2nd Factor Auth. - Google Authenticator

[rmg55]

First off - thanks for this awesome project - I think it will be really useful for lots of folks.

I am having issues getting this to work with 2-factor authentication scheme on an HPC system. Our system uses Google Authenticator for a 6-digit code. The SSH login process looks like:

ssh username@host
Verification code:
Password:

When I try jupyter-forward I like:

jupyter-forward rowan.gaffney@ceres.scinet.usda.gov --launch-command "sbatch XXXXXXX" --notebook-dir=/lustre/project/cper_neon_aop/ --port=8889

I get the this error

Password:
Traceback (most recent call last):
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/transport.py", line 1528, in auth_password
    return self.auth_interactive(username, handler)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/transport.py", line 1633, in auth_interactive
    return self.auth_handler.wait_for_response(my_event)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/rowangaffney/miniconda3/bin/jupyter-forward", line 10, in <module>
    sys.exit(main())
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/jupyter_forward/cli.py", line 97, in main
    typer.run(app())
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/typer/main.py", line 214, in __call__
    return get_command(self)(*args, **kwargs)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/typer/main.py", line 497, in wrapper
    return callback(**use_params)  # type: ignore
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/jupyter_forward/cli.py", line 91, in start
    shell=shell,
  File "<string>", line 11, in __init__
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/jupyter_forward/core.py", line 52, in __post_init__
    self.session.open()
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/fabric/connection.py", line 634, in open
    self.client.connect(**kwargs)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/client.py", line 446, in connect
    passphrase,
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/client.py", line 764, in _auth
    raise saved_exception
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/client.py", line 751, in _auth
    self._transport.auth_password(username, password)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/transport.py", line 1531, in auth_password
    raise e
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/transport.py", line 1509, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/home/rowangaffney/miniconda3/lib/python3.7/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
    raise e
paramiko.ssh_exception.BadAuthenticationType: Bad authentication type; allowed types: ['keyboard-interactive']

Seems like an authentication issue. I tried to work thru fabric --> paramiko authentication workflow, but had no luck. Then I saw this #7, but the solution was posted in that issue.

Tagging @andersy005 b/c I think you might be able to help me with this - thanks!

[andersy005]

@rmg55, thank you for opening this issue! I'm glad to hear that this is useful for other folks.

So, I just revisited #7, and it turns out that our current auth mechanism works when the 2FA authentication is initiated via push notification on an app like Duo. For 2FA mechanism that requires the user to input both the password and token from two separate prompts, we will need to add a new option to signal to jupyter-forward that

• it should prompt for both the password and the token separately.
• it should propagate the password and token to paramiko.transport.auth_interactive

I will look into this in the next few days, and will get back to you once I have a solution..

References:

• 2 factor auth (google authenticator) fails after successful login paramiko/paramiko#1199
• https://stackoverflow.com/questions/43903875/python-paramiko-client-multifactor-authentication
• https://stackoverflow.com/questions/53761170/ssh-with-2fa-in-python-using-paramiko

Thank you @mnlevy1981 for the clarification and pointers to potential solutions....

[rmg55]

Excellent @andersy005 - thanks for the clarification.

Cheers!

[mnlevy1981]

@rmg55 -- does #51 work for you? I can't make you an official reviewer, but would appreciate your feedback.

[rmg55]

Solved by #51