duosecurity/duo_unix

Unable to log in with 2FA hw token

Haarolean opened this issue · 2 comments

Summary

It's impossible to log in if the only available way for 2FA is a U2F hw token.
I have no mobile phone (Duo app) set up, just a U2F token, and logging in via ssh asked for some passcode.

haarolean@haarolean-laptop:[~]$ ssh xxx@yyy
Password:
Duo two-factor login for zabaluev-ra

Enter a passcode or select one of the following options:

Passcode: ccccccknbjfceihdlrhvdcieuikkfduvjtbirdfrtihc
Incorrect passcode. Please try again.

How it looks if there's an app active:

haarolean@haarolean-laptop:[~]$ ssh xxx@yyy
Password:
Duo two-factor login for zabaluev-ra

Enter a passcode or select one of the following options:

 1. Duo Push to +X XXX XXX-X1-24
 2. Phone call to +X XXX XXX-X1-24
 3. SMS passcodes to +X XXX XXX-X1-24

Passcode or option (1-3):

So,

  1. It's impossible to log in via a U2F token
  2. The output is ambiguous

There are certainly PAM modules out there which support this kind of auth, like yubikey pam. Is it possible to adapt such a thing? Otherwise, a U2F token just for the web is just useless.

Steps to reproduce

  1. Enable Duo with a U2F token.
  2. Try to SSH.

Specs

  • Amazon Linux 2 AMI
  • x86_64
  • pam_duo

Thanks for the issue.
To hopefully clear up the output: "passcode" refers to a passcode that is generated in Duo Mobile.
Unfortunately, Duo Unix does not currently have U2F support. Duo Unix uses our Auth API endpoints, which do not have U2F support either. Please make a feature request to request Duo Unix with U2F support.

HW token support in the Auth API is not planned by Duo at this time.