Cyberduck Mountain Duck CLI

#10125 closed defect (fixed)

2-factor authentication not working after update

Reported by: jonas_lindemann Owned by: dkocher
Priority: high Milestone: 6.3.1
Component: sftp Version: 6.2.11
Severity: normal Keywords: sftp, keyboard-interactive
Cc: Architecture:
Platform:

Description

We are using keyboard interactive 2-factor authentication with Cyberduck and SFTP. We had problems before CD-2911. This was fixed and was working with 6.1.0 (25371). Latest version 6.2.11 (26765) it has stopped working.

-- Jonas

Change History (14)

comment:1 Changed on Nov 8, 2017 at 4:08:41 PM by dkocher

  • Milestone set to 6.3
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 Changed on Nov 8, 2017 at 4:09:48 PM by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

In r43241. Please update to the latest snapshot build available.

comment:3 Changed on Nov 21, 2017 at 1:33:30 PM by jonas_lindemann

  • Resolution fixed deleted
  • Status changed from closed to reopened

Version 6.3.1 (27114) our OTP-authentication does not work in this version either. Our system is based on SSH keyboard-interactive prompts from a pam_radius module asking for an OTP-prompt.

-- Jonas

comment:4 Changed on Nov 21, 2017 at 3:21:04 PM by dkocher

Can you confirm that your server does use no password authentication but only keyboard-interactive for both password and OTP.

comment:5 Changed on Nov 21, 2017 at 3:27:07 PM by jonas_lindemann

I ran ssh -v to our server, which gave the following log:

debug1: Next authentication method: keyboard-interactive
Password:
Enter your Pocket Pass OTP: 471410
debug1: Authentication succeeded (keyboard-interactive).

This should indicate that keyboard-interactive is used for both.

Thanks in advance!

Jonas Lindemann

Last edited on Nov 21, 2017 at 3:29:08 PM by dkocher (previous) (diff)

comment:6 Changed on Nov 21, 2017 at 3:30:03 PM by dkocher

 Thanks! That is helpful. We have a regular expression match that we default to the user password per default for .*[pP]assword:\s?\z which is why the password is sent instead of the token.

Last edited on Nov 21, 2017 at 3:30:41 PM by dkocher (previous) (diff)

comment:7 Changed on Nov 21, 2017 at 4:03:09 PM by dkocher

Possible fix in r43404. Please update to the latest snapshot build.

comment:8 Changed on Nov 21, 2017 at 4:03:19 PM by dkocher

  • Milestone changed from 6.3 to 7.0

comment:9 Changed on Nov 21, 2017 at 4:21:47 PM by dkocher

  • Resolution set to fixed
  • Status changed from reopened to closed

Please let me know if the latest build resolves the issue.

comment:10 Changed on Nov 21, 2017 at 8:40:15 PM by dkocher

  • Milestone changed from 7.0 to 6.3.1

comment:11 Changed on Nov 22, 2017 at 12:15:28 PM by jonas_lindemann

Unfortunately it doesn't work. However, I get the OTP-prompt, but the login still fails and I get a repeated OTP-prompt.

-- Jonas

comment:12 Changed on Nov 22, 2017 at 12:38:42 PM by dkocher

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:13 Changed on Nov 22, 2017 at 12:59:56 PM by dkocher

We have again refactored the login flow for SFTP authentication methods in r43439. If you could please update to the latest snapshot build 27155 available and test that would be much appreciated.

comment:14 Changed on Nov 22, 2017 at 9:37:59 PM by dkocher

  • Resolution set to fixed
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.
swiss made software