Using Two-Factor Authentication (2FA) with IPWorks SSH

SSH servers may be configured to require TOTP or HOTP based two-factor authentication using libraries like libpam-google-authenticator. In that case when connecting a user will be prompted to enter the one time code in addition to the standard credentials.

The IPWorks SSH SFTPClient component, when used in conjunction with IPWorks Auth OTP component, allows for two-factor authentication. Within the keyboard-interactive event of the SSH components, the OTP component from IPWorks Auth can be used to retrieve the one time code.

Authentication Settings

After creating the component instance set the SSHAuthMode property to keyboard-interactive. For instance:


// Maintain this reference.
SFTPClient sftp1 = new SFTPClient();
// Set authorization mode
sftp1.SSHAuthMode = nsoftware.IPWorksSSH.SFTPClientSSHAuthModes.amKeyboardInteractive;

Getting the One Time Code

During authentication the server will prompt the user for authentication. When this happens the SSHKeyboardInteractive event will fire. From within this event the Prompt parameter can be inspected to determine the information requested by the server, and the response is sent back by setting the Response parameter. Within this event the HOTP and TOTP algorithms can be used to retrieve the one time code necessary for authentication. For instance:


private void sftp1_OnSSHKeyboardInteractive(object sender, SFTPClientSSHKeyboardInteractiveEventArgs e)
{
    switch (e.Prompt.Trim())
    {
        case "Password:":
            e.Response = "secret";
            break;

        case "Verification code:":
            if (authType == TOTP)
            { 
                IPWorksAuth.OTP totp = new IPWorksAuth.OTP();
                totp.PasswordAlgorithm = OTPPasswordAlgorithms.paTOTP; //default
                totp.Secret = frmLogin.tbSecret.Text;
                totp.TimeStep = 30;
                totp.CreatePassword();
                e.Response = totp.Password;
            } else
            { 
                IPWorksAuth.OTP hotp = new IPWorksAuth.OTP();
                hotp.PasswordAlgorithm = OTPPasswordAlgorithms.paHOTP;
                hotp.Secret = frmLogin.tbSecret.Text;
                hotp.Counter = 1;
                hotp.CreatePassword();
                e.Response =hotp.Password;
            }               
            break;
    }
}

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.