Hi,
I am attempting to set up Google Auth/two-factor with public key authentication. So the use case we require is:
Log in from the ThinLinc client with the private key, type the passphrase, prompt for two-factor, session begins.
However, it seems that the ThinLinc client returns “You are not authorised to connect to this server”.
If you connect from a text ssh session it logs in as you would expect with pass phrase and two factor code. I have looked through other threads that have mentioned there is a problem with using both private key and password auth however we are just using private key and two factor.
Is this a supported combination? There seems to be some conflicting info regarding this.
System is Ubuntu with sshd_config:
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
Just for the sheer hell of it I experimented by binary patching the tlclient.bin, placing a zero byte at the start of the “ChallengeResponseAuthentication=no” and “KbdInteractiveAuthentication=no” strings, and with this hack, 2FA with an SSH key and an OTP using Google Auth worked perfectly.
To prevent being asked for a second OTP, you can also set “grace_period=15” in the pam_google_authenticator.so parameters.
(This is on the Linux x86_64 client, version 4.17.0)
Unfortunately, since this is a hack it’s not something I can roll out to other users, however corporate are mandating SSH keys + 2FA.
Perhaps in the configuration for SSH key, the ThinLinc client could provide a tick box that disables sending the above strings to the SSH client?
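
A server-side check for the sshd_config combination discussed in this thread, as an added example that is not part of either post and is not ThinLinc or OpenSSH code. The function names and both sample configs are constructed; the check reads only the global section of the file and assumes upstream OpenSSH defaults for options that are not set.

```python
# Added example: check an sshd_config for "SSH key + PAM one-time code".
# Function names and both sample configs are constructed for illustration.
KNOWN = {"publickey", "password", "keyboard-interactive",
         "hostbased", "gssapi-with-mic", "none", "any"}
# Upstream OpenSSH defaults for the options read below (assumption).
DEFAULTS = {"usepam": "no", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "authenticationmethods": "any"}
# Older option name kept by sshd as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Effective global options; sshd uses the first value it reads."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # simplification: Match blocks are not evaluated
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(ALIASES.get(key, key), value)
    return {**DEFAULTS, **opts}

def check_key_plus_otp(text):
    """Return a list of problems; an empty list means both factors are required."""
    o = parse_global(text)
    problems = []
    for key in ("usepam", "pubkeyauthentication", "kbdinteractiveauthentication"):
        if o[key].lower() != "yes":
            problems.append(key + " is not yes")
    # Space-separated lists are alternatives; commas chain methods in one list.
    for item in o["authenticationmethods"].split():
        names = [m.split(":", 1)[0] for m in item.split(",")]
        problems += ["unknown method: " + n for n in names if n not in KNOWN]
        if not {"publickey", "keyboard-interactive"} <= set(names):
            problems.append("does not require key and OTP: " + item)
    return problems

GOOD = """UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
"""
# Constructed weak variant: a space instead of a comma makes either factor enough.
WEAK = GOOD.replace("publickey,keyboard", "publickey keyboard")
```

`check_key_plus_otp(GOOD)` returns an empty list, while `check_key_plus_otp(WEAK)` reports both alternative lists because each one lets a single factor complete the login.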