Ssh – Work around two-factor SSH auth with Master connection and port forwarding

Tags: ssh, ssh-tunneling

The problem 1.0

I'm working on a server that only supports two-factor auth (keypair auth is disabled). So every time my SFTP client wants to upload a file, it asks me for a token… after 3 minutes that becomes a not_very_nice UX.

The solution 1.0

So I learned about SSH multiplexing and now I can open one master connection manually (from the terminal), and all other ssh connections can be multiplexed on top, like so:

$ ssh example_com_master
Verification code: (/me enters the token code)
Password: (/me enters my pass)
Welcome to Ubuntu 14.04 blah blah....
Last login: Wed Oct  1 11:24:15 2014 from 12.34.56.78
$

Then, from another terminal, or by another piece of software:

$ ssh my.example.com
Last login: Wed Oct  1 16:34:45 2014 from 12.34.56.78
$ 

So, mission accomplished, no more entering 2FA token. And no password, for that matter, SSH FTW!

~/.ssh/config:

Host example_com_master
  HostName my.example.com
  User username
  PubkeyAuthentication no
  ControlMaster yes
  ControlPath ~/.ssh/sockets/example_com
  ControlPersist 10

Host my.example.com
  HostName my.example.com
  User username
  PubkeyAuthentication no
  ControlMaster no
  ControlPath ~/.ssh/sockets/example_com

Problem 2.0 (TLDR)

Some software (e.g. the PyCharm IDE) uses its own SSH library / binary / whatever!
Meaning that nothing I type in ~/.ssh/config will affect it, AFAIK.

That's my current problem: is there a way to "trick" such software into using an already existing master connection?


An idea: because you can usually configure software to use a different port to connect to, I was wondering if it might be possible to set up some kind of tunneling that will multiplex incoming connections onto existing master. But my foo has failed me…

edit:

Main purpose is to connect to remote Python interpreter/debugger.

edit 2:

All the ports are closed other than 22 and 80. It is, however, possible to do:

remote$ ssh -p 2222 localhost
(password or securekey login, both work)
remote$ 

but 2222 is only open for connections from localhost, and admins won't open any additional ports, saying "anyone could use it".
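A small checker for the ControlMaster pair above, added here as an example (not part of the question or answer, and written in Python rather than shell for the parsing): it reads ssh_config text, pairs the master and client aliases, and flags the things that matter when a control socket stands in for a 2FA login. The sample config is the question's own two Host blocks trimmed to the multiplexing keywords; the `socket_dir_mode` argument is an assumed input (the permission bits of the ControlPath directory).

```python
"""Added example (not from the question or answer): sanity-check the ControlMaster
pair from the question. The control socket is what lets later sessions skip the 2FA
prompt, so the checks target the socket directory and the master's lifetime."""

# Constructed sample: the question's two Host blocks, trimmed to the relevant keywords.
SAMPLE_CONFIG = """\
Host example_com_master
  ControlMaster yes
  ControlPath ~/.ssh/sockets/example_com
  ControlPersist 10

Host my.example.com
  ControlMaster no
  ControlPath ~/.ssh/sockets/example_com
"""

def parse_ssh_config(text):
    """Return {alias: {keyword_lower: value}} for each Host block ("Key value" form)."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current[key.lower()] = value.strip()
    return hosts

def check_multiplexing(hosts, master_alias, client_alias, socket_dir_mode):
    """Return findings for the master/client pair; [] means the pair looks sound.
    socket_dir_mode is the permission bits of the ControlPath directory (assumed input)."""
    master, client = hosts[master_alias], hosts[client_alias]
    findings = []
    if master.get("controlpath") != client.get("controlpath"):
        findings.append("ControlPath differs: client will open its own connection")
    if master.get("controlmaster", "no").lower() not in ("yes", "auto", "ask", "autoask"):
        findings.append("master alias lacks ControlMaster yes/auto")
    if client.get("controlmaster", "no").lower() != "no":
        findings.append("client alias must set ControlMaster no")
    persist = master.get("controlpersist", "no").lower()
    if persist == "no":
        findings.append("no ControlPersist: master lifetime is tied to the initial session")
    elif persist == "yes":
        findings.append("ControlPersist yes keeps the 2FA-authenticated master open indefinitely")
    if socket_dir_mode & 0o077:
        findings.append("socket directory is group/world accessible; keep it 0700")
    return findings
```

Feed it the real file and `os.stat` of the socket directory to check a live setup; the bounded `ControlPersist 10` from the question passes, while `ControlPersist yes` is flagged.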

Best Answer

Quite an interesting problem you've got.

The real solution would be to ask your sysadmin for help first.

If that's not an option, the next best thing is to have pyCharm's libssh or whatever it uses (I did some googling and couldn't figure it out) parse your `~/.ssh/config'.

If that's not possible, you might be able to run your own ssh daemon on the remote host listening on the loopback address and connect to it with a local forward.

To set up an unprivileged ssh daemon (copied from a link on the SF answer):

  $ pwd
  /home/<USER>
  $ mkdir -p etc var/run
  $ cp /etc/ssh/sshd_config etc
  $ vi etc/sshd_config
  [Set `Port 2230']
  [Set `HostKey /home/<USER>/etc/ssh_host_rsa_key']
  [Set `UsePrivilegeSeparation no']
  [Set `PidFile /home/<USER>/var/run/sshd.pid']
  [:wq!]
  $ ssh-keygen -t rsa -f /home/<USER>/etc/ssh_host_rsa_key -N ''
  Generating public/private rsa key pair.
  Your identification has been saved in /home/<USER>/etc/ssh_host_rsa_key.
  Your public key has been saved in /home/<USER>/etc/ssh_host_rsa_key.pub.
  The key fingerprint is:
  02:5d:02:5d:e8:2e:c6:b9:4c:d9:93:6c:13:ef:5d:61 hein@vmbert2k8
  $ /usr/sbin/sshd -f /home/<USER>/etc/sshd_config -D

Now forward a local port to it (you will be logging in with 2fa here):

 ssh -L 2230:localhost:2230 example_com_master

And direct pyCharm to localhost:2230. You can also set up keypair auth on your custom sshd.

Note that this is a long shot, and your sysadmin may not appreciate it.

There's a big chance that pyCharm already uses OpenSSH for its ssh implementation. If that's so, adding multiplexing support to pyCharm would be way easier than the workaround I've proposed.
