SSH with 2FA in Python Using Paramiko

Question

I'm trying to write a Python 3 script that will connect to a remote server via ssh and run a command, using the paramiko module.

The remote server uses Duo 2 factor authentication and prompts you to select an authentication mode when connecting using ssh:

$ ssh myuser@remoteserver.com
Duo two-factor login for myuser

Enter a passcode or select one of the following options:

 1. Duo Push to +XXX XX-XXX-1111
 2. Phone call to +XXX XX-XXX-1111
 3. SMS passcodes to +XXX XX-XXX-1111

Passcode or option (1-3): 1
Success. Logging you in...

When I use ssh in the terminal, I just press 1 and then Enter, get the push to my phone where I aprove the connection, and then I'm logged in.

I have not been able to do that in Python unfortunately. Here's the code I tried using:

import paramiko

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ssh.connect('remoteserver.com', port=22, username='myuser', password='mypassword')
stdin, stdout, stderr = ssh.exec_command('ls -l')
output = stdout.readlines()
print(output)

If I try the same code on a remote server without 2FA, it works as expected but with this server, I get an authenticatino error:

paramiko.ssh_exception.AuthenticationException: Authentication failed.

Any help would be greatly appreciated.

Answer 1

Having just finally solved this problem myself in one of my projects going to leave the code I used which allowed for this work.

The main takeaway is that paramiko does allow for this to be done in the transport and prompts list and in my case i was missing the publickey method in my two_factor_types

def _auth(self, username, password, pkey, *args):
    self.password = password
    saved_exception = None
    two_factor = False
    allowed_types = set()
    two_factor_types = {'keyboard-interactive', 'password', 'publickey'}

References:
Paramiko/Python: Keyboard interactive authentication
https://github.com/paramiko/paramiko/pull/467
https://github.com/paramiko/paramiko/pull/467/commits/dae916f7bd6723cee95891778baff51ef45532ee
http://docs.paramiko.org/en/stable/api/transport.html

I would recommend trying something along the lines of auth_interactive_dumb

auth_interactive_dumb(username, handler=None, submethods='')

Authenticate to the server interactively but dumber. Just print the prompt and / or instructions to stdout and send back the response. This is good for situations where partial auth is achieved by key and then the user has to enter a 2fac token.

---

For more full example see excerpt and link below

Full SSH CLient Class for reference :

class SSHClient(paramiko.SSHClient):
    duo_auth = False

    def handler(self, title, instructions, prompt_list):
        answers = []
        global duo_auth

        if title.startswith('Duo two-factor login'):
            duo_auth = True
            raise SSHException("Expecting one field only.")

        for prompt_, _ in prompt_list:
            prompt = prompt_.strip().lower()
            if prompt.startswith('password'):
                answers.append(self.password)
            elif prompt.startswith('verification'):
                answers.append(self.totp)
            elif prompt.startswith('passcode'):
                answers.append(self.totp)
            else:
                raise ValueError('Unknown prompt: {}'.format(prompt_))
        return answers

    def auth_interactive(self, username, handler):
        if not self.totp:
            raise ValueError('Need a verification code for 2fa.')
        self._transport.auth_interactive(username, handler)

    def _auth(self, username, password, pkey, *args):
        self.password = password
        saved_exception = None
        two_factor = False
        allowed_types = set()
        two_factor_types = {'keyboard-interactive', 'password', 'publickey'}

        agent = paramiko.Agent()
        try:
            agent_keys = agent.get_keys()
            # if len(agent_keys) == 0:
            # return
        except:
            pass

        for key in agent_keys:
            logging.info("Trying ssh-agent key %s" % hexlify(key.get_fingerprint()))
            try:
                self._transport.auth_publickey(username, key)
                logging.info("... success!")
                return
            except paramiko.SSHException as e:
                logging.info("... nope.")
                saved_exception = e

        if pkey is not None:
            logging.info('Trying publickey authentication')
            try:
                allowed_types = set(
                    self._transport.auth_publickey(username, pkey)
                )
                two_factor = allowed_types & two_factor_types
                if not two_factor:
                    return
            except paramiko.SSHException as e:
                saved_exception = e

        if duo_auth or two_factor:
            logging.info('Trying 2fa interactive auth')
            return self.auth_interactive(username, self.handler)

        if password is not None:
            logging.info('Trying password authentication')
            try:
                self._transport.auth_password(username, password)
                return
            except paramiko.SSHException as e:
                saved_exception = e
                allowed_types = set(getattr(e, 'allowed_types', []))
                two_factor = allowed_types & two_factor_types

        assert saved_exception is not None
        raise saved_exception