SSH Tunneling with RSA SecurID

[RFOAP]

I don't see this in the Google group anywhere, so maybe it's not come
up ... but I would like to use an SSH host that gives me a prompt for
my RSA SecurID. I read that Sequel Pro uses OS X's ssh program, and
so I tried connecting via terminal to my SSH host, and of course was
prompted for my RSA SecurID. This request for my RSA SecurID does not
come through in Sequel Pro, as far as I can tell.

Anyone know of a solution?

[Jakob Egger]

Dear rfoap,

I have never used one of one-time-password generators, but I googled a bit. As far as as I understand, your "RSA SecurID" should take the place of your SSH password. So just enter your "RSA SecurID" into the "SSH Password" field.

(I assume that "RSA SecurID" is your pin code + the number on your little device)

Please let us know if this works for you.

Best Regards,
Jakob Egger

> --
> You received this message because you are subscribed to the Google Groups "Sequel Pro" group.
> To post to this group, send email to seque...@googlegroups.com.
> To unsubscribe from this group, send email to sequel-pro+...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/sequel-pro?hl=en.
>

[Rowan Beentje]

Hi RFOAP,

I don't know anyone who has an RSA SecurID hooked up to SSH - what's the normal setup? Is there an additional prompt *after* the password prompt, or is it handled by the standard "password" prompt? If the latter, as Jakob said, you may just have to enter it in the password box, although that isn't ideal in this case.

Sequel Pro does use the OS X ssh app, and lets that app handle any public/private keys - but if the ssh app is asking for an additional password, we may not currently be handling that. If it fails, can you view the detail log (which is essentially the SSH transcript), and email it to me (anonymised as necessary)?

Depending on exactly how this happens, it may be easy to support or very hard, but I'd love to add support.

Yours,
Rowan

[RFOAP]

Jakob,

I have tried as you requested, however, I still receive the same
response. For reference, another DB clients I use (Navicat Oracle,
for example), prompts me with the "challenge" question the RSA server
requires while trying to connect via SSH. I suspect that this
"challenge" question is not being handled by Sequel Pro and thereby
not being presented to the user. I could, of course, be completely
wrong regarding how this "challenge" question is handled. I do know
that in all other instances, I supply a username only (no password)
and the app I'm using (being it Navicat, Transmit, etc) prompts me
with the RSA "challenge" question, in this case my pin + RSA SecurID
code.

[RFOAP]

Rowan,

Utilizing the default password field for the RSA SecurID (pin + code)
does not work. You are very correct in asking about a prompt *after*
the password prompt. In these situations, no password is entered
while connecting ... rather, the SSH host "challenges" me with a
prompt requesting my RSA SecurID (pin + code).

My initial guess was that Sequel Pro is not handling these prompts,
but I wanted to hear from the group before making this assumption. I
am currently not at a computer that I can get the SSH transcript, but
I will post it in a few hours. As you mentioned, it could be easy or
hard ... but I am hoping for the former! Thanks for your help, I'll
have more in a few hours.

Ryan

[Rowan Beentje]

We do actually already have support for asking the user questions and capturing their answers, back from when we were handling public/private key challenges ourselves. The only question is whether Sequel Pro is asked the question and it's currently just not picked up, or whether it's passed to the SSH_AGENT/SSH_AUTH_SOCK handlers (which we'd probably want to leave to the user setting, and so would be a right pain).

I suspect, and hope, the former - but we'll see. Look forward to the transcript!

--Rowan

[RFOAP]

Rowan,

Here is the SSH transcript:

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /Users/xxxxx/.ssh/identity type -1
debug1: identity file /Users/xxxxx/.ssh/id_rsa type -1
debug1: identity file /Users/xxxxx/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.
debug1: Found key in /Users/xxxxx/.ssh/known_hosts:17
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-
mic,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/xxxxx/.ssh/identity
debug1: Trying private key: /Users/xxxxx/.ssh/id_rsa
debug1: Trying private key: /Users/xxxxx/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: permanently_drop_suid: 503
debug1: Authentications that can continue: publickey,gssapi-with-
mic,keyboard-interactive
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: permanently_drop_suid: 503
debug1: Authentications that can continue: publickey,gssapi-with-
mic,keyboard-interactive
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: permanently_drop_suid: 503
debug1: Authentications that can continue: publickey,gssapi-with-
mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).

I don't know well enough to say what is happening, so I hope you (or
the group) is able to decipher this log. Let me know if I need to
test anything, and thanks again for your help!

Ryan

[Rowan Beentje]

Hmm. Nothing jumps out as being enormously helpful to me - I'm going to take this off-list for a while, but will update the list on progress later.

[Jakob Egger]

Dear RFOAP, dear Rowan,

I think I know what the problem is:

SequelProTunnelAssistant, the utility we use to present questions from SSH to the user, only looks for specific prompts. We look for yes/no questions (necessary when first connecting to a server), we accept questions which contain something like "password:", and we accept requests for passphrases for keys (actually no longer necessary, since MacOS handles that now).
We don't accept arbitrary questions. My guess is that the prompt you get doesn't contain the word password, but is rather something along the lines of "Please enter Secure ID:"

I believe I know how to fix this: we'll just have to accept arbitrary questions. I'll look into it this afternoon.

Best Regards,

Jakob Egger

On Mar 16, 2010, at 6:20 PM, RFOAP wrote:

> Rowan,
>
> Here is the SSH transcript:
>

> <snip>

[Jakob E]

For everyone else who might be following the discussion, Build 1960
now correctly ask for the RSA-SecurID.