Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,611 questions
Using ssh with Entra ID Oauth2 can we reduce how often authentication is required?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 84%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAH%3C/text%3E%3C/svg%3E)
Aaron Hicks
0
Reputation points
We've set up Oauth2 authentication for SSH via Red Hat Identity Manager using Microsft Entra ID as an IDP as per the documentation:
https://access.redhat.com/solutions/7073948
Resulting in an outcome very similar to as shown in the video here:
https://www.youtube.com/watch?v=NorXJN3tw3Q
The problem I'm having is that we have to jump through the click-the-link, enter-the-code, followed by the full Microsoft MFA authentication sequence every time someone logs in.
What I expected to happen was that there would be a persistent token, like a Kerberos token, that maintained the authentication for 'some time' or until it's invalidated, and that subsequent logins would work passwordlessly as per the demo in the video.
It doesn't seem to make any difference if someone's coming from Windows cmd.exe , PowerShell, or a Linux/WSL shell.
Are there additional settings I need to add to the App Registration we created in Azure/Entra that authenticates the login that gets us the desired behaviour?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 5,255 Reputation points Microsoft Vendor2024-09-05T19:42:40.2766667+00:00 Hello @Aaron Hicks,
Thank you for posting your query on Microsoft Q&A.
I see that you've registered an application in Microsoft Entra ID as an IDP using the OAuth 2.0 device code flow. I understand that when attempting to connect via SSH with a username, a code is generated, which then needs to be authenticated via the verification URL "https://microsoft.com/devicelogin." To sign in, you must open a web browser, navigate to https://microsoft.com/devicelogin, and enter the code XXXXXXXXX to complete authentication.
You mentioned that each time a new user tries to make an SSH connection, they are prompted to enter a code in a web browser along with an MFA prompt. This is expected behavior when using the device code flow protocol, as it is designed for input-constrained devices to authenticate users via a web session. This requires users to input a code to successfully sign in.
I watched the YouTube video you referenced, and I noticed that during the video (from 45:20 to 46:15), they also entered a code in a new browser session to complete authentication when establishing the SSH connection.
Regarding the MFA prompt: if the user already has an active session in their browser with Entra, they should not be prompted for MFA during device code validation. Once the code is entered and submitted, authentication should proceed without the need for additional prompts, as the token claims will already be satisfied.
Please let me know if you're experiencing different behavior or share the specific time frame in the video where you observed passwordless authentication so I can take another look.
Microsoft identity platform and the OAuth 2.0 device authorization grant flow
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju. -
Aaron Hicks 0 Reputation points
2024-09-06T01:45:01.4833333+00:00 Regarding the MFA prompt: if the user already has an active session in their browser with Entra, they should not be prompted for MFA during device code validation. Once the code is entered and submitted, authentication should proceed without the need for additional prompts, as the token claims will already be satisfied.
Ok, I do have an active authentication session in my browser, two actually, and I have to choose between them when I redo the authentication. I have to go through the full process each time. So the sequence is
- Enter SSH command
- click the link in the terminal
- enter the code
- choose which Entra account
- Password
- MFA with Microsoft Authenticator App on my phone
- Confirm the service name
- Press enter at the terminal
- Logged in
I think you're saying I should be skipping 5, 6 & 7 if someone has an Entra session on their browser?
Steps 1,2, 8, & 9 are using my shell session. Steps 3, 4, 5, &7 are in my browser, and step 6 is on my phone. We'd like to reduce these app switches as much as we can.
There are use cases for out people where this will not be acceptable, and we'll be going back to creating site specific credentials for the RHIdM domain and/or using SSH keys. We'd strongly prefer using Entra or AD as our SSO and relying on that to do MFA.
Ideally we'd like to see the Kerberos ticket that's issued to our people when they log in to their Windows workstations and laptops be accepted for authentication when the SSH to our Linux hosts that are under the Red Hat Identity Manager's domain, though we would like them to periodically (i.e. first time, after an expiry period, when they connect from unusual locations, etc.) have to go through the MFA process.
We may follow up here looking at using one-way trust, but that is less preferred because it requires higher admin privileges on our AD and we're tying to do this authentication against Entra in the cloud vs. AD on premise.
-
Raja Pothuraju 5,255 Reputation points Microsoft Vendor
2024-09-06T12:35:38.8966667+00:00 Hello @Aaron Hicks,
Thank you for your response.
As you mentioned, steps 5, 6, and 7 should not appear when an active session is running with Microsoft Entra. Since you are encountering this issue, I would like to investigate this behavior with you.
Please send me an email at 'AzCommunity@microsoft.com' with the subject line: Attn: Pothurajur, and include the following details in the body of the email: a link to this thread/post.
We can connect offline to discuss this further.
Thanks,
Raja Pothuraju. -
Raja Pothuraju 5,255 Reputation points Microsoft Vendor
2024-09-09T21:46:53.76+00:00 Hello @Aaron Hicks,
Thank you for your time on the call. As discussed, please allow me some time to review the logs, and I will share an update with you accordingly.
Thanks,
Raja Pothuraju.
Sign in to comment
Sign in to answer