import subprocess in that.

maheshkudva commented 5 years ago

I have the same exact issue and have been using AutoHotKey as mentioned above. However, as Muadiv mentioned, it's best when used for a single user. Large-scale deployments are something for which an alternative is needed.

ktbyers commented 5 years ago

Definitely open to solutions, but it will need to be driven by the community.

conradmcha commented 5 years ago

I'm wondering if there is a module for rsa where we could import the RSA token, and then just import the password so we could use the generated key to login. Do any of you know if there is such a thing?

Muadiv commented 5 years ago

I'm wondering if there is a module for rsa where we could import the RSA token, and then just import the password so we could use the generated key to login. Do any of you know if there is such a thing?

From what I researched, there is not any module to do that; that's why this is the only way that I found to do this process. Also there is a guy that did something similar but with a hard token, with a camera and recognition software... even more crazy... You can investigate a little bit here https://community.rsa.com/docs/DOC-75741 but I think that is not exactly what we are looking for.

paulcfyiu commented 5 years ago

Actually, with the help of stoken https://github.com/cernekee/stoken you can use your rsa.sdtid to pre-generate 60+, 120+, etc. token codes for your pre-run-time program. Your pin+rsakey is a piece of cake to get ahead of time.

I have not yet begun to look at netmiko at the code level; just wondering whether anyone has successfully used netmiko to auth with a passcode yet? I am going to spend time tackling this; hopefully someone can collaborate, which would be wonderful.

paulcfyiu commented 5 years ago

Guys, I spent time coding in expect + sh + jumphost... I am able to get my ansible box to connect through a jump host (2FA) with RSA SecurID to all network devices (also 2FA) XD it is possible

Muadiv commented 5 years ago

Hey @paulcfyiu, could you explain how? Or show the code :)

paulcfyiu commented 5 years ago

Muadiv, I can share the concept and approach I had taken. The SecurID OTP will be valid for a certain time; in my case it is around 10 mins. Stoken allows you to collect your tokencode; I have coded a stack to store tokens that are valid for 10 mins.

I coded an sh script, like an "ansible-playbook wrapper" program, that will fetch a token code from the stack and pass it to an expect script that makes the initial connection to the 2FA jumphost, which will run in the background. Then it similarly gets token codes from the stack before calling ansible-playbook to run the task. Finally, it cleans up all ssh connections on script exit.

The reason to run the expect script before the ansible playbook: it will use the native SSH config to establish a connection to your jumphost and create the controlpath before ansible-playbook runs. An expect script is best to handle the returned prompt, as the system passcode prompt is commonly different. This handles it without messing with ansible code.

The outcome of this is quite stable from the previous few days of testing.

ktbyers commented 2 years ago

I am going to close this; a new issue should be opened if anyone implements a two-factor feature in Netmiko.

jinjamator commented 7 months ago

Hi, FYI I implemented a hackish google-authenticator "driver" for netmiko: https://github.com/jinjamator/netmiko_2fa_google_authenticator, which can also be used with https://github.com/jinjamator/netmiko_multihop

ktbyers commented 7 months ago

@jinjamator Hmmm, I wonder if we could make a general solution in Netmiko that could be more easily shared. I guess first step is to figure out how to test it.

jinjamator commented 7 months ago

@ktbyers All customer setups I'm aware of are just asking for a second password with another prompt, so 2FA is straightforward to implement. An ssh server for testing could use libpam-google-authenticator, which is pretty simple to set up. See https://ubuntu.com/tutorials/configure-ssh-2fa#2-installing-and-configuring-required-packages. My "driver" also uses automatic generation for the otp.
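The two approaches above, paulcfyiu's pre-generated stack of time-limited token codes and jinjamator's automatic OTP generation for a second password prompt, as one added example that is not code from this thread, from netmiko or from either linked project. It assumes TOTP (RFC 6238, which libpam-google-authenticator verifies) as a stand-in for SecurID, whose codes stoken would supply instead, and the prompt strings and regexes are constructed for the example.

```python
# Added example (not code from this thread or from netmiko): pre-generate
# time-based OTPs into a "token stack" and choose the right answer for a
# login prompt. Assumption: TOTP (RFC 6238) stands in for SecurID codes.
import hashlib
import hmac
import re
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def precompute_codes(secret: bytes, start: int, count: int, step: int = 30):
    """Return [(valid_from, valid_until, code), ...] for `count` consecutive
    time steps beginning at Unix time `start`, stored ahead of the run."""
    first = start // step
    return [((first + i) * step, (first + i + 1) * step, hotp(secret, first + i))
            for i in range(count)]

def code_for(stack, now: int):
    """Pick the entry valid at `now`; None means the stack has run dry and
    the caller must refill before opening another connection."""
    for valid_from, valid_until, code in stack:
        if valid_from <= now < valid_until:
            return code
    return None

# Constructed prompt patterns: pam_google_authenticator asks for a
# "Verification code"; SecurID gateways commonly ask for a "PASSCODE".
PASSCODE_RE = re.compile(r"(passcode|verification code|token)", re.IGNORECASE)
PASSWORD_RE = re.compile(r"password", re.IGNORECASE)

def answer_prompt(prompt: str, password: str, otp: str):
    """Map a login prompt to the secret it asks for: the OTP for a
    passcode-style prompt, the static password otherwise, None if unknown."""
    if PASSCODE_RE.search(prompt):
        return otp
    if PASSWORD_RE.search(prompt):
        return password
    return None
```

Checking the prompt for the passcode pattern before the password pattern matters, since prompts such as "Password + token:" contain both words.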

ktbyers commented 7 months ago

Okay, this would be cool/nice to implement. I will see where I am at after I finish the current main project I am working on and see if I can make some time for it.