Please search the existing issues for relevant feature requests, and use the
reaction feature
(https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/)
to add upvotes to pre-existing requests.
Feature Description
Support KeyboardInteractive auth (e.g. OAuth by Google) to connect to a bastion.
When we connect to a bastion that requires publickey and keyboard-interactive, Packer can't connect now, because sshBastionConfig supports KeyboardInteractive with a password only.
Use Case(s)
The bastion's /etc/sshd/sshd_config has the following config:
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
and the bastion's /etc/pam.d/sshd has the following config:
auth required google-web-oauth.so
google-web-oauth.so is an OAuth PAM module using Google (pyama86/google-web-oauth).
For example, Packer that is built with #8847, run with PACKER_LOG=1.
If we need to input an OAuth token, Packer displays the URL and waits to read the token.
2020/03/09 11:57:44 packer-builder-openstack plugin: Waiting for state to become: [ACTIVE] currently BUILD (0%)
2020/03/09 11:57:46 packer-builder-openstack plugin: [INFO] Not using winrm communicator, skipping get password...
openstack: Floating IP not required
2020/03/09 11:57:46 packer-builder-openstack plugin: [DEBUG] Detected address: 10.51.105.137
2020/03/09 11:57:46 packer-builder-openstack plugin: [DEBUG] Using IP address 10.51.105.137 to connect
==> openstack: Using ssh communicator to connect: 10.51.105.137
2020/03/09 11:57:46 packer-builder-openstack plugin: [INFO] Waiting for SSH, up to timeout: 5m0s
==> openstack: Waiting for SSH to become available...
2020/03/09 11:57:46 packer-builder-openstack plugin: [DEBUG] Detected address: 10.51.105.137
2020/03/09 11:57:46 packer-builder-openstack plugin: [DEBUG] Using IP address 10.51.105.137 to connect
2020/03/09 11:57:46 packer-builder-openstack plugin: [INFO] -- User:
2020/03/09 11:57:46 packer-builder-openstack plugin: [INFO] -- Instructions:
2020/03/09 11:57:46 packer-builder-openstack plugin: [INFO] -- Question 1: Go to the following link in your browser then type the authorization code:
2020/03/09 11:57:46 packer-builder-openstack plugin:
2020/03/09 11:57:46 packer-builder-openstack plugin: https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=356614092899-dlp7eg11cdf41jge6061ncgvepq81dpe.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=profile&state=state-token
2020/03/09 11:57:46 packer-builder-openstack plugin:
2020/03/09 11:57:46 packer-builder-openstack plugin: Please type code:
2020/03/09 11:58:02 packer-builder-openstack plugin: [INFO] Attempting SSH connection to 10.51.105.137:22...
2020/03/09 11:58:02 packer-builder-openstack plugin: [DEBUG] reconnecting to TCP connection for SSH
2020/03/09 11:58:04 packer-builder-openstack plugin: [DEBUG] handshaking with SSH
2020/03/09 11:58:04 packer-builder-openstack plugin: [DEBUG] handshake complete!
2020/03/09 11:58:04 packer-builder-openstack plugin: [DEBUG] Opening new ssh session
2020/03/09 11:58:05 packer-builder-openstack plugin: [INFO] agent forwarding enabled
==> openstack: Connected to SSH!
If we don't need to input an OAuth token, Packer skips displaying the URL and waiting to read the token.
2020/03/09 12:01:31 packer-builder-openstack plugin: Waiting for state to become: [ACTIVE] currently BUILD (0%)
2020/03/09 12:01:34 packer-builder-openstack plugin: [INFO] Not using winrm communicator, skipping get password...
openstack: Floating IP not required
2020/03/09 12:01:34 packer-builder-openstack plugin: [DEBUG] Detected address: 10.51.105.137
2020/03/09 12:01:34 packer-builder-openstack plugin: [DEBUG] Using IP address 10.51.105.137 to connect
==> openstack: Using ssh communicator to connect: 10.51.105.137
2020/03/09 12:01:34 packer-builder-openstack plugin: [INFO] Waiting for SSH, up to timeout: 5m0s
==> openstack: Waiting for SSH to become available...
2020/03/09 12:01:34 packer-builder-openstack plugin: [DEBUG] Detected address: 10.51.105.137
2020/03/09 12:01:34 packer-builder-openstack plugin: [DEBUG] Using IP address 10.51.105.137 to connect
2020/03/09 12:01:39 packer-builder-openstack plugin: [DEBUG] TCP connection to SSH ip/port failed: ssh: rejected: connect failed (No route to host)
2020/03/09 12:01:44 packer-builder-openstack plugin: [DEBUG] Detected address: 10.51.105.137
2020/03/09 12:01:44 packer-builder-openstack plugin: [DEBUG] Using IP address 10.51.105.137 to connect
2020/03/09 12:01:46 packer-builder-openstack plugin: [INFO] Attempting SSH connection to 10.51.105.137:22...
2020/03/09 12:01:46 packer-builder-openstack plugin: [DEBUG] reconnecting to TCP connection for SSH
2020/03/09 12:01:47 packer-builder-openstack plugin: [DEBUG] handshaking with SSH
2020/03/09 12:01:47 packer-builder-openstack plugin: [DEBUG] handshake complete!
2020/03/09 12:01:47 packer-builder-openstack plugin: [DEBUG] Opening new ssh session
2020/03/09 12:01:48 packer-builder-openstack plugin: [INFO] agent forwarding enabled
==> openstack: Connected to SSH!
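Added example, not part of the original issue and not Packer's code: a keyboard-interactive handler that fills only hidden password-style prompts from a stored password and relays every other prompt (such as the OAuth code request in the log above) to the operator, so the password is never sent in answer to an unrelated question. The names `Challenge` and `NewChallenge` and the "contains password" heuristic are assumptions made for illustration; the callback type has the same parameter and result types as `ssh.KeyboardInteractiveChallenge` in golang.org/x/crypto/ssh.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// Challenge is declared locally (same parameter and result types as the
// x/crypto/ssh callback) so the example builds with the standard library only.
type Challenge func(name, instruction string, questions []string, echos []bool) ([]string, error)

// NewChallenge (hypothetical helper) answers hidden prompts that mention
// "password" from the stored value and reads every other answer from in,
// after writing the prompt to out.
func NewChallenge(in io.Reader, out io.Writer, password string) Challenge {
	r := bufio.NewReader(in)
	return func(name, instruction string, questions []string, echos []bool) ([]string, error) {
		// A round with zero questions is legal and must get zero answers.
		answers := make([]string, 0, len(questions))
		for i, q := range questions {
			hidden := i < len(echos) && !echos[i]
			if hidden && password != "" && strings.Contains(strings.ToLower(q), "password") {
				answers = append(answers, password)
				continue
			}
			fmt.Fprintf(out, "-- Question %d: %s\n", i+1, q)
			line, err := r.ReadString('\n')
			if err != nil && (err != io.EOF || line == "") {
				return nil, fmt.Errorf("no answer for question %d: %w", i+1, err)
			}
			answers = append(answers, strings.TrimRight(line, "\r\n"))
		}
		return answers, nil
	}
}

func main() {
	// Constructed input: one password prompt, one OAuth code prompt.
	in := strings.NewReader("constructed-code\n")
	ch := NewChallenge(in, os.Stderr, "constructed-password")
	ans, err := ch("", "", []string{"Password: ", "Please type code: "}, []bool{false, true})
	fmt.Println(len(ans), err)
}
```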