2FA / ssh tunnel #9

Closed
gothicVI opened this issue Sep 8, 2022 · 10 comments
@gothicVI
Contributor

gothicVI commented Sep 8, 2022

Me again ;)

Any chance to get 2FA via an interactive authentication working?
I even copied the .vscodium-server directory to the remote but when trying to connect I'm only getting:

[Info  - 06:08:08.798] Resolving ssh remote authority 'ssh-remote+HOSTNAME' (attemp #1)
[Trace  - 06:08:08.810] Identity keys:
/home/XXX/.ssh/id_rsa ssh-rsa SHA256:YYY
/home/XXX/.ssh/id_ecdsa ecdsa-sha2-nistp521 SHA256:ZZZ
[Info  - 06:08:08.840] Trying no-auth authentication
[Error  - 06:08:08.856] Error resolving authority
Error: All configured authentication methods failed
	at _e (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:140273)
	at t.RemoteSSHResolver.sshAuthHandler (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:379385)
	at authHandler (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:373963)
	at Ie (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:143146)
	at USERAUTH_FAILURE (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:132360)
	at 51 (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:283338)
	at e.exports.x (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:153888)
	at x.decrypt (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:246923)
	at e.exports.D [as _parse] (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:153412)
	at e.exports.parse (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:157215)
	at Socket.<anonymous> (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:139013)
	at Socket.emit (node:events:526:28)
	at Socket.emit (node:domain:475:12)
	at addChunk (node:internal/streams/readable:315:12)
	at readableAddChunk (node:internal/streams/readable:289:9)
	at Readable.push (node:internal/streams/readable:228:10)

As far as I can see in that file, keyboard interactive should in principle exist though it never seems to be called.
The host requires a PW and an interactive 2FA. Another host that also fails requires an identity key and an interactive 2FA.
Is there any more information I could provide?

@gothicVI
Contributor Author

gothicVI commented Sep 8, 2022

I've managed to get one step further using ssh-tunnel port forwarding:
Via ssh -f HOSTNAME -N -L localhost:9000:HOST:22 I can bind the remote port to localhost.
The ~/.ssh/config entry for HOSTNAME defines a jumphost that requires the 2FA authentication.
This works well and I can then in a terminal connect to HOST via ssh HOSTUSER@localhost -p 9000.
However, in VScodium I'm getting asked for a password of HOSTUSER that is not accepted, which is not the case in the terminal, as I have passwordless authentication via ssh keys enabled. The keys are specified in the HOSTNAME entry and the defined jumphost has ForwardAgent yes.
The log is:

[Info  - 07:22:34.910] Resolving ssh remote authority 'ssh-remote+HOSTUSER@localhost:9000' (attemp #1)
[Trace  - 07:22:34.925] Identity keys:
/home/XXX/.ssh/id_rsa ssh-rsa SHA256:YYY
/home/XXX/.ssh/id_ecdsa ecdsa-sha2-nistp521 SHA256:ZZZ
[Info  - 07:22:34.953] Trying no-auth authentication
[Info  - 07:22:34.960] Trying publickey authentication: /home/XXX/.ssh/id_rsa ssh-rsa SHA256:YYY
[Info  - 07:22:34.966] Trying publickey authentication: /home/XXX/.ssh/id_ecdsa ecdsa-sha2-nistp521 SHA256:ZZZ
[Info  - 07:22:34.973] Trying password authentication
[Error  - 07:24:04.926] Error resolving authority
Error: Timed out while waiting for handshake
	at Timeout.<anonymous> (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.10/out/extension.js:1:143509)
	at listOnTimeout (node:internal/timers:559:17)
	at process.processTimers (node:internal/timers:502:7)

@gothicVI gothicVI changed the title 2FA 2FA / ssh tunnel Sep 8, 2022
@gothicVI
Contributor Author

gothicVI commented Sep 8, 2022

I got it working. Here's how for anyone having the same issue:
My .ssh/config:

Host remote_behind_2FA_jumphost
    HostName REMOTE_IP
    User REMOTE_USER
    Port REMOTE_PORT
    ForwardAgent no
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PreferredAuthentications publickey
    ProxyJump jumphost

Host jumphost
    HostName JUMP_IP
    User JUMP_USER
    Port JUMP_PORT
    ForwardAgent yes

Establish an ssh-tunnel via

ssh -f remote_behind_2FA_jumphost -N -L localhost:9000:REMOTE_IP:22

Create a separate ssh config file for vscodium and point the extension to it containing:

Host remote_behind_2FA_jumphost
    HostName localhost
    User REMOTE_USER
    Port 9000
    ForwardAgent no
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PreferredAuthentications publickey

Connect. Be happy.
Sorry for the additional issue but maybe you want to document the two issues I submitted for all users to find them.
If you accept PRs I'd happily do that :)

@jeanp413
Owner

jeanp413 commented Sep 8, 2022

keyboard interactive is not implemented yet, I left it as a TODO as I've never used it before 😄, but I think it should be straightforward to do it here
Looking at the ssh library docs seems we just need to show an input box for the user to enter the required input (same as the password case)
Will take a look over the weekend or you can give it a try and do a PR 👍

@jeanp413 jeanp413 self-assigned this Sep 8, 2022
@jeanp413 jeanp413 added the enhancement New feature or request label Sep 8, 2022
@gothicVI
Contributor Author

gothicVI commented Sep 9, 2022

I have sadly zero experience with JS so I won't be able to give it a shot.
I'd though be willing to test/troubleshoot 😄

@jeanp413
Owner

@gothicVI released v0.0.11 handling keyboard interactive auth, could you test it 🙏

@lucasvbeek

@jeanp413 after updating to v0.0.11, and patching a small bug in ssh2, keyboard-interactive 2FA is working perfectly for me!

This patch was necessary because the partial success response was ignored when using agent authentication.
mscdex/ssh2#1215
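
The partial-success behaviour mentioned above, as an added example that is not from this thread, the extension or ssh2: a constructed model of the RFC 4252 exchange, where SSH_MSG_USERAUTH_FAILURE carries a list of methods that can continue and a partial-success flag. `makeServer`, `authenticate` and `honourPartialSuccess` are hypothetical names, and the stale method list is a simplified stand-in for "ignored", not a description of the actual ssh2 defect.

```javascript
// Constructed model (not ssh2 or extension code) of RFC 4252 multi-step auth.
// The server demands every method in `chain`, in order, like sshd's
// "AuthenticationMethods publickey,keyboard-interactive".
function makeServer(chain) {
  let stage = 0; // index of the next method the server will accept
  return {
    request(method, credentialOk) {
      const accepted = method === chain[stage] && credentialOk;
      if (accepted) stage += 1;
      if (stage === chain.length) return { type: 'SUCCESS' };
      // USERAUTH_FAILURE: which methods may continue, plus the partial-success flag.
      return { type: 'FAILURE', canContinue: [chain[stage]], partialSuccess: accepted };
    },
  };
}

// Hypothetical client. `credentials` maps method name -> whether the user's
// key / password / one-time code is valid (constructed sample input).
function authenticate(server, credentials, honourPartialSuccess) {
  const tried = ['none'];
  let reply = server.request('none', false); // probe for allowed methods
  let allowed = reply.canContinue || [];
  while (reply.type === 'FAILURE') {
    const next = allowed.find((m) => m in credentials && !tried.includes(m));
    if (next === undefined) return { ok: false, tried }; // nothing left to try
    tried.push(next);
    reply = server.request(next, credentials[next]);
    // A client that ignores partial success keeps its stale method list and
    // never learns that keyboard-interactive is now the method to use.
    if (reply.type === 'FAILURE' && (honourPartialSuccess || !reply.partialSuccess)) {
      allowed = reply.canContinue;
    }
  }
  return { ok: true, tried };
}

const chain = ['publickey', 'keyboard-interactive'];
const goodUser = { publickey: true, 'keyboard-interactive': true };
const wrongCode = { publickey: true, 'keyboard-interactive': false };

console.log(authenticate(makeServer(chain), goodUser, false)); // stops after publickey
console.log(authenticate(makeServer(chain), goodUser, true)); // completes both factors
console.log(authenticate(makeServer(chain), wrongCode, true)); // second factor still enforced
```

The third call shows that honouring partial success does not weaken the policy: a valid key followed by a wrong one-time code still ends in failure.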

@jeanp413
Owner

Good catch @lucasvbeek hope it gets merged 🤞 if not I think I'd look into forking the library and cherry-pick your PR 👍

@gothicVI
Contributor Author

@jeanp413 sorry for the late reply. I haven't found the time to test yet and with the missing fix to ssh2 I'll wait for a bit until I will.
Thanks so much for the effort though.

@gothicVI
Contributor Author

@jeanp413 I've tried v0.0.12 now but am getting the following error:

[Info  - 07:08:18.156] Resolving ssh remote authority 'ssh-remote+HOST' (attemp #1)
[Trace  - 07:08:18.170] Identity keys:
/home/XXX/.ssh/id_rsa ssh-rsa SHA256:YYY
[Info  - 07:08:18.208] Trying no-auth authentication
[Info  - 07:08:18.225] Trying publickey authentication: /home/XXX/.ssh/id_rsa ssh-rsa SHA256:YYY
[Error  - 07:08:18.248] Error resolving authority
Error: All configured authentication methods failed
	at _e (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:140273)
	at t.RemoteSSHResolver.sshAuthHandler (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:380356)
	at authHandler (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:374226)
	at ye (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:143146)
	at me (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:143330)
	at USERAUTH_FAILURE (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:132306)
	at 51 (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:283338)
	at e.exports.x (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:153888)
	at x.decrypt (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:246923)
	at e.exports.D [as _parse] (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:153412)
	at e.exports.parse (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:157215)
	at Socket.<anonymous> (/home/XXX/.vscode-oss/extensions/jeanp413.open-remote-ssh-0.0.12/out/extension.js:1:139013)
	at Socket.emit (node:events:526:28)
	at Socket.emit (node:domain:475:12)
	at addChunk (node:internal/streams/readable:315:12)
	at readableAddChunk (node:internal/streams/readable:289:9)
	at Readable.push (node:internal/streams/readable:228:10)
	at TCP.onStreamRead (node:internal/stream_base_commons:190:23)

where the config entry is

Host HOST
    HostName FQDN
    User XXX
    Port 22
    ForwardAgent yes
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PreferredAuthentications publickey,keyboard-interactive

which requires 2FA. Is this due to the bug mentioned by @lucasvbeek?

@jeanp413
Owner

yeah I'll fork the library and cherry-pick his commit as it's really small and not sure when it's gonna be merged upstream
