Description
The problem is when a target server has 2FA optionally enabled (for example, as set up here: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04): even when a user (such as the one used by warpgate) does not have OTP configured, sshd will still force a keyboard-interactive auth via the `ChallengeResponseAuthentication` setting required for 2FA. Targets that actually require TOTP or a different 2nd factor are explicitly part of this report, as those are expected to fail since warpgate can't actually offer the 2nd factor.
In the example below I directly connected to the target using my own key, and not warpgate. This shows the sshd offering keyboard-interactive, which will not actually prompt anything and instantly succeeds:

```
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:MYKEY explicit agent
debug1: Server accepts key: /home/user/.ssh/id_ed25519 ED25519 SHA256:MYKEY explicit agent
Authenticated using "publickey" with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Authenticated to with-optional-otp.my.net ([10.69.224.135]:22) using "keyboard-interactive".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
```
Compared to a target that does not have OTP optionally configured at all:

```
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:MYKEY agent
debug1: Server accepts key: /home/user/.ssh/id_ed25519 ED25519 SHA256:MYKEY agent
Authenticated to without-optional-otp.my.net ([10.69.218.146]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
```
@Eugeny would it be possible to implement something in the SSH client to just silently accept this (maybe with a 1 or 2 second timeout)? This way warpgate and OTP can be used side by side in different users on a target.
Originally posted by @samtoxie in #20 (comment)
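The exchange the debug log shows is the standard one from RFC 4252 and RFC 4256: after the public key is accepted, the server sends `SSH_MSG_USERAUTH_FAILURE` with the partial-success flag set and `keyboard-interactive` in the list of methods that can continue; the client then starts keyboard-interactive, and a server whose user has no OTP enrolled sends an `SSH_MSG_USERAUTH_INFO_REQUEST` carrying zero prompts, which the client must answer with an `SSH_MSG_USERAUTH_INFO_RESPONSE` carrying zero responses before `SSH_MSG_USERAUTH_SUCCESS` arrives. The following is an added illustration of that client-side logic, not warpgate's or russh's code: it parses and builds those messages with the wire layout from the RFCs, answers zero-prompt rounds automatically, stops (rather than guessing) as soon as a real prompt such as a verification code appears, and caps the number of rounds so a misbehaving server cannot keep the client looping. The sample messages are constructed inline, not captured from a real server, and the round cap stands in for the timeout the report asks about.

```rust
// Message numbers from RFC 4252 (userauth) and RFC 4256 (keyboard-interactive).
const SSH_MSG_USERAUTH_FAILURE: u8 = 51;
const SSH_MSG_USERAUTH_SUCCESS: u8 = 52;
const SSH_MSG_USERAUTH_INFO_REQUEST: u8 = 60;
const SSH_MSG_USERAUTH_INFO_RESPONSE: u8 = 61;

#[derive(Debug, PartialEq)]
pub enum AuthOutcome { Success, Failure, NeedsSecondFactor(Vec<String>) }

fn read_u32(buf: &[u8], off: &mut usize) -> Option<u32> {
    let b = buf.get(*off..*off + 4)?;
    *off += 4;
    Some(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}

// SSH "string": uint32 length prefix followed by the bytes.
fn read_string<'a>(buf: &'a [u8], off: &mut usize) -> Option<&'a [u8]> {
    let n = read_u32(buf, off)? as usize;
    let s = buf.get(*off..*off + n)?;
    *off += n;
    Some(s)
}

fn put_string(out: &mut Vec<u8>, s: &[u8]) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s);
}

/// SSH_MSG_USERAUTH_FAILURE: (methods that can continue, partial-success flag).
pub fn parse_userauth_failure(msg: &[u8]) -> Option<(Vec<String>, bool)> {
    if msg.first() != Some(&SSH_MSG_USERAUTH_FAILURE) { return None; }
    let mut off = 1;
    let list = read_string(msg, &mut off)?;
    let methods = std::str::from_utf8(list).ok()?
        .split(',').filter(|m| !m.is_empty()).map(String::from).collect();
    let partial = *msg.get(off)? != 0;
    Some((methods, partial))
}

/// The situation in the log: the key was accepted (partial success) and
/// keyboard-interactive is the method the server wants next.
pub fn should_try_keyboard_interactive(msg: &[u8]) -> bool {
    matches!(parse_userauth_failure(msg),
        Some((m, true)) if m.iter().any(|x| x.as_str() == "keyboard-interactive"))
}

/// SSH_MSG_USERAUTH_INFO_REQUEST: name, instruction, language tag, then
/// num-prompts pairs of (prompt, echo). Returns just the prompts.
pub fn parse_info_request(msg: &[u8]) -> Option<Vec<(String, bool)>> {
    if msg.first() != Some(&SSH_MSG_USERAUTH_INFO_REQUEST) { return None; }
    let mut off = 1;
    let _name = read_string(msg, &mut off)?;
    let _instruction = read_string(msg, &mut off)?;
    let _lang = read_string(msg, &mut off)?;
    let count = read_u32(msg, &mut off)?;
    let mut prompts = Vec::new();
    for _ in 0..count {
        let text = read_string(msg, &mut off)?;
        let echo = *msg.get(off)? != 0;
        off += 1;
        prompts.push((String::from_utf8_lossy(text).into_owned(), echo));
    }
    Some(prompts)
}

/// SSH_MSG_USERAUTH_INFO_RESPONSE: num-responses followed by the strings.
pub fn build_info_response(responses: &[&[u8]]) -> Vec<u8> {
    let mut out = vec![SSH_MSG_USERAUTH_INFO_RESPONSE];
    out.extend_from_slice(&(responses.len() as u32).to_be_bytes());
    for r in responses { put_string(&mut out, r); }
    out
}

/// Client side of the keyboard-interactive method: empty rounds are answered
/// with an empty response; a real prompt means a second factor the proxy does
/// not have, so stop; `max_rounds` bounds how long a server can keep us here.
pub fn run_keyboard_interactive(server_msgs: &[Vec<u8>], max_rounds: usize,
                                sent: &mut Vec<Vec<u8>>) -> Result<AuthOutcome, String> {
    let mut rounds = 0;
    for msg in server_msgs {
        match msg.first().copied() {
            Some(SSH_MSG_USERAUTH_SUCCESS) => return Ok(AuthOutcome::Success),
            Some(SSH_MSG_USERAUTH_FAILURE) => return Ok(AuthOutcome::Failure),
            Some(SSH_MSG_USERAUTH_INFO_REQUEST) => {
                rounds += 1;
                if rounds > max_rounds { return Err("too many keyboard-interactive rounds".into()); }
                let prompts = parse_info_request(msg).ok_or("malformed INFO_REQUEST")?;
                if !prompts.is_empty() {
                    return Ok(AuthOutcome::NeedsSecondFactor(prompts.into_iter().map(|(t, _)| t).collect()));
                }
                sent.push(build_info_response(&[])); // zero prompts -> zero responses
            }
            other => return Err(format!("unexpected message {:?}", other)),
        }
    }
    Err("server closed the connection during authentication".into())
}

// Constructed sample messages mirroring the log above (not captured from a real server).
pub fn sample_partial_success() -> Vec<u8> {
    let mut m = vec![SSH_MSG_USERAUTH_FAILURE];
    put_string(&mut m, b"keyboard-interactive");
    m.push(1); // partial success = true
    m
}

pub fn sample_info_request(prompts: &[&str]) -> Vec<u8> {
    let mut m = vec![SSH_MSG_USERAUTH_INFO_REQUEST];
    put_string(&mut m, b""); put_string(&mut m, b""); put_string(&mut m, b"");
    m.extend_from_slice(&(prompts.len() as u32).to_be_bytes());
    for p in prompts { put_string(&mut m, p.as_bytes()); m.push(0); }
    m
}

fn main() {
    assert!(should_try_keyboard_interactive(&sample_partial_success()));
    let mut sent = Vec::new();
    let msgs = vec![sample_info_request(&[]), vec![SSH_MSG_USERAUTH_SUCCESS]];
    println!("{:?}", run_keyboard_interactive(&msgs, 3, &mut sent)); // Ok(Success)
    let otp = vec![sample_info_request(&["Verification code: "])];
    println!("{:?}", run_keyboard_interactive(&otp, 3, &mut sent)); // NeedsSecondFactor
}
```

The design point is that the client only ever sends empty responses, so a target whose user has no OTP enrolled completes exactly as in the first log, while a target that really asks for a code is reported as needing a second factor instead of being answered with guesses or left hanging.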