User Erik Hill has managed to get two-factor authentication to work using OpenSSH and Jump Desktop. He has generously agreed to share the solution:
I changed my /etc/pam.d/sshd from whatever it was to this:
—— BEGIN CUT-N-PASTE ——
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so no_warn use_first_pass authtok_prompt=Password:
account required pam_unix.so audit
account required pam_permit.so
—— END CUT-N-PASTE ——
… and of course backed up my old /etc/pam/sshd first.
I now have two-factor working fine with Jump Desktop! The “forward_pass” forwards the password portion (not the two-factor part) to the next auth, which is pam_unix, so that just takes your password. The “authtok_prompt” was an early experiment where I was testing the hypothesis that Jump Desktop was confused by the different ssh prompt; now I’m convinced that that is not the case. Linux ignores the authtok_prompt anyway.
All one needs to do is set the Password field in the SSH tunnel configuration in Jump to “Ask”. Then when Jump asks for your password, you enter it and add the (in my case) 6-digit two-factor code right at the end, with no spaces or anything else between them.
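The following Python sketch is an added illustration, not part of Erik's post and not the pam_google_authenticator source. It models what the two auth lines do with the single string Jump sends: the trailing 6 digits are checked as a TOTP code first, and only the remainder is passed on as the password. The function names, the plaintext password comparison and the skew window are assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the kind of 6-digit code the post describes."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_forwarded(entered: str, digits: int = 6):
    """Split 'password' + 'code' typed into one prompt; None if no trailing code."""
    code = entered[-digits:]
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return None
    return entered[:-digits], code

def authenticate(entered, secret, stored_password, now, window=1):
    """Model of the two auth lines: the code check gates the password check."""
    parts = split_forwarded(entered)
    if parts is None:
        return False  # 'requisite' fails at once; the password step never runs
    password, code = parts
    steps = range(-window, window + 1)  # assumed tolerance for clock skew
    times = [max(0, now + s * STEP) for s in steps]
    if not any(hmac.compare_digest(code, totp(secret, t)) for t in times):
        return False
    # Stand-in for pam_unix with use_first_pass, which really checks a password hash.
    return hmac.compare_digest(password.encode(), stored_password.encode())

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    for typed in ("hunter2287082", "hunter2 287082", "hunter2"):  # constructed inputs
        print(repr(typed), authenticate(typed, secret, "hunter2", now=59))
```

The second constructed input shows why nothing may sit between password and code: the space is kept as part of the forwarded password, so the password step fails even though the code is valid.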
Comments
This is a solution only for those who both can and are willing to change the sshd PAM settings for the host they want to connect to. Not everybody has that chance or will. It would be much better for JD to properly support 2FA, that is, issuing the relevant prompt.