
authy-ssh's Introduction

Authy SSH

This library is no longer maintained by the Authy team. If you're interested in becoming the maintainer, we will gladly work with you to unarchive the project and re-open it for contributions. Contact [email protected] if interested!

For the legacy README, see this document.

authy-ssh's People

Contributors

beala, dcu, dimaulupov, dmuth, febuiles, jimrollenhagen, mobilemind, moshen, muff1nman, robinske, senekis, shaneog, simmel, strugee


authy-ssh's Issues

not pass through authy when user logged in via SSH publickey

I sshed to my test server with a public key, with Authy installed of course. But it still prompted me to input an Authy token. Public key authentication is more secure at least than password, right? So, maybe Authy should consider this: token required when the user logs in via password, pass through when using a public key. This is more convenient, IMHO.

The following is patched by me; if you test it in the run() function, then it can achieve what I said above. But there are still two problems to be solved. First, determine where SSH_LOGFILE is. If ssh was configured with SyslogFacility AUTH, then the file will be /var/log/auth.log. Second, the permission to read SSH_LOGFILE. Maybe we have to give the user high permission...

The approach used to determine whether the user logged in via password or public key just works; it is not that perfect. Discussion welcome.

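function ssh_via_publickey() {
    SSH_LOGFILE=/var/log/messages
    if [[ $SSH_CLIENT ]]
    then
        # SSH_CLIENT is "client_ip client_port server_port"
        local info=($SSH_CLIENT)
        local ip=${info[0]}
        local port=${info[1]}
        local user=$(whoami)

        # line matched looks like:
        # Aug 30 16:25:33 slackware sshd[1949]: Accepted publickey for USER from A.B.C.D port PORT ssh2
        # -q: only the exit status is needed, do not print the matched line
        if tail "$SSH_LOGFILE" | grep -q "publickey .* $user .* $ip .* $port"
        then
            return 0
        fi
    fi
    # not an SSH session, or no matching publickey line in the log:
    # report failure explicitly (a bare fall-through would return 0)
    return 1
}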

OneTouch

Will OneTouch be supported in authy-ssh?

Can port forward before entering authy token

If you do ssh -L 4000:google.com:80 user@remotehost -i key.pem you get prompted for the authy key but can access google.com on localhost:4000 before entering it.

Seems like an issue?

A way to make it not ask for a key when the client is known

I ssh into my webserver pretty often and I have authy set up on it. However, it is kind of annoying to have to continually input the key when I log out and back in for whatever reason. Is there a way that the script can be upgraded to only ask for a key when the user is unknown, or after they have been logged out for more than a few hours?

I love having two-factor, but I don't want to always have to input the key when I am the only (registered) user connecting.

Stop authy-ssh from preventing existing logon banner from showing

Since installing authy-ssh, I've noticed that the normal Ubuntu banner (which displays how many updates might be pending, and whether a reboot is necessary) no longer shows on logon. Why would authy-ssh prevent this from displaying, and is there a way to unwind this or display both authy-ssh's banner and the original Ubuntu one?

Multiple users under a single account

We are trying to add multiple users under a single account on our systems. This way we can remove a user from the team via the Authy portal. However, when I add two users, neither one seems to be able to authenticate when I run authy-ssh test:

[root@lbtest ~]# sudo /usr/local/bin/authy-ssh test
Authy Token (type 'sms' to request a SMS token): 3959280
Invalid token. try again
Authy Token (type 'sms' to request a SMS token): 3838127
Invalid token. try again
Authy Token (type 'sms' to request a SMS token): 4858444
Invalid token. try again

Am I doing something stupid here?

Cannot install even as root

I tried installing revision 36e726 as my regular unprivileged user and got this error:

$ ./authy-ssh install ~/.authy-ssh/
root permissions are required to run this command. try again using sudo

I shouldn't need root permissions to install something in my home directory, but I'll humor the installer:

$ sudo ./authy-ssh install ~/.authy-ssh
/Users/doug/.authy-ssh/authy-ssh is not writable. Try again using sudo

That's... odd.

In a fit of frustration I tried sudo bash -x ./authy-ssh install ~/.authy-ssh and got this output:

+ VERSION=1.2
+ AUTHY_URL=https://api.authy.com
++ dirname ./authy-ssh
+ APP_ROOT=.
+ CONFIG_FILE=./authy-ssh.conf
+ UPSTREAM_URL=https://raw.github.com/authy/authy-ssh/master/authy-ssh
+ READ_TIMEOUT=60
+ OK=0
+ FAIL=1
+ export TERM=xterm-256color
+ TERM=xterm-256color
++ tput sgr0
+ NORMAL=''
++ tput setaf 2
++ tput bold
+ GREEN=''
++ tput setaf 3
+ YELLOW=''
++ tput setaf 1
+ RED=''
+ require_curl
+ which curl
+ '[' 0 -eq 0 ']'
+ return 0
++ dirname ./authy-ssh
+ cd .
++ basename ./authy-ssh
+ COMMAND=/Users/doug/tmp/authy-ssh/authy-ssh
+ cd -
+ case $1 in
+ require_root
+ debug 'Checking if user is root'
+ [[ -n '' ]]
+ find_sshd_config
+ debug 'Trying to find sshd_config file'
+ [[ -n '' ]]
+ [[ -f /etc/sshd_config ]]
+ SSHD_CONFIG=/etc/sshd_config
+ [[ ! -w /etc/sshd_config ]]
+ install_authy ./authy-ssh /Users/doug/.authy-ssh
+ source=./authy-ssh
+ dest=/Users/doug/.authy-ssh/authy-ssh
+ [[ ! -n /Users/doug/.authy-ssh ]]
+ config_file=/Users/doug/.authy-ssh/authy-ssh.conf
++ dirname /Users/doug/.authy-ssh/authy-ssh
+ [[ ! -r /Users/doug/.authy-ssh ]]
+ red '/Users/doug/.authy-ssh/authy-ssh is not writable. Try again using sudo'
+ echo -e '/Users/doug/.authy-ssh/authy-ssh is not writable. Try again using sudo'
/Users/doug/.authy-ssh/authy-ssh is not writable. Try again using sudo
+ return 1

It seems like the required mkdir was skipped... or perhaps I did something wrong. Any ideas?

Thanks,

-- Doug

EC2 integration

Hello,

After having installed authy-ssh on an EC2 Ubuntu instance, it has become possible to log in with the root user directly.

The command "no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user "ubuntu" rather than the user "root"" of the authorized_keys file is no longer considered.

thanks in advance

Bertrand

convert to pam module?

There are several security issues with this implementation of token checking (#40 or #30).
Are there any plans to implement a pam module like google authenticator? I believe it is a more standard and less error prone way of implementing the authentication checking.

Token validation error in SSHd

My Debian server is suddenly denying access.
Running on the server is Fail2Ban and UFW (iptables) security. SSH is working fine, integration with Authy fails. The following message appears after sending the token to the SSH server:

Error running curl
Invalid token. try again

After uninstallation of Authy, the connections run fine again.
This happens on multiple servers at the same time.

Client token generation is still ok, I can login to Evernote using the same account and device. Must be some SSH/Debian/Security/Networking issue.

cannot set a user up on a vps

I'm trying to set this thing up on a DigitalOcean VPS, it installs and it creates the user, but when I try to authy-ssh test I get the following:

Cannot find authy id for root in /usr/local/bin/authy-ssh.conf
You have to enable it using 'authy-ssh enable'

And I checked the file and it is indeed empty; the user is not added there, only the API key, banner and default action are there.

UPDATE: I actually manually created a user in the Authy dashboard and added the user myself in the config file. Now it seems to be working :)

FreeBSD 8.3 Authy-SSH Install

Cannot get it to prompt for code after install. Got it to install just fine and enable a user. When logging in via SSH I get to the password, and after entering a password the window just closes.

authy-ssh test:

/usr/local/bin/authy-ssh: line 554: seq: command not found

FreeBSD 8.3 - PFSense

I got google-auth to work just fine.

Got it to work after modifying the install script

Delete users

Deleting users from the app doesn't delete them from the Unix system, so when the user logs in, Unix keeps asking him for the token and finally denies access.

It should add another validation so that when the user (authy_id) doesn't exist, it doesn't ask for the token.

The return message for that case is:

{"success":"false","message":"User doesn't exist.","errors":{"message":"User doesn't exist."}}

Authy circumvented when host disk is full

local-machine> ssh admin@devops
/home/admin/.authy-ssh/authy-ssh: line 55: cannot create temp file for here-document: No space left on device
/home/admin/.authy-ssh/authy-ssh: line 59: cannot create temp file for here-document: No space left on device
admin@devops:~$

When I would otherwise receive a prompt for 2FA from authy, I was able to login because the disk on the host machine was full.
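The session above ended at a shell prompt after the script's own errors, which is a fail-open. As an added example (not authy-ssh's code), a gate that denies unless the check explicitly reports success; the verifier functions and the "approved" marker are hypothetical stand-ins for the real token check.

```sh
#!/bin/sh
# Added example, not authy-ssh code. Fail-closed second-factor gate:
# access is granted only on an explicit positive answer. A crash, empty
# output, a missing helper or any other error leaves the default: deny.

# gate_login VERIFIER [ARGS...]
# VERIFIER is a hypothetical command that prints exactly "approved" and
# exits 0 when the token is valid. The body runs in a subshell, so its
# variables do not leak into the caller.
gate_login() (
    decision=deny
    if [ "$#" -gt 0 ] && out=$("$@" 2>/dev/null); then
        # Exit status 0 alone is not enough: require the marker as well.
        [ "$out" = "approved" ] && decision=allow
    fi
    [ "$decision" = "allow" ]
)

# Constructed verifiers standing in for the real token check.
verifier_ok()      { echo approved; }
verifier_rejects() { echo denied; return 1; }
verifier_silent()  { return 0; }   # exits 0 but never prints the marker
verifier_disk_full() {
    # Same class of failure as in the report: an internal step cannot
    # write its temp file, so no verdict is ever produced.
    echo "cannot create temp file: No space left on device" >&2
    return 1
}

# How a forced-command wrapper would use it (sketch, not run here):
#   gate_login verifier_for_this_user || exit 1
#   exec "${SHELL:-/bin/sh}" -l

for v in verifier_ok verifier_rejects verifier_silent verifier_disk_full no_such_cmd; do
    if gate_login "$v"; then echo "$v: allow"; else echo "$v: deny"; fi
done
```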

Issue with trying to use 'ssh-copy-id' to send public keys to an ssh server using authy-ssh

Whenever I try to add new public keys using ssh-copy-id for new remote clients to a server that uses authy-ssh, it will give me three immediately failed attempts to enter the authy generated token into the terminal, without giving me the possibility to check authy for a code and enter it. Is there a better way to send keys to an authy-hardened ssh server, do I need to disable authy temporarily, or are there some other options I should be using that I'm not aware of?

Cannot open SFTP

I am using Bitvise to access my ssh. But when I open sftp, it can't open. Any suggestions?

Unknown response

Hi there,

When trying to enable users using the following command, I'm getting an "Unknown response" error message:
$ sudo /usr/local/bin/authy-ssh enable `whoami` <your-email> <your-country-code> <your-cellphone>

I have also tried the manual way.

OS Version: CentOS 6.7 x64 and 6.9 x64

known security issues need to be documented

I was using authy-ssh on a gateway server in AWS, to talk to other machines that weren't accessible from the public internet, before I found out about #30. Allowing port forwarding without the second factor in my use case was the same as having no 2-fac auth at all. That's a pretty big deal, and if it can't be fixed, I'm surprised it's not documented in the README.

#40 might also be a big deal for a lot of use cases.
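For the port-forwarding behaviour described in this report and in the earlier "Can port forward before entering authy token" issue, an added example (not from the project) that audits an sshd_config relying on ForceCommand for the second factor and flags forwarding that sshd serves without going through the forced command. The sample configurations and the ForceCommand path are constructed, and the parser only reads the global section.

```sh
#!/bin/sh
# Added example, not part of authy-ssh.

# effective_value FILE KEYWORD DEFAULT
# Value sshd would take from the global section of FILE: keywords are
# case-insensitive and the first occurrence wins. Simplifications: only
# whitespace-separated "Keyword value" lines; stops at the first Match.
effective_value() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/                   { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_forwarding FILE
# Prints one finding per line; returns 0 only when nothing was found.
audit_forwarding() (
    [ "$(effective_value "$1" ForceCommand none)" = "none" ] && exit 0
    [ "$(effective_value "$1" DisableForwarding no)" = "yes" ] && exit 0
    findings=0
    for kw in AllowTcpForwarding AllowStreamLocalForwarding; do
        if [ "$(effective_value "$1" "$kw" yes)" != "no" ]; then
            echo "$kw: forwarding is available while ForceCommand is still prompting"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample configurations (the ForceCommand path is a placeholder).
sample_weak() {
    printf '%s\n' 'PasswordAuthentication no' \
                  'ForceCommand /path/to/second-factor-check'
}
sample_hardened() {
    # The trailing "yes" line is ignored by sshd: the first value wins.
    printf '%s\n' 'ForceCommand /path/to/second-factor-check' \
                  'AllowTcpForwarding no' \
                  'allowstreamlocalforwarding no' \
                  'AllowTcpForwarding yes'
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
sample_weak > "$tmp/weak"; sample_hardened > "$tmp/hardened"
audit_forwarding "$tmp/weak" || echo "weak sample: findings above"
audit_forwarding "$tmp/hardened" && echo "hardened sample: clean"
```

On a live host, feeding the output of `sshd -T` to the same check covers Match blocks and included files, which this parser skips.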

Shellslocker

Very interesting project!

Have a security question, have you had the "Shellslocker" in mind, or maybe this bug is already solved (don't know). Even with a patch, there are still a lot of servers out there without the patch and still with this vulnerability. Maybe a quick solution would be to patch the bug with the installation script.

Still, wonderful project!

Output login attempts to log

Hello!
I really like this script but would like to get a log of the login attempts so that I can forward this to fail2ban.

Would that be possible?

Authy API key

Where exactly is the API key?
I only see Account SID and Auth Token.

SFTP support

Authy-SSH doesn't seem to support SFTP yet. It would be nice if it didn't require two-factor auth for sftp connections until Authy supports this.

Right now I'm getting:

dan@galaxy ~> sftp api
Received message too long 1098216552

Unhelpful error when Twilio trial period ends

When my Twilio account trial period ended all SSH logins started failing with this misleading error:

Invalid token. try again

It's not helped by the lack of information on the Authy Dashboard regarding the linked Twilio account.
