True 2FA/MFA over SSH2/SFTP via keyboard-interactive authentication and Google Authenticator
The technique explained in this article requires WebClient, as well as scripting and event-handling capabilities. Therefore, it can only be employed by customers who are running the Professional, Professional+WebClient, or Ultimate editions of our software.
Every good system administrator knows that the SSH2 protocol (and, therefore, all of its subsystems, including SFTP) features its own flavor of multi-phase authentication. But that is not what we're trying to accomplish with the technique explained in this knowledge base article.
What we're going to see is how to implement true 2FA/MFA via Google Authenticator (the same one you use to log into the web UIs) by taking advantage of SSH2's keyboard-interactive authentication, plus a little bit of scripting and event handling.
Before we begin we need to make sure the user(s) that we want to go through this type of 2FA/MFA have actually enrolled into Google Authenticator's 2FA via their WebClient!
First of all, we need to write a script that adds the questions we want the user to be asked the next time they try to log in. There are three possible types of question; the example script below shows all of them:
{
    // ask for the user's password
    Session.AddQuestionPassword(0, "Password:");
    // then ask for Google Authenticator's current OTP
    Session.AddQuestionTOTP(1, "Authentication OTP:");
    // finally, ask a question with a pre-fixed answer
    Session.AddQuestion(2, "Your age:", 42, true);
}
Now we need to associate the above script with one very specific event handler: OnAuthInteractiveSetQuestions.
We also have to make sure that Keyboard-interactive authentication is enabled for the user(s) that we want to be able to log in this way:
And that's pretty much it. Next time the user tries to authenticate and attempts keyboard-interactive authentication, this is what happens:
Questions answered correctly, user logged in. Yay!
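To make concrete what the server has to verify once the three answers come back, here is an added example in plain Python (not the product's script engine or its own verification code): a Google Authenticator compatible TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) with a one-step drift window, and a check that judges all three answers in the order the script above asks them. The secret, salt and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values, not real credentials: the RFC 6238 test secret in the
# base32 form Google Authenticator stores at enrollment, plus a throwaway password.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_SALT = b"constructed-salt"
SAMPLE_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SAMPLE_SALT, 100_000)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, 30 s steps, 6 digits: the Google Authenticator defaults."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, answer, unix_time, window=1):
    """Accept the current step or one adjacent step, so a phone clock a few
    seconds off still works; compare in constant time and never short-circuit."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * 30)
        ok |= hmac.compare_digest(expected.encode(), answer.strip().encode())
    return ok


def check_answers(answers, unix_time):
    """Judge the three answers in the order the article's script asks them:
    index 0 = password, index 1 = Authenticator OTP, index 2 = fixed answer "42".
    All three are evaluated before returning, so a failure reveals nothing about
    which factor was wrong."""
    if len(answers) != 3:
        return False
    given_hash = hashlib.pbkdf2_hmac("sha256", answers[0].encode(), SAMPLE_SALT, 100_000)
    password_ok = hmac.compare_digest(given_hash, SAMPLE_PASSWORD_HASH)
    otp_ok = verify_totp(SAMPLE_SECRET_B32, answers[1], unix_time)
    fixed_ok = hmac.compare_digest(answers[2].strip().encode(), b"42")
    return password_ok and otp_ok and fixed_ok
```

The codes for the sample secret at time 59 match the RFC 6238 test vectors, which is a quick way to confirm a TOTP implementation agrees with the authenticator app before wiring it into a login path.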