How to prompt users for Duo MFA after entering username/password on master

Hello,

I am pretty new to ThinLinc but trying to tinker a few things. I am needing to force users to be prompted for Duo when logging into the ThinLinc master. Users will be prompted when attempting to access the server via ssh connections but not while logging in through ThinLinc. I have attempted to follow the documentation from Google Authenticator being added but it does not seem to work. Any help would be appreciated.

Thanks,

Hi @pzc0065,

I believe @wilsj has been helping you with this via other channels, but if you do manage to solve the issue, it would be great if you could update this thread with your findings. It might help others with the same question in future, and would be much appreciated :slight_smile:

Let us know how you get on!

Hello Aaron,

Yes, I am receiving assistance with this now. I will provide notes on our findings once this is resolved. Thank you to both you and @wilsj.

Has this been resolved? We’re having the exact same issue.

Hi @Adam,

Looking through the support tickets, I don’t think this was resolved. @pzc0065 is that correct?

Which client were you experiencing the issue with, the native client, the web client, or both?

Hi Aaron,

We’ve been working with the native client: we’re only allowing ssh-keys as the first authentication factor and because I don’t know if we can apply the same restrictions (eg: -noclipboard as an xserver argument) to a web session.

Our sshd_config file restricts user logins to the vsmagent:

    Match User *,!cfgmgt
        ForceCommand thinlinc-login -c "${SSH_ORIGINAL_COMMAND}"
        AuthenticationMethods publickey

What doesn’t work is when we try this:

    Match User *,!cfgmgt
        ForceCommand thinlinc-login -c "${SSH_ORIGINAL_COMMAND}"
        AuthenticationMethods publickey keyboard-interactive:pam

…without ForceCommand defined we can ssh in directly and get the expected DUO response.

Thank you,

Adam
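
An added example, not part of any post in this thread: per sshd_config(5), methods joined by commas in `AuthenticationMethods` must all succeed, while whitespace separates alternative lists, so a checker like the one below shows which `Match` blocks actually demand both factors. The sample config is constructed from the fragments quoted above; the `mfa-test` user and all function names are hypothetical.

```python
# Added example: audit AuthenticationMethods per Match block in an sshd_config.
# sshd_config(5): comma-joined methods form one list that must ALL succeed;
# whitespace separates alternative lists, any ONE of which is sufficient.

SAMPLE_CONFIG = '''\
# constructed sample, modelled on the fragments quoted in this thread
Match User *,!cfgmgt
    ForceCommand thinlinc-login -c "${SSH_ORIGINAL_COMMAND}"
    AuthenticationMethods publickey keyboard-interactive:pam
# hypothetical second block, added for comparison
Match User mfa-test
    AuthenticationMethods publickey,keyboard-interactive:pam
'''

def parse_auth_methods(config_text):
    """Return {scope: [[method, ...], ...]} for each AuthenticationMethods line."""
    scope, result = "global", {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # sshd keywords are case-insensitive
        args = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + args         # later settings belong to this block
        elif keyword == "authenticationmethods":
            result[scope] = [lst.split(",") for lst in args.split()]
    return result

def audit(config_text, required=("publickey", "keyboard-interactive")):
    """Map each scope to True only if EVERY alternative list has all required methods."""
    report = {}
    for scope, lists in parse_auth_methods(config_text).items():
        report[scope] = all(
            # strip submethod suffixes such as ":pam" before comparing
            set(required) <= {m.split(":", 1)[0] for m in chain}
            for chain in lists
        )
    return report

if __name__ == "__main__":
    for scope, enforced in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: second factor enforced = {enforced}")
```

The checker reads blocks as written and does not compute the effective configuration; `sshd -T` with a `-C` connection spec prints what sshd itself resolves for a given user.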

Hello,

We were never able to resolve the issue. From what I recall, the changes must be made within the thinlinc file located within /etc/pam.d/thinlinc. Here there is a symlink between sshd and thinlinc config files. I would make changes here but it seemed to cause more harm than good.

@Adam probably the issue you’re running into is this one here:

https://bugzilla.cendio.com/show_bug.cgi?id=4962

You may find some useful info in the comments there. But to summarise, the ThinLinc client unfortunately doesn’t support chaining together multiple authentication methods as per your PAM configuration above.

I hope that answers your question, but let me know if you need further info.