Forum / NoMachine for Windows / SSH authentication behavior
- This topic has 4 replies, 2 voices, and was last updated 7 years ago by
ebrandsberg.
July 19, 2018 at 07:47 #19044
ebrandsberg
Participant
Context, NoMachine Windows -> NoMachine on Linux via SSH
Authentication on the Linux side uses a) SSH keys (with password), b) Google authenticator and c) Unix password
The first issue is that when using ssh, it prompts for the ssh key passphrase even when puttyagent is being used to provide the key. This is confusing, as when puttyagent does provide the key, the passphrase is actually used to answer the google authenticator prompt. This is very confusing to users.
The second issue is that after passing the google authenticator prompt, it says authorization failed since the final unix password prompt is generated. The SSH handler should be aware of the different prompts for different purposes and generate a challenge to the user that provides proper context. Now, even though it says it failed, if they provide the Unix password, it does finally authenticate, but the prompts are extremely confusing.
I know that the preferred protocol is to use NX, but for our customers whose data we are supporting, we want to be able to say that the ONLY protocol that is exposed for the server in question to the outside world is SSH. Is there any expected improvement in the handling of the ssh prompts to make them more context aware?
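The context-aware prompt handling asked for in the post above, sketched as an added example (not part of the original thread and not NoMachine's code). The prompt texts, function names and status strings are assumptions; the sample rounds are constructed to match the Google Authenticator and Unix password steps described in the post.

```python
import re

# Prompt texts are assumptions: "Verification code:" is what the Google
# Authenticator PAM module asks by default, "Password:" is typical of pam_unix.
PROMPT_KINDS = [
    ("otp", re.compile(r"verification code|one[- ]time|authenticator", re.I),
     "Google Authenticator code"),
    ("unix_password", re.compile(r"\bpassword\b", re.I), "Unix account password"),
]

def classify(prompt):
    """Return (kind, label) for one server keyboard-interactive prompt."""
    for kind, pattern, label in PROMPT_KINDS:
        if pattern.search(prompt):
            return kind, label
    return "unknown", prompt.strip()  # fall back to the server's own text

def needs_passphrase(key_encrypted, agent_has_key):
    """Ask for the key passphrase only when the client decrypts the key itself."""
    return key_encrypted and not agent_has_key

def run_login(rounds, secrets, key_encrypted=True, agent_has_key=False):
    """Walk the server's prompt rounds; return (ui_labels, answers, status).

    rounds  -- list of rounds, each a list of (prompt_text, echo) tuples
    secrets -- dict kind -> value, standing in for what the user would type
    """
    ui, answers = [], []
    if needs_passphrase(key_encrypted, agent_has_key):
        # The passphrase is used locally only and never goes into `answers`.
        ui.append("Passphrase for SSH private key")
    for rnd in rounds:
        for prompt, _echo in rnd:
            kind, label = classify(prompt)
            ui.append(label)
            if kind not in secrets:
                return ui, answers, "need_input:" + kind
            answers.append((kind, secrets[kind]))
        # A further round after this one is the next factor, not a failure.
    return ui, answers, "awaiting_server_result"

# Constructed sample: the two server-side rounds described in the post.
SAMPLE_ROUNDS = [[("Verification code: ", False)], [("Password: ", False)]]
```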
July 20, 2018 at 15:43 #19074
Tor
Participant
I’m surprised your authentication works! 😀 We don’t officially support a three-factor authentication, so I’m sure there is a lot of space for improvements. We’re doing tests in our labs to identify problems and required changes, I’ll send you an update as soon as we complete the investigation. Thank you for sharing your configuration. 🙂
July 23, 2018 at 09:18 #19079
ebrandsberg
Participant
To be honest, I’m surprised every time a complex tool allows authentication this way. It is, however, technically four factor authentication. 1) ssh key itself 2) the passcode to decrypt the ssh key, 3) google authenticator 4) the unix password. If there is any assistance needed to set this up, please let me know, as the authentication setup is quite confusing, in particular when puttyagent kicks in and bypasses the ssh key password for the user.
August 10, 2018 at 19:41 #19299
Tor
Participant
Hi. We’re working on a version that allows configuring the authentication through SSH agent and handles multiple factors better. There are still some doubts about what to show to users and how to retrieve correct information, I’ll try to pack a testing version as soon as all changes are completed.
August 13, 2018 at 09:03 #19300
ebrandsberg
Participant
I’m looking forward to testing a new version. My users are as well! If you want to look at another program that handled this well, WinSCP handles this cleanly, so you can use that as a baseline.