MFA ("keyboard-interactive") not working with version 1.9

[billborsari]

I recently set up Google's 2FA system on my local Linux system and found I'm not able to log in using SSHterm with MFA enabled. I've been looking at the source to understand why and think I found the issue.

The auth method is called "keyboard-interactive"

This method happens as part of the initialization process via a callback.

In the sample source, the kbd_callback function creates a prompt to gather the token and sends the token to the server:

static void kbd_callback(const char *name, int name_len,
const char *instruction, int instruction_len,
int num_prompts,
const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,
LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses,
void **abstract)
{
...
responses[0].text = strdup(password);
responses[0].length = (unsigned int)strlen(password);
...
}

In SSHTerm 1.9, this function is implemented but has two issues:
A) It cannot collect the MFA token
B) The ability to send it to the server.

For A, the existing request_password() can collect the data. For B, I have not figured out how to send that data to the server to complete the login process.

Here is the process to enable Google 2FA on an Ubuntu server for reference: https://ubuntu.com/tutorials/configure-ssh-2fa#1-overview

[salass00]

I've personally only used private/public key authentication with SSH so the other methods are untested by me. However I did a comparison with the the latest version of the libssh2 sftp example code and it looks like I've misunderstood how the keyboard interactive callback function is supposed to work and so I've rewritten it so that it calls request_password() for each of the prompts provided and puts the responses into the array (see commit 40312ec).

If you are able to compile SSHTerm from code can you do so to test and report if it works better after these changes. If not I can upload and give you a link to an updated binary.

[billborsari]

No problem. I'll build and test soon and let you know how it goes.

[billborsari]

Thank you for the quick turnaround. I ran it and did not understand at first that with keyboard interactive, I needed to use my password first and not the token. Once I figured that out, it worked!

[billborsari]

One thing I noticed is the stage report for this new function is not progressing. I.E. it always shows 0/1 and not 1/1 for the second phase:

                            case AUTH_KEYBOARD_INTERACTIVE:
                                    vsnprintf(bodytext, sizeof(bodytext), "Prompt %d/%d from server: '%s'", ap);
                                    break;