pam_duo breaks the software. But is this a minor change? #432
brianlayman started this conversation in Ideas
Replies: 1 comment
- Note that, as far as similar solutions go, the last time I checked, WINFSP and NetDrive did not work, ExpanDrive does.
A client recently added pam_duo to their servers, which integrates push 2FA with all SSH logins. I have to admit, it's pretty awesome.
From what I can tell from the logs, instead of the expected SSH2_MSG_KEX_ECDH_REPLY after the key is sent, the server now sends an SSH2_MSG_SERVICE_ACCEPT and pauses the login process until Duo receives authorization from its client app. (Note: I do not have a before and after. I'm assuming this is where it breaks down because of the comment in the log saying it is expecting a certain message.)
PuTTY/KiTTY can handle this and move on; however, NetDrive 2, NetDrive 3, and SSHFS-Win/SSHFS-Win Manager cannot.
I am attaching a set of lightly censored logs to show what is happening. I'm wondering if any of the devs who work on this project (THANK YOU btw) would be able to evaluate whether it would be easy or not to modify the code to support this push 2FA method.
I can see it becoming more popular in the future and I'd hate to lose all of my SFTP drives. But I can't even estimate the scope of making a change to support this. Do any of you have any gut-level thoughts on it? I've been in the PHP/JS world long enough now that I don't even have any compilers on my Windows PC any more, but I can go down that path again if it looks like it would be worth it, or "officially" put it in as a feature request and see if anyone wants to show mercy. :) So, what do you think?
See also: https://duo.com/docs/duounix
LOG 1
FAILED WinFSP/SSHFS-Win/SSHFS-Win Manager connection:
(IP & Identifying info changed or removed to protect the innocent.)
date: 2022-06-21T20:39:52.344Z
conn: {d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} (Staging)
conntype: key-file
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: SSHFS version 3.5.2
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: debug1: Connection established.
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: debug1: SSH2_MSG_KEXINIT sent
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: debug1: Server host key: ecdsa-sha2-nistp256 SHA256:...
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: debug1: SSH2_MSG_SERVICE_ACCEPT received
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} stderr: read: Connection reset by peer
{d56b34ab-a42e-4dc2-aeaa-9e533e3488b2} exit: 1
LOG 2
WORKING PUTTY/KITTY connection
(IP & Identifying info changed or removed to protect the innocent.)
=========== PuTTY log 2022.06.21 16:43:17 ============
Event Log: Looking up host "127.0.0.1" for SSH connection
Event Log: Connecting to 127.0.0.1 port 22
Event Log: We claim version: SSH-2.0-PuTTY_KiTTY
Event Log: Remote version: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
Event Log: Using SSH protocol version 2
Event Log: No GSSAPI security context available
Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
Incoming packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
Event Log: Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (SHA-NI accelerated)
Outgoing packet #0x1, type 30 / 0x1e (SSH2_MSG_KEX_ECDH_INIT)
Incoming packet #0x1, type 31 / 0x1f (SSH2_MSG_KEX_ECDH_REPLY)
Incoming packet #0x2, type 21 / 0x15 (SSH2_MSG_NEWKEYS)
Event Log: Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
Event Log: Host key fingerprint is:
Event Log: ssh-ed25519 255 ...
Outgoing packet #0x2, type 21 / 0x15 (SSH2_MSG_NEWKEYS)
Event Log: Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Event Log: Initialised HMAC-SHA-256 (SHA-NI accelerated) outbound MAC algorithm
Event Log: Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Event Log: Initialised HMAC-SHA-256 (SHA-NI accelerated) inbound MAC algorithm
Outgoing packet #0x3, type 5 / 0x05 (SSH2_MSG_SERVICE_REQUEST)
00000000 00 00 00 0c 73 73 68 2d 75 73 65 72 61 75 74 68 ....ssh-userauth
Incoming packet #0x3, type 6 / 0x06 (SSH2_MSG_SERVICE_ACCEPT)
00000000 00 00 00 0c 73 73 68 2d 75 73 65 72 61 75 74 68 ....ssh-userauth
Event Log: Reading key file "ed25519.ppk"
Outgoing packet #0x4, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
00000010 2d 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 04 6e -connection....n
00000020 6f 6e 65 one
Incoming packet #0x4, type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
00000000 00 00 00 09 70 75 62 6c 69 63 6b 65 79 00 ....publickey.
Event Log: Offered public key
Outgoing packet #0x5, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
Incoming packet #0x5, type 60 / 0x3c (SSH2_MSG_USERAUTH_PK_OK)
Event Log: Offer of public key accepted
Event Log: Sent public key signature
Outgoing packet #0x6, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
Incoming packet #0x6, type 51 / 0x33 (SSH2_MSG_USERAUTH_FAILURE)
00000000 00 00 00 14 6b 65 79 62 6f 61 72 64 2d 69 6e 74 ....keyboard-int
00000010 65 72 61 63 74 69 76 65 01 eractive.
Event Log: Further authentication required
Event Log: Attempting keyboard-interactive authentication
Outgoing packet #0x7, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
00000010 2d 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 14 6b -connection....k
00000020 65 79 62 6f 61 72 64 2d 69 6e 74 65 72 61 63 74 eyboard-interact
00000030 69 76 65 00 00 00 00 00 00 00 00 ive........
Incoming packet #0x7, type 60 / 0x3c (SSH2_MSG_USERAUTH_INFO_REQUEST)
Outgoing packet #0x8, type 2 / 0x02 (SSH2_MSG_IGNORE)
Outgoing packet #0x9, type 61 / 0x3d (SSH2_MSG_USERAUTH_INFO_RESPONSE)
Incoming packet #0x8, type 52 / 0x34 (SSH2_MSG_USERAUTH_SUCCESS)
Event Log: Access granted
Event Log: Requesting remote port 9000 forward to 127.0.0.1:9000
Event Log: Opening main session channel
Outgoing packet #0xa, type 80 / 0x50 (SSH2_MSG_GLOBAL_REQUEST)
00000000 00 00 00 0d 74 63 70 69 70 2d 66 6f 72 77 61 72 ....tcpip-forwar
00000010 64 01 00 00 00 09 6c 6f 63 61 6c 68 6f 73 74 00 d.....localhost.
00000020 00 23 28 .#(
Outgoing packet #0xb, type 90 / 0x5a (SSH2_MSG_CHANNEL_OPEN)
00000000 00 00 00 07 73 65 73 73 69 6f 6e 00 00 01 00 00 ....session.....
00000010 00 40 00 00 00 40 00 .@...@.
Incoming packet #0x9, type 80 / 0x50 (SSH2_MSG_GLOBAL_REQUEST)
00000000 00 00 00 17 68 6f 73 74 6b 65 79 73 2d 30 30 40 ....hostkeys-00@
00000010 6f 70 65 6e 73 73 68 2e 63 6f 6d 00 00 00 01 17 openssh.com.....
00000020 00 00 00 07 73 73 68 2d 72 73 61 00 00 00 03 01 ....ssh-rsa.....
...
Incoming packet #0xa, type 4 / 0x04 (SSH2_MSG_DEBUG)
00000010 2f 2e 73 73 68 2f 61 75 74 68 6f 72 69 7a 65 64 /.ssh/authorized
00000020 5f 6b 65 79 73 3a 31 3a 20 6b 65 79 20 6f 70 74 _keys:1: key opt
00000030 69 6f 6e 73 3a 20 61 67 65 6e 74 2d 66 6f 72 77 ions: agent-forw
00000040 61 72 64 69 6e 67 20 70 6f 72 74 2d 66 6f 72 77 arding port-forw
00000050 61 72 64 69 6e 67 20 70 74 79 20 75 73 65 72 2d arding pty user-
00000060 72 63 20 78 31 31 2d 66 6f 72 77 61 72 64 69 6e rc x11-forwardin
00000070 67 00 00 00 00 g....
Event Log: Remote debug message: /home/whatever/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Incoming packet #0xb, type 4 / 0x04 (SSH2_MSG_DEBUG)
00000010 2f 2e 73 73 68 2f 61 75 74 68 6f 72 69 7a 65 64 /.ssh/authorized
00000020 5f 6b 65 79 73 3a 31 3a 20 6b 65 79 20 6f 70 74 _keys:1: key opt
00000030 69 6f 6e 73 3a 20 61 67 65 6e 74 2d 66 6f 72 77 ions: agent-forw
00000040 61 72 64 69 6e 67 20 70 6f 72 74 2d 66 6f 72 77 arding port-forw
00000050 61 72 64 69 6e 67 20 70 74 79 20 75 73 65 72 2d arding pty user-
00000060 72 63 20 78 31 31 2d 66 6f 72 77 61 72 64 69 6e rc x11-forwardin
00000070 67 00 00 00 00 g....
Incoming packet #0xc, type 82 / 0x52 (SSH2_MSG_REQUEST_FAILURE)
Incoming packet #0xd, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
00000000 00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00 ................
Event Log: Remote debug message: /home/whatever/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Event Log: Remote port forwarding from 9000 refused
Event Log: Opened main channel
Outgoing packet #0xc, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01 ........pty-req.
00000010 00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00 ....xterm...P...
00000020 18 00 00 00 00 00 00 00 00 00 00 00 15 03 00 00 ................
00000030 00 7f 2a 00 00 00 01 80 00 00 96 00 81 00 00 96 ...............
00000040 00 00 ..
Outgoing packet #0xd, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 05 73 68 65 6c 6c 01 ........shell.
Incoming packet #0xe, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
00000000 00 00 01 00 ....
Incoming packet #0xf, type 93 / 0x5d (SSH2_MSG_CHANNEL_WINDOW_ADJUST)
00000000 00 00 01 00 00 20 00 00 ..... ..
Incoming packet #0x10, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
00000000 00 00 01 00 ....
Incoming packet #0x11, type 94 / 0x5e (SSH2_MSG_CHANNEL_DATA)
00000000 00 00 01 00 00 00 01 53 41 75 74 6f 70 75 73 68 .......SAutopush
00000010 69 6e 67 20 6c 6f 67 69 6e 20 72 65 71 75 65 73 ing login reques
00000020 74 20 74 6f 20 70 68 6f 6e 65 2e 2e 2e 0d 0a 53 t to phone.....S
00000030 75 63 63 65 73 73 2e 20 4c 6f 67 67 69 6e 67 20 uccess. Logging
00000040 79 6f 75 20 69 6e 2e 2e 2e 0d 0a 57 65 6c 63 6f you in.....Welco
00000050 6d 65 20 74 6f 20 55 62 75 6e 74 75 20 32 30 2e me to Ubuntu 20.
00000060 30 34 2e 34 20 4c 54 53 20 28 47 4e 55 2f 4c 69 04.4 LTS (GNU/Li
00000070 6e 75 78 20 35 2e 31 33 2e 30 2d 31 30 32 35 2d nux 5.13.0-1025-
00000080 61 77 73 20 78 38 36 5f 36 34 29 0d 0a 0d 0a 20 aws x86_64)....
00000090 2a 20 44 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 3a * Documentation:
000000a0 20 20 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 75 https://help.u
000000b0 62 75 6e 74 75 2e 63 6f 6d 0d 0a 20 2a 20 4d 61 buntu.com.. * Ma
000000c0 6e 61 67 65 6d 65 6e 74 3a 20 20 20 20 20 68 74 nagement: ht
000000d0 74 70 73 3a 2f 2f 6c 61 6e 64 73 63 61 70 65 2e tps://landscape.
000000e0 63 61 6e 6f 6e 69 63 61 6c 2e 63 6f 6d 0d 0a 20 canonical.com..
000000f0 2a 20 53 75 70 70 6f 72 74 3a 20 20 20 20 20 20 * Support:
00000100 20 20 68 74 74 70 73 3a 2f 2f 75 62 75 6e 74 75 https://ubuntu
00000110 2e 63 6f 6d 2f 61 64 76 61 6e 74 61 67 65 0d 0a .com/advantage..
00000120 0d 0a 20 20 53 79 73 74 65 6d 20 69 6e 66 6f 72 .. System infor
00000130 6d 61 74 69 6f 6e 20 61 73 20 6f 66 20 54 75 65 mation as of Tue
00000140 20 4a 75 6e 20 32 31 20 31 33 3a 34 33 3a 32 34 Jun 21 13:43:24
00000150 20 50 44 54 20 32 30 32 32 0d 0a PDT 2022..
Incoming packet #0x12, type 94 / 0x5e (SSH2_MSG_CHANNEL_DATA)
00000000 00 00 01 00 00 00 00 7e 0d 0a 20 20 53 79 73 74 .......~.. Syst
00000010 65 6d 20 6c 6f 61 64 3a 20 20 30 2e 30 20 20 20 em load: 0.0
00000020 20 20 20 20 20 20 20 20 20 20 20 20 20 50 72 6f Pro
00000030 63 65 73 73 65 73 3a 20 20 20 20 20 20 20 20 20 cesses:
00000040 20 20 20 20 31 36 34 0d 0a 20 20 55 73 61 67 65 164.. Usage
00000050 20 6f 66 20 2f 3a 20 20 20 37 37 2e 33 25 20 6f of /: 77.3% o
00000060 66 20 39 36 2e 38 38 47 42 20 20 20 55 73 65 72 f 96.88GB User
00000070 73 20 6c 6f 67 67 65 64 20 69 6e 3a 20 20 20 20 s logged in:
00000080 20 20 20 31 0d 0a 1..
Incoming packet #0x13, type 94 / 0x5e (SSH2_MSG_CHANNEL_DATA)
00000000 00 00 01 00 00 00 00 5d 20 20 4d 65 6d 6f 72 79 .......] Memory
00000010 20 75 73 61 67 65 3a 20 36 30 25 20 20 20 20 20 usage: 60%
00000020 20 20 20 20 20 20 20 20 20 20 20 49 50 76 34 20 IPv4
00000030 61 64 64 72 65 73 73 20 66 6f 72 20 65 74 68 30 address for eth0
00000040 3a 20 31 37 32 2e 33 31 2e 33 32 2e 32 34 31 0d : 172.31.32.241.
00000050 0a 20 20 53 77 61 70 20 75 73 61 67 65 3a 20 20 . Swap usage:
00000060 20 30 25 0d 0a 0%..
Incoming packet #0x14, type 94 / 0x5e (SSH2_MSG_CHANNEL_DATA)
00000000 00 00 01 00 00 00 00 02 0d 0a ..........
Incoming packet #0x15, type 94 / 0x5e (SSH2_MSG_CHANNEL_DATA)
00000000 00 00 01 00 00 00 00 df 20 20 3d 3e 20 54 68 65 ........ => The
00000010 72 65 20 69 73 20 31 20 7a 6f 6d 62 69 65 20 70 re is 1 zombie p
00000020 72 6f 63 65 73 73 2e 0d 0a 0d 0a 20 2a 20 55 62 rocess..... * Ub
00000030 75 6e 74 75 20 50 72 6f 20 64 65 6c 69 76 65 72 untu Pro deliver
00000040 73 20 74 68 65 20 6d 6f 73 74 20 63 6f 6d 70 72 s the most compr
00000050 65 68 65 6e 73 69 76 65 20 6f 70 65 6e 20 73 6f ehensive open so
00000060 75 72 63 65 20 73 65 63 75 72 69 74 79 20 61 6e urce security an
00000070 64 0d 0a 20 20 20 63 6f 6d 70 6c 69 61 6e 63 65 d.. compliance
00000080 20 66 65 61 74 75 72 65 73 2e 0d 0a 0d 0a 20 20 features.....
00000090 20 68 74 74 70 73 3a 2f 2f 75 62 75 6e 74 75 2e https://ubuntu.
000000a0 63 6f 6d 2f 61 77 73 2f 70 72 6f 0d 0a 0d 0a 20 com/aws/pro....
000000b0 20 47 65 74 20 63 6c 6f 75 64 20 73 75 70 70 6f Get cloud suppo
000000c0 72 74 20 77 69 74 68 20 55 62 75 6e 74 75 20 41 rt with Ubuntu A
000000d0 64 76 61 6e 74 61 67 65 20 43 6c 6f 75 64 20 47 dvantage Cloud G
000000e0 75 65 73 74 3a 0d 0a uest:..
Event Log: Allocated pty
Event Log: Started a shell/command
Incoming packet #0x16, type 94 / 0x5e (SSH2_MSG_CHANNEL_DATA)
00000000 00 00 01 00 00 00 00 bc 20 20 20 20 68 74 74 70 ........ http
00000010 3a 2f 2f 77 77 77 2e 75 62 75 6e 74 75 2e 63 6f ://www.ubuntu.co
00000020 6d 2f 62 75 73 69 6e 65 73 73 2f 73 65 72 76 69 m/business/servi
00000030 63 65 73 2f 63 6c 6f 75 64 0d 0a 0d 0a 30 20 75 ces/cloud....0 u
00000040 70 64 61 74 65 73 20 63 61 6e 20 62 65 20 61 70 pdates can be ap
00000050 70 6c 69 65 64 20 69 6d 6d 65 64 69 61 74 65 6c plied immediatel
00000060 79 2e 0d 0a 0d 0a 0d 0a 2a 2a 2a 20 53 79 73 74 y.......** Syst
00000070 65 6d 20 72 65 73 74 61 72 74 20 72 65 71 75 69 em restart requi
00000080 72 65 64 20 2a 2a 2a 0d 0a 4c 61 73 74 20 6c 6f red ***..Last lo
00000090 67 69 6e 3a 20 54 75 65 20 4a 75 6e 20 32 31 20 gin: Tue Jun 21
000000a0 31 33 3a 34 31 3a 35 36 20 32 30 32 32 20 66 72 13:41:56 2022 fr
000000b0 6f 6d 20 31 30 34 2e 34 38 2e 31 36 35 2e 32 32 om 104.48.165.22
000000c0 32 0d 0d 0a 2...
Incoming packet #0x17, type 94 / 0x5e (SSH2_MSG_CHANNEL_DATA)
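The "Further authentication required" step in the PuTTY log is the server's SSH2_MSG_USERAUTH_FAILURE with the partial-success flag set (RFC 4252, section 5.1): publickey was accepted, but the server still wants keyboard-interactive, which is where the pam_duo push prompt lives. A client that treats every USERAUTH_FAILURE as a dead end cannot finish such a login. The following added example (not code from SSHFS-Win, WinFsp, PuTTY or the poster) decodes the two failure payloads captured above and shows the decision a client has to make at that point.

```python
# Added example for this discussion (not SSHFS-Win, WinFsp or PuTTY code):
# decode the SSH2_MSG_USERAUTH_FAILURE payload (RFC 4252, section 5.1) that a
# server sends after each authentication attempt and decide what to do next.
import struct

SSH2_MSG_USERAUTH_FAILURE = 51  # message type byte; PuTTY's dumps omit it


def read_name_list(buf: bytes, offset: int):
    """Parse an SSH name-list: uint32 length followed by comma-separated names."""
    if len(buf) < offset + 4:
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if len(buf) < end:
        raise ValueError("truncated name-list body")
    names = [n for n in buf[start:end].decode("ascii").split(",") if n]
    return names, end


def parse_userauth_failure(payload: bytes) -> dict:
    """payload = the bytes after the type byte, exactly as PuTTY's dump shows:
    name-list 'authentications that can continue', boolean 'partial success'."""
    methods, pos = read_name_list(payload, 0)
    if len(payload) < pos + 1:
        raise ValueError("missing partial-success flag")
    return {"methods": methods, "partial_success": payload[pos] != 0}


def next_step(payload: bytes, completed: list) -> str:
    """partial_success=True means the last method (e.g. publickey) was accepted
    but the server requires more; the client must run one of the listed methods
    instead of giving up. partial_success=False means the attempt was rejected."""
    info = parse_userauth_failure(payload)
    remaining = [m for m in info["methods"] if m not in completed]
    if info["partial_success"]:
        if "keyboard-interactive" in remaining:
            return "continue:keyboard-interactive"  # where the Duo push prompt runs
        return "continue:" + (remaining[0] if remaining else "none")
    return "rejected:" + ",".join(info["methods"])


# Payloads copied from the PuTTY log above (incoming packets #0x4 and #0x6).
AFTER_NONE = bytes.fromhex("00000009" "7075626c69636b6579" "00")
AFTER_PUBKEY = bytes.fromhex("00000014" "6b6579626f6172642d696e7465726163746976" "65" "01")

if __name__ == "__main__":
    print(parse_userauth_failure(AFTER_NONE))      # publickey, partial False
    print(next_step(AFTER_PUBKEY, ["publickey"]))  # continue:keyboard-interactive
```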