3

I'm trying to write a Python 3 script that will connect to a remote server via ssh and run a command, using the paramiko module.

The remote server uses Duo 2 factor authentication and prompts you to select an authentication mode when connecting using ssh:

$ ssh [email protected]
Duo two-factor login for myuser

Enter a passcode or select one of the following options:

 1. Duo Push to +XXX XX-XXX-1111
 2. Phone call to +XXX XX-XXX-1111
 3. SMS passcodes to +XXX XX-XXX-1111

Passcode or option (1-3): 1
Success. Logging you in...

When I use ssh in the terminal, I just press 1 and then Enter, get the push to my phone where I aprove the connection, and then I'm logged in.

I have not been able to do that in Python unfortunately. Here's the code I tried using:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ssh.connect('remoteserver.com', port=22, username='myuser', password='mypassword')
stdin, stdout, stderr = ssh.exec_command('ls -l')
output = stdout.readlines()
print(output)

If I try the same code on a remote server without 2FA, it works as expected but with this server, I get an authenticatino error:

paramiko.ssh_exception.AuthenticationException: Authentication failed.

Any help would be greatly appreciated.

Improve this question
1

1 Answer 1

Reset to default
5

Having just finally solved this problem myself in one of my projects going to leave the code I used which allowed for this work.

The main takeaway is that paramiko does allow for this to be done in the transport and prompts list and in my case i was missing the publickey method in my two_factor_types

def _auth(self, username, password, pkey, *args):
    self.password = password
    saved_exception = None
    two_factor = False
    allowed_types = set()
    two_factor_types = {'keyboard-interactive', 'password', 'publickey'}

References:
Paramiko/Python: Keyboard interactive authentication
https://github.com/paramiko/paramiko/pull/467
https://github.com/paramiko/paramiko/pull/467/commits/dae916f7bd6723cee95891778baff51ef45532ee
http://docs.paramiko.org/en/stable/api/transport.html

I would recommend trying something along the lines of auth_interactive_dumb

auth_interactive_dumb(username, handler=None, submethods='')

Authenticate to the server interactively but dumber. Just print the prompt and / or instructions to stdout and send back the response. This is good for situations where partial auth is achieved by key and then the user has to enter a 2fac token.

For more full example see excerpt and link below

Full SSH CLient Class for reference:

class SSHClient(paramiko.SSHClient):
    duo_auth = False

    def handler(self, title, instructions, prompt_list):
        answers = []
        global duo_auth

        if title.startswith('Duo two-factor login'):
            duo_auth = True
            raise SSHException("Expecting one field only.")

        for prompt_, _ in prompt_list:
            prompt = prompt_.strip().lower()
            if prompt.startswith('password'):
                answers.append(self.password)
            elif prompt.startswith('verification'):
                answers.append(self.totp)
            elif prompt.startswith('passcode'):
                answers.append(self.totp)
            else:
                raise ValueError('Unknown prompt: {}'.format(prompt_))
        return answers

    def auth_interactive(self, username, handler):
        if not self.totp:
            raise ValueError('Need a verification code for 2fa.')
        self._transport.auth_interactive(username, handler)

    def _auth(self, username, password, pkey, *args):
        self.password = password
        saved_exception = None
        two_factor = False
        allowed_types = set()
        two_factor_types = {'keyboard-interactive', 'password', 'publickey'}

        agent = paramiko.Agent()
        try:
            agent_keys = agent.get_keys()
            # if len(agent_keys) == 0:
            # return
        except:
            pass

        for key in agent_keys:
            logging.info("Trying ssh-agent key %s" % hexlify(key.get_fingerprint()))
            try:
                self._transport.auth_publickey(username, key)
                logging.info("... success!")
                return
            except paramiko.SSHException as e:
                logging.info("... nope.")
                saved_exception = e

        if pkey is not None:
            logging.info('Trying publickey authentication')
            try:
                allowed_types = set(
                    self._transport.auth_publickey(username, pkey)
                )
                two_factor = allowed_types & two_factor_types
                if not two_factor:
                    return
            except paramiko.SSHException as e:
                saved_exception = e

        if duo_auth or two_factor:
            logging.info('Trying 2fa interactive auth')
            return self.auth_interactive(username, self.handler)

        if password is not None:
            logging.info('Trying password authentication')
            try:
                self._transport.auth_password(username, password)
                return
            except paramiko.SSHException as e:
                saved_exception = e
                allowed_types = set(getattr(e, 'allowed_types', []))
                two_factor = allowed_types & two_factor_types

        assert saved_exception is not None
        raise saved_exception
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.