
Two-factor authentication support (pubkey and password)

Open Jackkal opened this issue 3 years ago • 2 comments

This patch introduces two-factor authentication to require both password and pubkey authentication. The two-factor authentication can be enabled with "-t".

Background: We are using ssh in an environment where the security policy mandates multi-method authentication for SSH (both password and pubkey). Dropbear does not currently support this, but this is defined in the RFC and supported by other mainstream SSH servers. Unfortunately the security policy cannot be changed. The patch is kept very small, and code flow is not changed when the -t option is not used, to avoid any regressions. Only 1 new variable is introduced to keep track of the config setting. The existing variable ses.authstate.authtypes is used to keep track of the successful authentications, and a "partial success" message as defined in RFC 4252 is sent after one of the auth methods has successfully completed. The patch was validated with different ssh clients (dbclient, openssh, putty).

Jackkal avatar Apr 29 '22 14:04 Jackkal
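The partial-success flow described in the PR description above, as an added C sketch that is not the patch and not Dropbear's code. The names `auth_state`, `auth_reply`, `auth_attempt` and the `METHOD_*` bits are hypothetical, and treating a repeated success of an already completed method as no progress is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
/* Message numbers from RFC 4252. */
#define SSH_MSG_USERAUTH_FAILURE 51
#define SSH_MSG_USERAUTH_SUCCESS 52
/* Hypothetical method bits for this sketch, not Dropbear's definitions. */
#define METHOD_PUBKEY   (1u << 0)
#define METHOD_PASSWORD (1u << 1)
#define METHOD_REQUIRED (METHOD_PUBKEY | METHOD_PASSWORD)
struct auth_state { int two_factor; unsigned done; };  /* two_factor models "-t" */
struct auth_reply {
    int msg;                /* SSH_MSG_USERAUTH_FAILURE or _SUCCESS */
    int partial_success;    /* boolean carried in USERAUTH_FAILURE */
    char can_continue[32];  /* name-list of methods still accepted */
};

/* Handle one attempt; cred_ok is the outcome of the credential check itself. */
struct auth_reply auth_attempt(struct auth_state *s, unsigned method, int cred_ok)
{
    struct auth_reply r = { SSH_MSG_USERAUTH_FAILURE, 0, "" };
    unsigned before = s->done, remaining = METHOD_REQUIRED;
    if (!s->two_factor) {
        /* Single-method mode: one valid credential completes the login. */
        if (cred_ok && (method & METHOD_REQUIRED)) r.msg = SSH_MSG_USERAUTH_SUCCESS;
    } else {
        /* Record each required method once; the login completes only when
           every required bit is set, so one factor cannot count twice. */
        if (cred_ok) s->done |= method & METHOD_REQUIRED;
        remaining = METHOD_REQUIRED & ~s->done;
        if (remaining == 0) r.msg = SSH_MSG_USERAUTH_SUCCESS;
    }
    if (r.msg == SSH_MSG_USERAUTH_SUCCESS) return r;
    r.partial_success = (s->done != before);  /* true only if this attempt added a factor */
    if (remaining & METHOD_PUBKEY) strcat(r.can_continue, "publickey");
    if (remaining & METHOD_PASSWORD)
        strcat(r.can_continue, r.can_continue[0] ? ",password" : "password");
    return r;
}

int main(void)
{
    struct auth_state s = { 1, 0 };   /* two-factor enabled */
    unsigned order[] = { METHOD_PUBKEY, METHOD_PUBKEY, METHOD_PASSWORD };
    for (int i = 0; i < 3; i++) {
        struct auth_reply r = auth_attempt(&s, order[i], 1);
        printf("msg=%d partial=%d continue=%s\n", r.msg, r.partial_success, r.can_continue);
    }
    return 0;
}
```

When testing a server configured this way, the state to check for is a USERAUTH_SUCCESS arriving while a required method is still outstanding.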

Thanks @Jackkal. This looks good, I'll try it out and give it a closer review soon.

mkj avatar May 02 '22 02:05 mkj

Hi @mkj, did you manage to take a closer look at the PR? Do you have any specific comments/concerns regarding the feature or the approach? Thanks.

Jackkal avatar Jun 24 '22 08:06 Jackkal

Thanks for the PR, sorry I took so long to get it merged.

mkj avatar Nov 09 '22 09:11 mkj