Add support for 2FA OTP prompts from libpam-google-authenticator
Added support for the `libpam-google-authenticator` module's default prompt. This module can be used on SSH servers to provide two-factor authentication without a hardware module. Example configuration & usage
The current `ksshaskpass` behaviour when logging in to a server with this module configured is to log a failed prompt match warning to the console, and pop up a password entry box with a "save to wallet" checkbox, which is not desired for single-use 2FA codes.
This PR adds a match for the default `Verification code:` prompt, thus preventing the warning, and uses a QInputDialog to allow cleartext entry of the OTP token without an option to save to the wallet.
Note that I have not included a begin line (`^`) character in the prompt regex, to support cases where the `openssh` client is configured to prefix PAM authentication prompts from a remote server with connection identification, in the format `(username@server) Prompt:`. This can be seen in the above image.
Let me know if there is any issue with this implementation; I am happy to improve it.
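The prompt matching described in this PR, sketched as an added example in standard C++ (not the PR's code or ksshaskpass's own). The regexes, the right-hand `$` anchor, and the names `classify` and `maySaveToWallet` are assumptions made for illustration; it shows why a left-anchored pattern misses the prefixed prompt and keeps one-time codes out of wallet storage.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Kinds of prompt an askpass helper has to tell apart (names are hypothetical).
enum class PromptKind { OneTimeCode, Password, Unknown };

// Unanchored on the left so a "(user@host) " prefix added by the OpenSSH
// client still matches; anchored on the right so the phrase must end the prompt.
static const std::regex kOtpPrompt(R"(Verification code:\s*$)");
// Left-anchored variant, present only to demonstrate what the prefix breaks.
static const std::regex kOtpPromptAnchored(R"(^Verification code:\s*$)");
// Assumed password prompt shape for this example.
static const std::regex kPasswordPrompt(R"([Pp]assword:\s*$)");

PromptKind classify(const std::string &prompt, bool anchored = false) {
    if (std::regex_search(prompt, anchored ? kOtpPromptAnchored : kOtpPrompt))
        return PromptKind::OneTimeCode;
    if (std::regex_search(prompt, kPasswordPrompt))
        return PromptKind::Password;
    return PromptKind::Unknown;
}

// A one-time code is worthless after first use, so it is never offered for storage.
bool maySaveToWallet(PromptKind kind) { return kind == PromptKind::Password; }

int main() {
    // Constructed sample prompts.
    const std::string samples[] = {
        "Verification code: ",
        "(alice@server.example) Verification code: ",
        "(alice@server.example) Password: ",
        "Enter PIN: ",
    };
    for (const auto &p : samples) {
        PromptKind k = classify(p);
        const char *name = k == PromptKind::OneTimeCode ? "otp"
                         : k == PromptKind::Password    ? "password" : "unknown";
        std::cout << '"' << p << "\" -> " << name << ", save allowed: "
                  << std::boolalpha << maySaveToWallet(k) << '\n';
    }
    return 0;
}
```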