@MattCatz
Contributor

Keyboard-interactive events can have multiple steps. Tweak the existing kbd_callback to massage prompts into a format that an end user can handle from python.

New public method userauth_keyboardinteractive_callback added to the session class to maintain backwards compatibility. See new example script for usage.

I didn't add any new test case since I'm not really sure how it would fit into the existing set-up. To test locally I spun up an SSH server inside a Docker container and pointed the example script at it. Below is an example command I used:

```
OTP=$(oathtool --totp -d 6 12345678909876543210)
python ./examples/keyboard_interactive_auth.py --host 127.0.0.1 --port 2022 -u sshuser $OTP 552099 hostname
```
Example Dockerfile

SSH server with MFA

```dockerfile
FROM debian:latest

RUN apt-get update && apt-get install -y \
  openssh-server \
  libpam-oath \
  oathtool \
  && rm -rf /var/lib/apt/lists/*

# Test user; the -p value is a pre-computed crypt(3) password hash
RUN groupadd sshgroup
RUN useradd -ms /bin/bash -g sshgroup -p '$1$sshuser$TCmWDAEGpJ.Z.Sj/NN02I.' sshuser

# Shared OATH secret (hex) for sshuser: time-based, 30-second step, 6 digits
RUN echo 'HOTP/T30/6 sshuser - 12345678909876543210' > /etc/users.oath
RUN chmod 600 /etc/users.oath
# Require a one-time password from pam_oath in the sshd PAM stack
RUN echo 'auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6' >> /etc/pam.d/sshd
RUN cat /etc/pam.d/sshd

# Enable keyboard-interactive authentication in sshd
RUN echo 'ChallengeResponseAuthentication yes \nKbdInteractiveAuthentication yes\n' >> /etc/ssh/sshd_config.d/otp.conf
RUN service ssh start
EXPOSE 22
CMD ["/usr/sbin/sshd","-D"]
```


Keyboard-interactive events can have multiple steps. Tweak the existing
`kbd_callback` to massage prompts into a format that an end user can
handle from python.

New public method `userauth_keyboardinteractive_callback` added to the session
class to maintain backwards compatibility. See new example script for usage.
@MattCatz MattCatz requested a review from pkittenis as a code owner September 21, 2023 03:14
@pkittenis
Member

Thanks, will update branch to get this in.

@pkittenis
Member

Updated in #225 - added tests, merged with latest master.

@pkittenis pkittenis closed this Oct 3, 2025