Using Two-Factor Authentication (2FA) with IPWorks SSH

SSH servers may be configured to require TOTP- or HOTP-based two-factor authentication using libraries like libpam-google-authenticator. In that case, when connecting, a user will be prompted to enter the one-time code in addition to the standard credentials.

The IPWorks SSH Sftp component, when used in conjunction with the IPWorks Auth HOTP or TOTP components, allows for two-factor authentication. Within the keyboard-interactive event of the SSH components, the HOTP or TOTP component from IPWorks Auth can be used to retrieve the one-time code.

Authentication Settings

After creating the component instance, set the SSHAuthMode property to keyboard-interactive. For instance:

    // Maintain this reference.
    Sftp sftp1 = new Sftp();

    // Set the authentication mode
    sftp1.SSHAuthMode = nsoftware.IPWorksSSH.SftpSSHAuthModes.amKeyboardInteractive;

Getting the One Time Code

During authentication the server will prompt the user for input. When this happens the SSHKeyboardInteractive event will fire. From within this event the Prompt parameter can be inspected to determine the information requested by the server, and the response is sent back by setting the Response parameter. Within this event the HOTP and TOTP components can be used to retrieve the one-time code necessary for authentication. For instance:

    private void sftp1_OnSSHKeyboardInteractive(object sender, SftpSSHKeyboardInteractiveEventArgs e)
    {
        // Answer each server prompt according to its text.
        switch (e.Prompt.Trim())
        {
            case "Password:":
                e.Response = "secret";
                break;
            case "Verification code:":
                if (authType == TOTP)
                {
                    // Time-based code: the time step must match the server's setting.
                    IPWorksAuth.Totp totp = new IPWorksAuth.Totp();
                    totp.Secret = frmLogin.tbSecret.Text;
                    totp.TimeStep = 30;
                    totp.CreatePassword();
                    e.Response = totp.Password;
                }
                else
                {
                    // Counter-based code: the counter must match the server's current counter.
                    IPWorksAuth.Hotp hotp = new IPWorksAuth.Hotp();
                    hotp.Secret = frmLogin.tbSecret.Text;
                    hotp.Counter = 1;
                    hotp.CreatePassword();
                    e.Response = hotp.Password;
                }
                break;
        }
    }
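To see why the Counter and TimeStep values in the handler have to agree with the server, the following added example (not part of the original article and not IPWorks code) implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) calculations with only the .NET base class library. The class and method names are hypothetical, and the secret is a constructed sample: the RFC 4226 test key in base32.

```csharp
using System;
using System.Security.Cryptography;

static class OtpDemo   // hypothetical name; added example, not IPWorks code
{
    // Decode an RFC 4648 base32 secret (the form google-authenticator displays).
    static byte[] Base32Decode(string s)
    {
        const string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        s = s.Replace(" ", "").TrimEnd('=').ToUpperInvariant();
        var output = new byte[s.Length * 5 / 8];
        int buffer = 0, bits = 0, index = 0;
        foreach (char c in s)
        {
            int value = alphabet.IndexOf(c);
            if (value < 0) throw new FormatException("Invalid base32 character: " + c);
            buffer = (buffer << 5) | value;
            bits += 5;
            if (bits < 8) continue;
            bits -= 8;
            output[index++] = (byte)(buffer >> bits);
            buffer &= (1 << bits) - 1;   // keep only the bits not yet emitted
        }
        return output;
    }
    // RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    static string Hotp(byte[] key, long counter, int digits = 6)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);
        using (var hmac = new HMACSHA1(key))
        {
            byte[] h = hmac.ComputeHash(msg);
            int o = h[h.Length - 1] & 0x0F;
            int bin = ((h[o] & 0x7F) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3];
            return (bin % (int)Math.Pow(10, digits)).ToString().PadLeft(digits, '0');
        }
    }
    // RFC 6238: TOTP is HOTP with counter = floor(unix time / time step).
    static string Totp(byte[] key, DateTimeOffset now, int timeStep = 30) => Hotp(key, now.ToUnixTimeSeconds() / timeStep);
    static void Main()
    {
        // Constructed secret: the RFC 4226 test key "12345678901234567890" in base32.
        byte[] key = Base32Decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ");
        for (long c = 0; c < 3; c++) Console.WriteLine("HOTP counter {0}: {1}", c, Hotp(key, c));
        Console.WriteLine("HOTP counter 1 again: " + Hotp(key, 1));   // same counter, same code
        Console.WriteLine("TOTP now: " + Totp(key, DateTimeOffset.UtcNow));
    }
}
```

Because an HOTP server advances its counter after each accepted code, a client that always sends the code for a fixed counter will only authenticate while the server is still at that value; the client's counter has to be stored and incremented between logins.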
