Multi-Factor Authentication

[mohammed90]

The x/crypto/ssh library has recently added support for MFA (see golang/go#61447 and CL 516355). Supporting MFA requires a refactor of the current authentication implementation, so retrofitting might be tricky.

Brainstorming is welcome.

[armadi1809]

Picking your brain on this to get the discussion started. Eventually, would we want the config to be able to look something like

{
  "apps": {
    "ssh": {
      "grace_period": "2s",
      "servers": {
        "srv0": {
          "address": "tcp/0.0.0.0:2000-2012",
          "pty": {
            "pty": "allow"
          },
          "configs": [
            {
              "config": {
                "loader": "provided",
                "no_client_auth": false,
                "authentication": {
                  "username_password": {
                    "providers": {
                      "static": {
                        "accounts": [
                          {
                            "name": "user1",
                            "password": "user1Pass"
                          }
                        ]
                      }
                    }
                  }, 
                  {
                    "mfa": [ {
                      "username_password": {
                        "providers": {
                          "static": {
                            "accounts": [
                              {
                                "name": "user2",
                                "password": "user2pass"
                              }
                            ]
                          }
                        }
                      }, 
                      "public_key": {
                        "providers": {
                          "os": {}
                        }
                      }
                    }]
                  }
                }
              }
            }
          ]
        }
      }
    }
  }
}

?
Essentially, We are saying in this case that user2 would require mfa with username_password followed by public_key to authenticate while still allowing user1 to authenticate with just the password. Is that overall direction here seems fine? If so, we can essentially use that mfa list to set up the new PartialSuccessError on the callbacks. so the order on that list would be the order of our auth flows.

[mohammed90]

Is that overall direction here seems fine?

Not really. MFA shouldn't be a separate configuration nor is it a different authentication provider. It's a multi-step authentication. I recommend you should first run the server, experiment with its config, the structure, and how the code loads and matches the respective authentication provider. Don't worry about changing the config structure as long as the final structure makes sense and is future-proof.

Ideally, the second factor is a TOTP. Check the TOTP PR for a sense of how TOTP is set up, what it requires, and think of how it could be retrofitted for MFA.