TOTP support

[simbun]

I'm currently using the Google Authenticator PAM module to enforce TOTP across a few of my servers, and I was wondering if you could support this?

When FFS encounters such a server the error from FFS is

Cannot find the following folders:

sftp://192.168.1.10/media/music
___________________________________________

Cannot read file attributes of "sftp://192.168.1.10".
LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED: Invalid signature for supplied public key, or bad username/public key combination [libssh2_userauth_publickey_frommemory]


Whilst in the auth.log you see

Jun 14 14:34:07 piMusicServer sshd[3737]: Received disconnect from 192.168.1.12 port 49970:11: FreeFileSync says "bye"! [preauth]
Jun 14 14:34:07 piMusicServer sshd[3737]: Disconnected from 192.168.1.12 port 49970 [preauth]


To make sure it's the TOTP requirement that caused the error I removed it from one server and it connected correctly.

Thanks

[Zenju]

Is this about adding two-factor authentication for SFTP or about some unrelated bug that happens to be triggered when Google Authenticator PAM module is available?

[simbun]

I removed the TOTP requirement from the sshd config and FFS was able to connect successfully, but with it enabled FFS fails, whilst WinSCP and MobaXterm are fine.
I've currently set a Match block in the sshd config that requires only publickey authentication for sftp only accounts (to get it working), but I'd rather have the secondary authentication available long-term.

[Zenju]

Is there some test server available that demonstrates this error?

[simbun]

I'm afraid there isn't one to my knowledge. I could build a Pi and stick in on a vlan if you wanted something to test against, but that would take a little time. Are you saying that you think it should be working?
Is there nothing I can run this end for you?

The following guide is how to set it up on Ubuntu:
https://www.digitalocean.com/community/tutorials/how-to-configure-multi-factor-authentication-on-ubuntu-18-04

[Zenju]

I could build a Pi and stick in on a vlan if you wanted something to test against, but that would take a little time.

That would be great! I just quickly tested setting up 2FA according to your link, but couldn't reproduce the login error.

Are you saying that you think it should be working?

If login works with different tools, it should work with FFS, too. But as always, nothing is guaranteed.

[simbun]

I just quickly tested setting up 2FA according to your link, but couldn't reproduce the login error.

That's strange, there's not a setting I should change for TOTP is there, as I'm only checking the Key file option and supplying the private key location?

Do you have a GPG key you could share, as I don't want to send out my server details and keys unencrypted if I can help it :-) I'll then send them across on email.
I've set up two accounts, one that needs TOTP in addition to a key and one that requires just a key so you can easily test both scenarios.

[simbun]

Any news on a key that I can use to encrypt the server details, or somewhere I can securely send them?

I've repurposed a Pi for this testing so would be good to get this done sooner rather than later.

[Zenju]

I don't have a GPG key, but you can encrypt the login info via this public key:

-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA1Oq/zre0HLevxfYLzoUj
mS1qL1Qemc6HoIqP9JmyGdk5uaiFtSSKOaWhFCVnzwiYe+BA4YXL1NIGI8mxMEek
V+HksO2rbOiAlvV35tPwWwgLNTMfE0QLnzGILS0T0yHM1My60r9Ca89CvprYdrAy
QWpV8ao1xV4OuWveAD8xxxtZlGtmOPREeWaH6UCgnoX6SJPXK/0uv0t2o+d9V/mC
xnr5XxLU8mrw4RiDn2SQoSEDzopXtO79SUo/PYxZvRewHEIT940JLMud1fkDMZ29
bkhkFrYNW1wAwZKBc5L1oeiuF8T/d9b5vIKiaZNlFTQTQ8pEMMdnR4+tze5SbqZz
0wIBEQ==
-----END PUBLIC KEY-----


https://www.czeskis.com/random/openssl-encrypt-file.html

[simbun]

Thanks. I've sent the files across using email.

[Zenju]

Unfortunately the LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED is not a bug (although the error message is misleading), but due to libssh2's missing support for two-factor: https://libssh2.org/mail/libssh2-devel-archive-2019-05/0020.shtml

Maybe two-factor isn't feasible with file syncing anyway?
As I understand it, two-factor authentication needs to run *each time* a new SSH session is created:

- If FFS is set up to use N sessions to speed up sync, N authentications (with user interaction!?) are required.
- When a session times out after ~20 seconds of being idle (e.g. the user examines the file list after a comparison, then wants to start sync), new authentications are needed!

[simbun]

That's surprising, and a little annoying, that libssh2 is missing TOTP support!

In terms of your other points; you can configure the Google TOTP PAM to allow the reuse of TOTP tokens (within a valid time interval), and you can also change the number of time intervals for which a token is valid (primarily to address time sync issues between servers) on a per user basis, so it'd be perfectly valid for me to allow reuse and make them valid for 2 time intervals, so, as long as all the sessions are authenticated within 60 seconds it should be fine (as long as sessions are reused).

Regarding the timeout, yes if the sessions do timeout they would require another token, which personally I don't think is a big deal, but can't the client also configure the timeout (I think OpenSSH achieves this by sending null packets to keep it alive)?

One of the main reasons I like to use TOTP is because it secures the servers against myself (or at least my PC), so even if I were to get malware on my PC, and the malware can read all the connections details from FFS (or any other product) it still can't get access to them without a TOTP token.

I get that TOTP muddies the waters with FFS functionality - especially realtime sync - so even if libssh2 did support it, I'd understand it if you were hesistant to implement it.

Thanks for looking into it for me.

[simbun]

I just had a quick look around and there is a sftp example on the libssh2 website that appears to implement TOTP (keyboard-interactive): https://www.libssh2.org/examples/sftp.html

Looking back at the forum post you linked to earlier it seems to be talking about an interaction between two clients (libssh2 and openssh) and not about keyboard-interactive logins generally not working.

Not expecting this to change anything, just thought it might be of some interest.