SSH (and by association conch) sends feedback to users, but unless you ssh -v you won't see much of it. Sending text feedback without using the standard auth methods might require you to move your two-factor auth into your protocol, but this doesn't feel like a good idea to me. I'm relatively new to conch and my use case is quite different to yours, so if I'm wrong and there is a way to do this I hope someone else jumps in to correct me.

I did a quick test with as my portal's checker and that lets me require both password (something you know) and key (something you have).
My test doesn't handle "ticking" already used auth methods off the list of authentications that can continue but I don't think it would be too hard to get that working.
I see the following in my ssh client connection when connecting to my server. As I said I don't tick off used methods which is why you see "Authentications that can continue: password,publickey" instead of just password.

$ ssh -v -p 5022 user@localhost
OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/tom/.ssh/config
debug1: Remote protocol version 2.0, remote software version Twisted
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tom/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
Authenticated with partial success.
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: password
user@localhost's password:
debug1: Authentication succeeded (password).
Authenticated to localhost ([]:5022).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8

Hope that helps.

On Wed, Feb 5, 2014 at 12:03 AM, David Timothy Strauss wrote:
Is there a straightforward way to send text feedback to users when
their authentication fails? At Pantheon, we use a custom
implementation of IRealm. I'm hoping there's a way to send or return
the output from there.

We particularly need this because users will have various two-factor
authentication modes configured, and a simple pass/fail for
authentication will leave many scratching their heads.

I don't see any examples of such output on the relevant documentation page [1].


Twisted-Python mailing list
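
The "ticking off" of already-used methods discussed in the reply above, as an added example that is not part of the original thread and is not Twisted or conch code. It models the RFC 4252 SSH_MSG_USERAUTH_FAILURE message (name-list of methods that can continue, plus the partial-success flag) in plain Python; `MultiFactorTracker`, `name_list` and `parse_failure` are hypothetical names, and one tracker per connection is assumed.

```python
import struct

MSG_USERAUTH_FAILURE = 51  # RFC 4252 section 5.1
MSG_USERAUTH_SUCCESS = 52


def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


class MultiFactorTracker:
    """Hypothetical helper: tracks which required methods one connection still owes."""

    def __init__(self, required):
        self.required = tuple(required)  # order advertised to the client
        self.done = set()

    def remaining(self):
        return [m for m in self.required if m not in self.done]

    def attempt(self, method, credentials_ok):
        """Return the packet (message byte + payload) the server would send."""
        # An unknown or already-satisfied method never counts as progress,
        # so presenting the same factor twice cannot stand in for the second one.
        if method not in self.remaining() or not credentials_ok:
            return self._failure(partial=False)
        self.done.add(method)
        if not self.remaining():
            return bytes([MSG_USERAUTH_SUCCESS])
        return self._failure(partial=True)

    def _failure(self, partial):
        return (bytes([MSG_USERAUTH_FAILURE])
                + name_list(self.remaining())
                + bytes([1 if partial else 0]))


def parse_failure(packet):
    """Decode a USERAUTH_FAILURE packet into (methods, partial_success)."""
    if packet[0] != MSG_USERAUTH_FAILURE:
        raise ValueError("not a USERAUTH_FAILURE packet")
    (length,) = struct.unpack(">I", packet[1:5])
    names = packet[5:5 + length].decode("ascii")
    return (names.split(",") if names else []), bool(packet[5 + length])
```

With this bookkeeping, the second "Authentications that can continue" line in the debug output above would list only password.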