AuthProxy with LDAP/SSH key-based authentication

Hi,

We are trying to set up the AuthProxy in an environment that uses LDAP and SSH with key-based authentication. We got the proxy to work with password authentication; however, it does not work with keys.

In case of password authentication, the usual LDAP communication flow looks like this:

  1. LDAP Bind Request with the service account (read only account)
  2. LDAP Search Request, Search Response etc…
  3. LDAP Bind Request with the user trying to authenticate → this is where Duo steps in and prompts for the second factor - we submit it and login works

With key-based auth however, the following happens:

  1. LDAP Bind Request with service account
  2. LDAP Search Request, Search Response contains public key
  3. Rest of the authentication is handled “normally”, no 2nd bind occurs with the authenticating user → no MFA is triggered

Is there any solution or workaround to this problem? Using password authentication is not an option.
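
The two flows described in the post can be told apart from LDAP operation records. The following is an added example, not part of the original post and not code from Duo or any LDAP server: it classifies each LDAP connection by whether a bind as the authenticating user occurs, the step at which the post says the second factor is prompted. The log format, the DNs and the `sshPublicKey` attribute name are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SERVICE_DN = "cn=svc-readonly,dc=example,dc=org"  # constructed service account DN
KEY_ATTR = "sshPublicKey"                         # assumed attribute holding the public key

# Constructed sample in a simplified, made-up log format (not a real server's format).
SAMPLE_LOG = """\
conn=1 op=BIND dn="cn=svc-readonly,dc=example,dc=org"
conn=1 op=SEARCH filter="(uid=alice)" attrs="uid"
conn=1 op=BIND dn="uid=alice,ou=people,dc=example,dc=org"
conn=2 op=BIND dn="cn=svc-readonly,dc=example,dc=org"
conn=2 op=SEARCH filter="(uid=bob)" attrs="uid,sshPublicKey"
conn=2 op=UNBIND
"""

LINE_RE = re.compile(r'conn=(\d+) op=(\w+)(.*)')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def classify(log_text, service_dn=SERVICE_DN, key_attr=KEY_ATTR):
    """Return {conn_id: verdict} for every LDAP connection seen in the log."""
    conns = defaultdict(lambda: {"user_bind": False, "key_lookup": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not operation records
        conn, op = int(m.group(1)), m.group(2)
        fields = dict(KV_RE.findall(m.group(3)))
        state = conns[conn]
        if op == "BIND":
            # Any bind that is not the read-only service account is a user bind.
            if fields.get("dn", "").lower() != service_dn.lower():
                state["user_bind"] = True
        elif op == "SEARCH":
            attrs = [a.strip().lower() for a in fields.get("attrs", "").split(",")]
            if key_attr.lower() in attrs:
                state["key_lookup"] = True
    verdicts = {}
    for conn, s in conns.items():
        if s["user_bind"]:
            verdicts[conn] = "user-bind"        # a bind exists where MFA can be prompted
        elif s["key_lookup"]:
            verdicts[conn] = "key-lookup-only"  # key fetched, no user bind, no MFA prompt
        else:
            verdicts[conn] = "service-only"
    return verdicts


if __name__ == "__main__":
    for conn, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(conn, verdict)
```

Connections reported as `key-lookup-only` correspond to the key-based flow in the post, where no second bind reaches the proxy.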