Home / ubuntu / Questions / 1531248
Accepted
trolley
Asked: 2024-10-27 05:13:33 +0800 CST

SCP tab completion doen't work when two-factor auth is enabled for SSH

  • 772

I followed https://ubuntu.com/tutorials/configure-ssh-2fa to set up 2FA protection on SSH on my Ubuntu 22.04.5 system. I have only key-based authentication enabled, so this may be excessive, but it feels more secure that even if somehow my private key got loose it wouldn't be enough in its own.

I don't want to have to put in a TOTP code when connecting from a system on my LAN so my /etc/pam.d/sshd has this:

auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so

/etc/security/access-local.conf has:

+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL

This all works fine. I get prompted for a TOTP code when I'm outside of my LAN and not when on it.

My problem now is that tab-completion with scp no longer works. For example, on another system I try:

$ scp server:someth<TAB>

and something should autocomplete, assuming that file exists. This works fine when I don't have the PAM module enabled, but doesn't work when it is. Even in the case when I'm on my LAN and don't get prompted for the TOTP code it fails. When I press TAB I get messages like this in the server's /var/log/auth.log:

Oct 26 17:08:13 server sshd[1136620]: Connection closed by authenticating user user 192.168.1.182 port 53145 [preauth]
Oct 26 17:08:13 server sshd[1136732]: Connection closed by authenticating user user 192.168.1.182 port 53146 [preauth]

The messages always appear in pairs like this for each press of TAB.

Does anyone have any idea what, if anything, I can do to make this work?

pam

2 Answers

  1. For tab completion to work, ssh has to work without requiring interactive authentication.

    There are two ways to do this. The common way is to use an ssh key created with ssh-keygen and the public portion copied (with ssh-copy-id) to the authorized_keys file in your remote ssh configuration. Likely this can't work without bypassing or disabling 2fa and would defeat your goals.

    The other way is to use a shared ssh connection enabled with the ControlMaster option and tweaked with several other options. This effectively has you log in once with ssh, and all subsequent ssh connections use the original connection without needing reauthentication. All connections will be broken when the first ("master") connection is closed. Alternately, you can set a timeout with ControlPersist to limit how long the background connection stays open after the first has closed and the remaining connections are idle. (Or manually force it closed at any time...)

    Note, however, that with the ControlMaster option, all ssh connections are multiplexed through a single tcp socket, and share that bandwidth. So if you are otherwise relying on multiple tcp sockets to get greater bandwidth, you will need to bypass the master connection for those streams.

    • 1
  2. Best Answer

    @user10489's answer led me to the solution. My sshd_config had AuthenticationMethods publickey,keyboard-interactive and removing keyboard-interactive solved the problem, but also caused the PAM module to no longer be invoked to ask for the TOTP code.

    I modified it like this and had to move it to the bottom of my sshd_config, and now I don't get prompted for TOTP on my LAN but do off-LAN, and tab-completion works when on my LAN at least, which is really all I wanted:

    AuthenticationMethods publickey,keyboard-interactive

Match Address 192.168.1.*
    AuthenticationMethods publickey
    • 0