Forum / Remote Desktop Manager Mac - Support

inline multi-factor auth of SSH tunnels?


So we're looking at using RDM with RDP via SSH tunnel. However, the SSH utilizes 2-factor authentication, prompting for an RSA token code.

Are there any problems with this and RDM? Best practices, etc?

2 yrs

Hi Jo,

I have a vague memory of having tested the SSH Shell session with 2FA (I think it might have been Duo). I'd like to say I'm sure it will work without issue, but the simple truth is that I don't know. SSH servers can be tricky sometimes and this could very well not be the case with your servers.

I'd say testing is the best way to make sure of it. If it doesn't work, report it as a bug and we'll address this as soon as possible.

Best regards,

Xavier Fortin


2 yrs

So we tried this out on a Windows box, and it doesn't work. A number of problems here:

  • Prompts for password.
  • As soon as the password is supplied it tries to open a connection to the RDP host, but the 2nd factor has not yet been applied.
  • Returns to prompt for password, but the screen is locked and won't allow any action but Cancel, which does nothing. CTRL-ALT-DEL is required to kill RDM.

This was with Enterprise trial, FYI.

Is there a way to configure it to know that a second authentication factor will be required (another prompt)? I couldn't find anything.

2 yrs

Auth looks like this FYI:

$ ssh bastion.example.net
Password:
Enter PASSCODE:

2 yrs

Hi again,

Now that I think of it, you're trying to do this with the SSH tunnels session. I don't think this is supported at all; this session does not handle prompting for more information (if that is, as I understand, what you'd want it to do).

Returns to prompt for password, but the screen is locked and won't allow any action but Cancel, which does nothing. CTRL-ALT-DEL is required to kill RDM.

I'm not sure I understand that. What is locked? The RDP session? Or the tunnel sessions? Could you provide a print screen of the locked application?

Best regards,

Xavier Fortin


2 yrs

Xavier Fortin wrote:

Now that I think of it, you're trying to do this with the SSH tunnels session. I don't think this is supported at all...

Yeah, who would have guessed that I was doing this when I said "using RDM with RDP via SSH tunnel" -- totally wasn't clear, was I?

2 yrs

Could you provide a print screen of the locked application?

Not in a public forum. Give me a place to send it which will be treated as confidential.

2 yrs

You can send it there: xfortin@devolutions.net

Btw, sorry for having misunderstood the issue. I assumed too quickly that something that worked in SSH Shell would work in the SSH Tunnel too. No need to get irritable for this.

Best regards,

Xavier Fortin


2 yrs

I sent it to you with a description.

I'm confused, as the ability to create a log file doesn't seem to exist any more. How do I send you debug logs of the transaction?

2 yrs

Hi Jo,

I'm pretty sure the freeze is caused by the tunnel not expecting to have to wait for another prompt (in this case, the two-factor authentication). It then freezes in the connect process, waiting for a key that can't be entered since the terminal does not take input.

I'll see what we can do.

Best regards,

Xavier Fortin


2 yrs

So I understand that RDM doesn't have the logic to handle this scenario correctly... but unexpected responses should not cause RDM to hang completely. This is clearly a failure of the most basic type of acceptance testing.

2 yrs
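The failure mode described in the last two posts is a client that answers the first prompt, then proceeds to open the forwarded port before the server's second keyboard-interactive round (Enter PASSCODE:) has been answered, and blocks on a prompt nobody can see. The following is an added example, not RDM's code: a prompt handler that answers each prompt by its label, raises on an unknown prompt instead of hanging, and a constructed stand-in for the bastion that issues the two rounds from the thread's transcript so the exchange can be run offline. The label patterns, the simulate_bastion helper and the open_tunnel function are assumptions for the example; open_tunnel is the only part that needs the third-party paramiko library.

```python
"""Keyboard-interactive SSH authentication that answers each prompt by its
label and fails fast on anything it cannot answer, so the client never sits
on a hidden prompt. Added example, not RDM's code. The prompt routing is
pure Python; only open_tunnel() assumes paramiko is installed."""
import re
from typing import Callable, Dict, List, Sequence, Tuple

Prompt = Tuple[str, bool]  # (prompt text, echo?) as paramiko hands them over


class UnexpectedPrompt(Exception):
    """Raised instead of blocking when the server asks something unknown."""


# Label patterns this handler knows how to answer (constructed; they play the
# role of RDM's "Password prompt string" setting for the password label).
PASSWORD_RE = re.compile(r"password", re.IGNORECASE)
SECOND_FACTOR_RE = re.compile(r"passcode|verification code|token|otp", re.IGNORECASE)


def make_prompt_handler(password: str, get_code: Callable[[], str]):
    """Build a handler with paramiko's keyboard-interactive signature:
    handler(title, instructions, prompt_list) -> list of responses.
    The second factor is fetched from get_code() only when the server asks,
    because a one-time code pre-filled at connect time may already be stale."""
    def handler(title: str, instructions: str, prompt_list: Sequence[Prompt]) -> List[str]:
        responses = []
        for prompt, _echo in prompt_list:
            if SECOND_FACTOR_RE.search(prompt):
                responses.append(get_code())
            elif PASSWORD_RE.search(prompt):
                responses.append(password)
            else:
                # Unknown prompt: raising hands control back to the caller,
                # the opposite of the hang described in the thread.
                raise UnexpectedPrompt(prompt.strip())
        return responses
    return handler


def simulate_bastion(handler, rounds: Sequence[Sequence[Prompt]],
                     expected: Dict[str, str]) -> bool:
    """Constructed stand-in for the server half of the exchange (not a real
    SSH server): it issues the prompts one round at a time, like the
    Password: / Enter PASSCODE: sequence in the thread, and reports success
    only when every answer in every round matches. A client that opens the
    forwarded port after the first round acts before this returns True."""
    for prompts in rounds:
        answers = handler("", "", prompts)
        if len(answers) != len(prompts):
            return False
        for (prompt, _echo), answer in zip(prompts, answers):
            if expected.get(prompt) != answer:
                return False
    return True


# Prompts copied from the thread's session transcript; one round per factor.
TWO_ROUND_BASTION = [[("Password: ", False)], [("Enter PASSCODE: ", False)]]


def open_tunnel(host: str, user: str, password: str, get_code: Callable[[], str],
                dest: Tuple[str, int]):
    """Authenticate first, then open a direct-tcpip channel to dest (e.g. the
    RDP host on port 3389). Assumes the third-party paramiko library."""
    import paramiko  # assumption: installed; not needed for the logic above
    transport = paramiko.Transport((host, 22))
    transport.start_client()
    # In production, compare transport.get_remote_server_key() with known_hosts here.
    transport.auth_interactive(user, make_prompt_handler(password, get_code))
    if not transport.is_authenticated():
        raise RuntimeError("authentication incomplete; refusing to open tunnel")
    # Only now is it safe to forward traffic; RDM tried this after round one.
    return transport.open_channel("direct-tcpip", dest, ("127.0.0.1", 0))
```

The design point is the order of operations: the forwarded channel is requested only after is_authenticated() is true, and an unrecognised prompt raises rather than waits, so a wrong guess about the server's prompts surfaces as an error the user can act on.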

I do agree on it being a bug, I'm not going to disagree with you on that. This scenario has just not been tested. I'll be honest, RDM contains multiple features, which in turn support many different scenarios. Often, many of those scenarios are not tested (often not even known to exist).

While for you, this probably appears like a basic feature or standard scenario, it is sometimes not so simple. An SSH terminal is not often used as an automated tunnel session like we do, hiding the terminal itself (therefore, preventing interaction with it by the user). This makes it into a very unique situation that will need a very specific solution.

We'll set up an SSH server with two-factor authentication, reproduce the scenario and make a fix (adding the support for two factors in Tunnels and Port Forward sessions at the same time).

Best regards,

Xavier Fortin


2 yrs

Xavier Fortin wrote:

We'll set up an SSH server with two-factor authentication, reproduce the scenario and make a fix (adding the support for two factors in Tunnels and Port Forward sessions at the same time).

That sounds awesome. But I think your first target should be ensuring it doesn't lock up when encountering unexpected prompts ;-) And get that test in your acceptance tests.

A possible workaround might be to allow interactive input for the gateway setup, or allow an SSH Session to be opened first and the VPN connector to use either.

2 yrs

Any updates on this? Right now I'm having conversations every hour with people who are newly being forced to RDP via newly implemented bastions, and they are asking what they can pay for to simplify the two-step process and I don't have an answer for them.

2 yrs

Hi Jo,

We've set up a server (with Google Auth in our case) and I've forwarded this to Denis, but I think he has been quite occupied recently. I don't know if he has had the time to look into this. I'll see with him.

Best regards,

Xavier Fortin


2 yrs

Hi Jo,

I've spoken to Denis and he would like another thing from you if it's possible. Could you generate the log (with Verbose 2) to your server (requiring 2FA) with an SSH session and send it back to us. He'd like to get a bit more details on the interaction between the client and the server before diving into this.

Best regards,

Xavier Fortin


2 yrs

Do you mean verbose log from ssh client, aka "ssh -vv server" or do you mean an RDM log of the interaction where I'm forced to kill off RDM?

2 yrs

Hi Jo,

You can log to a file, so even after force quitting RDM, you should have the logs in the file:

(screenshot: SSHLog.png)

Best regards,

Xavier Fortin

2 yrs

Hi Xavier,

I am reviving this post because I have the exact same issue.
My SSH server is protected with Google 2-factor authentication (libpam-google-authenticator).
When I try to open a RDP tunnel, I can see the "Verification code:" in the SSH prompt but can't interact with it. RDM is already opening the RDP connection (which fails).
Would you be able to help with this?

Kind regards,

Lat

11 mths

Hi,

This hasn't been done yet. I'll increase the priority and try to have it done for an upcoming release.

Best regards,

Xavier Fortin


11 mths

Awesome, thanks Xavier!

11 mths

Hi,

This has been done and will be available in the next release of RDM Mac.

For it to work you'll need to use the Standard (presently Experimental) engine. You can change this globally for all sessions in the preferences (Preferences -> Session Type -> SSH Shell -> General -> Engine).

(screenshot: SSHEngine.png)

You'll also need to set your session to use Interactive authentication in terminal (in your session settings SSH Tunnel -> Advanced -> Interactive authentication in terminal).

(screenshot: InteractiveAuthenticationInTerminal.png)

With Interactive authentication in terminal enabled, your password won't be automatically filled anymore. If you still want it to be, you'll need to fill the Terminal -> "Password prompt string" with the expected password label.

(screenshot: PasswordPromptString.png)

Best regards,

Xavier Fortin

11 mths