Access to SSH Servers via Luminate Secure Access Cloud (TM) with Keyboard Interactive Authentication
Luminate Secure Access Cloud (TM) provides Zero Trust access to Unix, Windows and additional servers using the SSH protocol. The procedure for configuring SSH access is described here, and involves creating a trust between Luminate and the server by deploying a public CA certificate, as described here.
When SSH servers are accessed using the above methods, the authentication process is managed automatically by Luminate Secure Access Cloud (TM), which eliminates the need to remember (and manage) passwords or to manage SSH keys.
In some cases there might be a requirement to allow interactive authentication with the target server, either in addition to "transparent" public key authentication or as a replacement for it. The following sample use cases may require it:
The SSH server does not support public key authentication, or its configuration cannot be modified to enable this functionality
For some reason the users prefer using interactive passwords or tokens, rather than relying on the PKI service provided by Luminate Secure Access Cloud (TM)
Schematically, connections to SSH servers with Keyboard Interactive authentication work as follows:
1. The SSH Client connects to Luminate, authenticating either via One-Time Token or Luminate SSH Key
2. Luminate attempts to connect to the SSH Server on behalf of the connecting user
3. The server either doesn't allow authentication using the ephemeral key issued by Luminate PKI or returns a "partial" authentication response, requiring an additional interactive factor
4. A partial authentication prompt is returned to the SSH Client (since the authentication to Luminate has succeeded, but the authentication to the server has not)
5. The SSH Client provides Luminate with the input for the interactive authentication (password, token or anything else)
6. Luminate provides the user's input to the SSH Server for interactive authentication. This input gets evaluated and the authentication either succeeds or fails.
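Steps 3 and 4 depend on how the server answers the key attempt: in the SSH authentication protocol (RFC 4252) that answer is an SSH_MSG_USERAUTH_FAILURE message carrying the methods that can continue and a partial-success flag. The following added example is not Luminate's code; it parses that message and separates the two cases from step 3. The function names and the decision strings are hypothetical, and the payloads are constructed by the helper for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number from RFC 4252, section 5.1
INTERACTIVE = {"keyboard-interactive", "password"}


def build_userauth_failure(methods, partial_success):
    """Encode a constructed SSH_MSG_USERAUTH_FAILURE payload (sample input only)."""
    names = ",".join(methods).encode("ascii")
    header = struct.pack(">BI", SSH_MSG_USERAUTH_FAILURE, len(names))
    return header + names + bytes([1 if partial_success else 0])


def parse_userauth_failure(payload):
    """Return (methods_that_can_continue, partial_success) from the payload."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE payload")
    (length,) = struct.unpack(">I", payload[1:5])
    # byte type + uint32 length + name-list + boolean must account for every byte
    if len(payload) != 5 + length + 1:
        raise ValueError("name-list length does not match payload size")
    names = payload[5:5 + length].decode("ascii")
    methods = names.split(",") if names else []
    return methods, payload[5 + length] != 0


def broker_next_step(payload):
    """Hypothetical decision taken after the ephemeral key has been offered."""
    methods, partial = parse_userauth_failure(payload)
    offered = sorted(INTERACTIVE.intersection(methods))
    if not offered:
        return "fail"  # the server offers no interactive method to fall back to
    if partial:
        # Key accepted, but the server requires an additional interactive factor.
        return "prompt-second-factor:" + offered[0]
    # Key not accepted; interactive input replaces it.
    return "prompt-instead-of-key:" + offered[0]


if __name__ == "__main__":
    for methods, partial in (
        (["keyboard-interactive"], True),
        (["publickey", "password"], False),
        (["publickey"], False),
    ):
        print(methods, partial, "->", broker_next_step(build_userauth_failure(methods, partial)))
```
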
Configuration details for connecting to SSH Servers using passwords
In order to allow connecting to the SSH Servers via Luminate Secure Access Cloud (TM) using a password that gets validated locally at the server, the following settings should be defined in the sshd_config file on the server: