Jump Host - Two Factor Authentication

Notes, tips, and other useful things on how to use LogMX

Moderator: admin

pattersonmm
Posts: 1
Joined: Thu Aug 22, 2019 7:28 pm

Jump Host - Two Factor Authentication

Post by pattersonmm » Thu Aug 22, 2019 7:35 pm

Hello,
I was wondering if there is currently any support or planned support for two-factor authentication (SecurID RSA Token and Password) when using a jump host to connect to an intermediate server? I am receiving a password prompt only when trying to connect to the jump server. The connection then fails as the SecurID RSA token was not entered.

admin
Site Admin
Posts: 507
Joined: Sun Dec 17, 2006 10:30 pm

Re: Jump Host - Two Factor Authentication

Post by admin » Fri Aug 23, 2019 3:22 am

Hello,

To be honest, I had never heard of an SSH session opened using a physical RSA token, until today. So I looked it up. According to https://www.ssh.com/manuals/clientserve ... curid.html (Tectia, pretty famous), such 2FA is implemented using the SSH Authentication method named "keyboard-interactive" which is supported by LogMX. It also says that the goal was to be compatible with current SSH clients. So at first I thought it should be fine, but then I came across https://help.globalscape.com/help/archi ... ecurid.htm which explains that some clients are not compatible and will fail because they don't expect the "keyboard-interactive" method ON TOP of the "password" method (it's usually ONLY ONE of "keyboard-interactive", "password", "publickey").

So the last article, together with the fact that you mentioned that you are "receiving a password prompt only when trying to connect to the jump server. The connection then fails as the securID RSA token was not entered", makes me think that LogMX doesn't support it because you have to provide a password AND a token through "keyboard-interactive".

Since I'm not able to test it on my side, you can check the LogMX SSH logs in <YourHomeDirectory>/LogMX*.log* (if you don't have any log file there, you can check the logs config file "<LogMXHomeDir>/config/logging.properties"). In LogMX logs, you should see something like:

22/08/19 23:21:28.022 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentications that can continue: publickey,keyboard-interactive,password
22/08/19 23:21:28.022 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Next authentication method: publickey
22/08/19 23:21:28.032 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentication succeeded (publickey)

or something like:

22/08/19 23:16:13.352 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentications that can continue: password
22/08/19 23:16:13.352 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Next authentication method: password
22/08/19 23:16:13.402 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentication succeeded (password)

Let me know what you can see in your logs. If it's confirmed that LogMX needs to send a password and a token code, then we could try to see if we can implement this. The tricky part would be for us to have an SSH server requiring these 2 codes, in order to test it... if you have any ideas...

Xavier
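
An added example, not part of the original posts and not LogMX code: a small Python script that performs the log check described in the reply above, reporting which SSH authentication methods the server listed, which ones the client tried, and which listed methods were never attempted. It assumes the excerpt covers a single connection attempt; the second sample log is constructed for illustration.

```python
import re

# First sample: lines quoted in the post above. Second sample: constructed for
# this example (a hypothetical failed two-step login), not taken from a real log.
PAGE_SAMPLE = """\
22/08/19 23:21:28.022 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentications that can continue: publickey,keyboard-interactive,password
22/08/19 23:21:28.022 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Next authentication method: publickey
22/08/19 23:21:28.032 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentication succeeded (publickey)
"""
CONSTRUCTED_FAILURE = """\
22/08/19 19:30:01.100 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentications that can continue: keyboard-interactive,password
22/08/19 19:30:01.100 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Next authentication method: password
22/08/19 19:30:01.450 [INFO] (com.lightysoft.logmx.SSH) <LogMX_LoadThread> Authentications that can continue: keyboard-interactive
"""

SSH_LINE = re.compile(r"\(com\.lightysoft\.logmx\.SSH\)\s+<[^>]*>\s+(.*)$")
SUCCESS = re.compile(r"Authentication succeeded \(([^)]+)\)")

def summarize_auth(log_text):
    """Summarize one connection attempt from LogMX SSH log lines."""
    offered, tried, succeeded = [], [], None
    for raw in log_text.splitlines():
        match = SSH_LINE.search(raw)
        if not match:
            continue  # not a line from the SSH logger
        msg = match.group(1).strip()
        if msg.startswith("Authentications that can continue:"):
            # Keep the most recent list the server sent.
            offered = [m.strip() for m in msg.split(":", 1)[1].split(",") if m.strip()]
        elif msg.startswith("Next authentication method:"):
            tried.append(msg.split(":", 1)[1].strip())
        elif SUCCESS.search(msg):
            succeeded = SUCCESS.search(msg).group(1)
    # Methods the server last listed that the client never attempted.
    pending = [m for m in offered if m not in tried] if succeeded is None else []
    return {"offered": offered, "tried": tried, "succeeded": succeeded, "pending": pending}

if __name__ == "__main__":
    for name, text in (("page", PAGE_SAMPLE), ("constructed", CONSTRUCTED_FAILURE)):
        print(name, summarize_auth(text))
```

A non-empty `pending` list with no success line is the pattern to report back: the server still listed a method (here "keyboard-interactive") that the client never tried.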
