Hi Alan,

Unfortunately, we’d need a lot more information in this report (and possibly a test server) to see what is happening conclusively. I suspect the client application, not the library, needs to be updated to handle the waterfall behavior of 2FA/keyboard interactive in the same way as OpenSSH for maximum capability. In the applications I develop we fully support 2FA but the waterfall is fairly complicated to maintain compatibility with OpenSSH.

Cheers,
Will

> On May 20, 2019, at 10:35 AM, Alan Nichols <alan.nich...@ni.com> wrote:
>
> Hello libssh developers,
>
> I recently ran into an obscure problem when using libssh2 to interact with an
> openssh client. In resolving the issue, the support staff for the client
> informed me that “libssh2's implementation of keyboard-interactive logins
> does not work properly when compared to the way openssh client handles
> keyboard-interactive.” The support staff implemented a workaround, which
> they explained to me as follows:
>
> “In order to implement 2FA (two factor auth), sshd_config was configured to
> use publickey and keyboard-interactive
> as the authentication methods with ChallengeResponseAuthentication enabled.
> sshd the publickey part, then passes the remaining authentication logic to
> PAM (keyboard-interactive).
> PAM for sshd is configured to use google-authenticator if it has been
> configured for the user.
>
> libssh2 does not properly implement keyboard-interactive which is what was
> causing your failures.
> To work around this, sshd config was reverted to the original config of using
> just publickey auth.”
>
> This is fine with me and everything is working as I’d expect. However, I may
> in the future run up against customers who have a similar problem on their
> own systems and whose admins may be restricted by company policy from making
> similar changes to the config files. A better solution would be to have
> better 2-factor authentication compatibility between libssh2 and openssh.
>
> Can you comment on this? Do you expect this compatibility problem to be
> resolved in the future and if so, when?
>
> Many thanks,
>
> Alan Nichols
> Development Engineer
> AWR Group, National Instruments
> 1017 W. Glen Oaks Lane, Suite 106
> Mequon, WI 53092
> P: 1.262.241.2383
> F: 1.262.240.0294
> E: alan.nich...@ni.com
> http://www.ni.com/awr
>
> _______________________________________________
> libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
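The multi-step flow discussed in this thread, as an added example that is not code from libssh2, OpenSSH, or either poster: in SSH user authentication (RFC 4252) a server that needs a second factor answers the first method with a failure reply carrying a partial-success flag and the list of methods that can continue, so the client has to keep going rather than stop. The server below is a constructed simulation of a publickey-then-keyboard-interactive policy, and `sim_attempt`, `in_list` and `run_waterfall` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

enum reply { AUTH_SUCCESS, AUTH_PARTIAL, AUTH_FAILURE };

/* Constructed stand-in for a server that requires publickey and then
 * keyboard-interactive. `cont` receives the methods that can continue. */
static enum reply sim_attempt(int *pk_done, const char *method,
                              char *cont, size_t n)
{
    const char *need = *pk_done ? "keyboard-interactive" : "publickey";
    if (strcmp(method, need) != 0) { snprintf(cont, n, "%s", need); return AUTH_FAILURE; }
    if (*pk_done) { cont[0] = '\0'; return AUTH_SUCCESS; }
    *pk_done = 1;
    snprintf(cont, n, "keyboard-interactive");
    return AUTH_PARTIAL;  /* failure reply with the partial-success flag set */
}

/* Exact-match lookup in a comma-separated method name-list. */
static int in_list(const char *list, const char *name)
{
    size_t len = strlen(name);
    while (*list) {
        size_t seg = strcspn(list, ",");
        if (seg == len && memcmp(list, name, len) == 0) return 1;
        list += seg + (list[seg] == ',');
    }
    return 0;
}

/* Hypothetical client loop; follow_partial = 0 models a client that treats
 * every non-success reply as final. Returns 1 when authenticated. */
int run_waterfall(int follow_partial)
{
    static const char *const pref[] = { "publickey", "keyboard-interactive" };
    char cont[64] = "publickey";  /* constructed initial method list */
    int pk_done = 0, tried[2] = { 0, 0 };
    for (;;) {
        int i = 0;
        while (i < 2 && (tried[i] || !in_list(cont, pref[i]))) i++;
        if (i == 2) return 0;  /* no untried method the server accepts */
        tried[i] = 1;
        enum reply r = sim_attempt(&pk_done, pref[i], cont, sizeof cont);
        if (r == AUTH_SUCCESS) return 1;
        if (!follow_partial) return 0;
    }
}

int main(void) { printf("%d %d\n", run_waterfall(1), run_waterfall(0)); return 0; }
```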