SSH Tunnel – Save Settings with Multi-Factor Authentication in PuTTY or mRemoteNG


Our company manages hundreds of Linux servers, which it would be nice to keep organized in a tool like mRemoteNG.

The problem is, all our servers are inside a private network that can only be connected through a gateway server. We use SSH tunneling for this.

There are a few tools out there that offer saving a tunnel profile before connecting to a server, but our gateway server has a two-factor authentication check (SSH keyboard-interactive authentication) which most tools seem to get blocked by.

Is there a way to set up PuTTY or any other tool to recognize the 2-FA on the tunnel so I can confirm the verification code before moving on?

I know this is possible because WinSCP does it on its SSH File Transfer Protocol (SFTP) connections:

[image: WinSCP authentication process]

Best Answer

I can see three options (with PuTTY).


Two profiles

A (probably obvious) simple solution (though not a very user-friendly one) is to create two profiles in PuTTY.

  1. Tunnel profile, which opens a connection to the intermediate servers and forwards a local port to the target server.
  2. Profile that connects to the forwarded port.

Use WinSCP

As you are already using WinSCP, you can use it as a connection manager for PuTTY.

Once you are connected to the target server with WinSCP (which forwards the port behind the scenes), just use the "Open in PuTTY" command to open a PuTTY connection to the target server via the tunnel opened by WinSCP.

(For tunneled connections, you unfortunately cannot use "Open in PuTTY" straight off the Login dialog.)


Local proxy command with GUI authentication

In PuTTY, you can create a profile with tunneling using a "local proxy command". In that command, you can use the plink tool (from the PuTTY package) to create a tunnel using the -nc switch.

Normally the proxy command cannot have any UI (as it's a hidden console application), so public key authentication (which has no prompts) is needed. But as you quite often need some GUI for the authentication, there are clones of Plink that do the authentication with a GUI. Those are commonly used with versioning software (like Git, SVN, CVS), which internally uses those Plink clones as an SSH transport.

For example, you can take TortoisePlink.exe from the TortoiseSVN project to create a proxy command like:

C:\\path\\TortoisePlink.exe %user@%proxyhost -nc %host:%port

(note the double backslashes in the path)


The above will grant you an experience like this:

[image]
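
The "Two profiles" option from the answer, scripted end to end, as an added example that is not part of the original answer: Plink opens the tunnel in a visible console so the verification code can be typed, and PuTTY starts once the forwarded port is up. The host names, user name and port are placeholders, and `plink.exe` and `putty.exe` are assumed to be on `PATH`.

```powershell
# Added example. All names and the port below are hypothetical placeholders.
$Gateway   = 'gateway.example.com'   # gateway that asks for the verification code
$Target    = 'target.internal'       # server reachable only through the gateway
$User      = 'alice'
$LocalPort = 2222                    # local end of the forwarded port

# Refuse to continue if something else already listens on the local port;
# otherwise PuTTY would talk to that listener instead of the tunnel.
if (Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $LocalPort is already in use."
}

# 1. Tunnel profile: Plink in its own console window, so the
#    keyboard-interactive prompt can be answered.
#    -N = no remote shell, -L = forward 127.0.0.1:port to target:22.
$tunnel = Start-Process -FilePath 'plink.exe' -PassThru -ArgumentList @(
    '-ssh', '-N', '-L', "127.0.0.1:${LocalPort}:${Target}:22", "$User@$Gateway")

# 2. Plink starts listening only after authentication succeeds, so poll the port.
$deadline = (Get-Date).AddSeconds(120)
$ready = $false
while (-not $ready -and -not $tunnel.HasExited -and (Get-Date) -lt $deadline) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect('127.0.0.1', $LocalPort); $ready = $true }
    catch   { Start-Sleep -Milliseconds 500 }
    finally { $client.Dispose() }
}
if (-not $ready) {
    if (-not $tunnel.HasExited) { Stop-Process -Id $tunnel.Id }
    throw "Tunnel on 127.0.0.1:$LocalPort did not come up."
}

# 3. Second profile: PuTTY to the forwarded port. -loghost makes PuTTY check
#    and cache the host key under the target's name instead of 127.0.0.1.
Start-Process -FilePath 'putty.exe' -Wait -ArgumentList @(
    '-ssh', '-P', "$LocalPort", '-loghost', $Target, "$User@127.0.0.1")

# 4. Close the tunnel when the PuTTY session ends.
if (-not $tunnel.HasExited) { Stop-Process -Id $tunnel.Id }
```

Without `-loghost`, every server reached through the same local port shares one cached host key entry, so PuTTY either warns about a changed key on each new target or the warning gets ignored out of habit.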
