Error: AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys root failed, status 5

Hello!

I am running into an issue trying to set up PrivacyIdea for our system. I am
hoping to use this to distribute SSH keys to our servers from the one main
PrivacyIdea server for each of our agents that log into different servers.

So far I have installed the Apache2 package on Ubuntu 14.04, added a realm
and a token, and attached that token to a specific machine. The server is
currently pointed to /etc/passwd for the users list. I also have a machine
resolver pointed to /etc/mysshhosts.

I have installed the admin client on the server I am wanting to SSH into. I
have added the [default] file to /etc/privacyidea/authorizedkeys. I have
also edited the ssh_config file to add in the authorizedkeyscommand file
and user.

From the client system when running “privacyidea-authorizedkeys root”, it
successfully returns the correct SSH key from the main server.

When I try to log in from the device with said SSH key, it says the server
refused the key and prompts for the password. When running SSHD in debug
mode, I am getting this error: “error: AuthorizedKeysCommand
/usr/bin/privacyidea-authorizedkeys root failed, status 5”

I have tried to find what this error status 5 means but cannot find any
information. I can provide more information if needed. I have used various
guides from howtoforge, and information from the PrivacyIdea documentation,
as well as this group, to install and configure the software. There very
well may be mistakes along the way I have made as I am still learning the
software.

Any help and guidance is greatly appreciated.

Thanks!

Arthur

Hi Cornelius,

Thanks for the quick reply!

Here is a snippet of my sshd_config file in regards to authorizedkeys.

    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys

    #AuthorizedPrincipalsFile none

    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
    AuthorizedKeysCommandUser root

I am running the command as root, both when manually checking and when
connecting. The user that the token is attached to on the PrivacyIdea
server side is also root.

Thanks!

Arthur

Hello Arthur,

are you running the command as the same user?

I.e. when running manually you are running as user “root” I suppose.
The command needs access to the configuration file. So if the
authorizedKeysCommand is run as another user, you might fail.

How does your sshd_config look like in regards to authorizedkeys?

Kind regards
Cornelius

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/fa6bde1b-3718-4e8f-bbd4-ee5eb440ed46%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi Cornelius,

I have the log and config file on the PrivacyIdea SSH server, but on the
client that I am trying to SSH into (the one giving the status 5 error), I
don’t have either file.

On the client I ran this command to install the PrivacyIdea admin client:

pip install privacyideaadm

I used this guide when I installed that:

SSH Key Management with privacyIDEA

Do I need to install the full PrivacyIdea software on the client as well,
or can I just define the config file according to the documentation with
the admin client? Or is the config file for the admin client located
somewhere I’m not looking? I’ve looked in the three places the
documentation stated that you linked.

Thank you so much for all your help, I really appreciate it.

Thanks,

Arthur

Hello Arthur,

can you please take a look into the privacyidea.log, which is usually
located at /var/log/privacyidea/.

In the moment of authentication, when sshd calls
“privacyidea-authorizedkeys”, this might give us a clue, what happens in
this moment.
If needed please increase the log level
http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html

Kind regards
Cornelius


Hi Arthur,

you do not need the privacyidea server software on the client (which in
this case is your SSH server).

On the client side you only need privacyidea-authorizedkeys.
This script is located in the module privacyideaadm.

You only need one config file:

This should do it.

As you can run the command from the command line successfully, it seems
fine.

Can you please send the very detailed output/stdout of the command

privacyidea-authorizedkeys root

(I want to make sure, that there is no other disturbing output)

and send the /var/log/privacyidea/privacyidea.log file from the event,
when trying to ssh into the ssh server?

Thanks a lot
Cornelius
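
One way to collect what is asked for above, as an added example that is not part of the original thread or of privacyIDEA: it runs an AuthorizedKeysCommand helper non-interactively, keeps exit status, stdout and stderr apart, and checks that every stdout line is a well-formed authorized_keys entry. The minimal environment, the function names and the sample output are assumptions constructed for illustration.

```python
import base64
import struct
import subprocess
import sys

# Key types this check accepts (a subset of what OpenSSH supports).
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def constructed_blob(key_type):
    """Build a syntactically valid but meaningless key blob (demo data only)."""
    name = key_type.encode("ascii")
    raw = struct.pack(">I", len(name)) + name + b"\x00" * 32
    return base64.b64encode(raw).decode("ascii")


def blob_key_type(b64_blob):
    """Return the key type embedded at the start of an SSH public key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", raw[:4])
    if length == 0 or 4 + length > len(raw):
        raise ValueError("bad length prefix")
    return raw[4:4 + length].decode("ascii")


def check_line(line):
    """Return None for a plausible authorized_keys entry, else the reason."""
    fields = line.split()
    # An entry may start with options, so look for the first known key type.
    idx = next((i for i, f in enumerate(fields) if f in KNOWN_KEY_TYPES), None)
    if idx is None:
        return "no known key type"
    if idx + 1 >= len(fields):
        return "key type without key data"
    try:
        embedded = blob_key_type(fields[idx + 1])
    except ValueError as exc:  # bad base64, bad length, non-ASCII type name
        return "key data is not an SSH key blob (%s)" % exc
    if embedded != fields[idx]:
        return "declared type %s but blob says %s" % (fields[idx], embedded)
    return None


def check_output(stdout_text):
    """Return (key_count, problems) for everything the helper wrote to stdout."""
    keys, problems = 0, []
    for number, line in enumerate(stdout_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are allowed in authorized_keys
        reason = check_line(stripped)
        if reason is None:
            keys += 1
        else:
            problems.append((number, reason, stripped[:60]))
    return keys, problems


def run_helper(argv, env=None):
    """Run the helper without a terminal and keep status, stdout, stderr apart.

    Assumption: a minimal environment approximates how sshd starts the helper.
    """
    if env is None:
        env = {"PATH": "/usr/bin:/bin"}
    proc = subprocess.run(argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, env=env, text=True)
    keys, problems = check_output(proc.stdout)
    return {"status": proc.returncode, "keys": keys, "problems": problems,
            "stderr_lines": proc.stderr.splitlines()}


# Constructed sample: warning text mixed into stdout plus a mistyped key type.
SAMPLE_STDOUT = "\n".join([
    "/usr/lib/python2.7/site-packages/requests/packages/urllib3/"
    "connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request",
    "  InsecureRequestWarning)",
    "ssh-rss " + constructed_blob("ssh-rsa") + " constructed-key-1",
    "ssh-rsa " + constructed_blob("ssh-rsa") + " constructed-key-2",
])

if __name__ == "__main__":
    # Usage: python3 check_akc.py /usr/bin/privacyidea-authorizedkeys root
    report = run_helper(sys.argv[1:])
    print("exit status :", report["status"])
    print("valid keys  :", report["keys"])
    for number, reason, text in report["problems"]:
        print("stdout line %d rejected (%s): %s" % (number, reason, text))
    for text in report["stderr_lines"]:
        print("stderr      :", text)
```

Run it as the user named in AuthorizedKeysCommandUser; the exit status it reports is the number sshd prints after "failed, status".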


Hm, maybe the nosslcheck parameter in the config file is broken

You can run at the commandline:

privacyidea-authorizedkeys --nosslcheck root

This should suppress the error message.
Just drop me a note, if it does.

Kind regards
Cornelius

On Tuesday, 29.12.2015, at 11:21 -0800, arthur.schoenfeld@gmail.com wrote:

Hi Cornelius,

That makes sense about the log file.

Just to clarify, for the nosslcheck = true option, is that added to
the client’s config file (/etc/privacyidea/authorizedkeyscommand), or
to the SSH server, or both?

I will work towards getting a certificate in place. I have actually
had nosslcheck = true part of my client’s config file from before I
posted here, and it has always given that error message on the output.
Would I need to disable the SSL warning instead, or should the
nosslcheck prevent the warning from appearing?

Here is my complete config file from the client
(/etc/privacyidea/authorizedkeyscommand):

    [Default]
    url=https://
    admin=****
    password=****
    nosslcheck = True

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:

    Hi Arthur,

    the privacyidea.log only exists on the privacyidea server!

    But the output of the command

        privacyidea-authorizedkeys root

    help. This command must only output the public ssh keys.
    The urllib warning will confuse the SSH server. So we need to avoid
    these.
    Either get a trusted SSL certificate to install on your privacyIDEA
    server (recommended solution to avoid MitM attacks)

    For now, you can add --nosslcheck as parameter or add

        nosslcheck = True

    to your config file.

    Kind regards
    Cornelius

    On Monday, 28.12.2015, at 21:43 -0800, arthur.s...@gmail.com wrote:
    > Hi Cornelius,
    >
    > Here is the output from the 'privacyidea-authorizedkeys root' command:
    >
    > [root@satellite110 ~]# privacyidea-authorizedkeys root
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >   InsecureRequestWarning)
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >   InsecureRequestWarning)
    > ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    >
    > I figured the HTTPS error wasn't an issue and that it should still
    > work from what I read at the security.html it recommends reading, but
    > I may have read it wrong.
    >
    > Here is the log file from the SSH server:
    >
    > [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    > [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    > [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >
    > Unfortunately I still don't have /var/log/privacyidea/privacyidea.log
    > file on the client machine that I am trying to SSH into. I did add a
    > file there manually hoping it would maybe use it after
    running the 
    > 'privacyidea-authorizedkeys root' command, but the file is
    empty. 
    > 
    > 
    > I also edited the client's config file located 
    > in /etc/privacyidea/authorizedkeys and added these lines: 
    > 
    > 
    > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log" 
    > 
    > PI_LOGLEVEL = 10 
    > 
    > 
    > I also added those same lines
    to /usr/bin/privacyidea-authorizedkeys 
    > and changed DEBUG to true: 
    > 
    > 
    > VERSION = '2.4' 
    > 
    > DEBUG = True 
    > 
    > DESCRIPTION = __doc__ 
    > 
    > DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand" 
    > 
    > PI_LOGLEVEL = 10 
    > 
    > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log" 
    > 
    > 
    > Even with all the I'm still not seeing a log file anywhere
    on the 
    > client machine. I must be doing something wrong if it isn't
    generating 
    > one for us. 
    > 
    > 
    > I hope I am not tiring you, I apologize for my ignorance
    with this. 
    > The missing log file is perplexing me. Thank you so much for
    your time 
    > and help with this. 
    > 
    > 
    > Thanks, 
    > 
    > 
    > Arthur 
    > 
    > 
    > On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel  wrote: 
    >         Hi Arthur, 
    >         
    >         you do not need the privacyidea server software on
    the client 
    >         (which in 
    >         this case is your SSH server). 
    >         
    >         On the client side you only need
    privacyidea-authorizedkeys. 
    >         This script is located in the module
    privacyideaadm. 
    >         
    >         You only need one config file: 
    >
    https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35 
    >         
    >         This should do it. 
    >         
    >         As you can run the command from the command line
    successfully, 
    >         it seems 
    >         fine. 
    >         
    >         Can you please send the very detailed output/stdout
    of the 
    >         command 
    >         
    >                 privacyidea-authorizedkeys root 
    >         
    >         (I want to make sure, that there is no other
    disturbing 
    >         output) 
    >         
    >         and send the /var/log/privacyidea/privacyidea.log
    file from 
    >         the event, 
    >         when tryping to ssh into the ssh server? 
    >         
    >         Thanks a lot 
    >         Cornelius 
    >         
    >         
    >         Am Sonntag, den 27.12.2015, 09:30 -0800 schrieb 
    >         arthur.s...@gmail.com: 
    >         > Hi Cornelius, 
    >         > 
    >         > 
    >         > I have the log and config file on the PrivacyIdea
    SSH 
    >         server, but on 
    >         > the client that I am trying to SSH into (the one
    giving the 
    >         status 5 
    >         > error), I don't have either file. 
    >         > 
    >         > 
    >         > On the client I ran this command to install the
    PrivacyIdea 
    >         admin 
    >         > client: 
    >         > 
    >         > 
    >         > pip install privacyideaadm 
    >         > 
    >         > 
    >         > 
    >         > I used this guide when I installed that: 
    >         > 
    >         > 
    >         > 
    >
    https://www.howtoforge.com/tutorial/ssh-key-management-with-privacyidea/ 
    >         > 
    >         > 
    >         > 
    >         > Do I need to install the full PrivacyIdea software
    on the 
    >         client as 
    >         > well, or can I just define the config file
    according to the 
    >         > documentation with the admin client? Or is the
    config file 
    >         for the 
    >         > admin client located somewhere I'm not looking?
    I've looked 
    >         in the 
    >         > three places the documentation stated that you
    linked. 
    >         > 
    >         > 
    >         > Thank you so much for all your help, I really
    appreciate 
    >         it. 
    >         > 
    >         > 
    >         > Thanks, 
    >         > 
    >         > 
    >         > Arthur 
    >         > 
    >         > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius  Kölbel  wrote: 
    >         >         Hallo Arthur, 
    >         >         
    >         >         can you please take a look into the
    privacyidea.log, 
    >         which is 
    >         >         usually 
    >         >         located at /var/log/privacyidea/. 
    >         >         
    >         >         In the moment of authentication, when sshd
    calls 
    >         >         "privacyidea-authorizedkeys", this might
    give us a 
    >         clue, what 
    >         >         happens in 
    >         >         this moment. 
    >         >         If needed please increase the log level 
    >         > 
    >
    http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html 
    >         >         
    >         >         Kind regards 
    >         >         Cornelius 
    >         >         
    >         >         Am Samstag, den 26.12.2015, 09:22 -0800 schrieb 
    >         >         arthur.s...@gmail.com: 
    >         >         > Hi Cornelius, 
    >         >         > 
    >         >         > 
    >         >         > Thanks for the quick reply! 
    >         >         > 
    >         >         > 
    >         >         > Here is a snippet of my sshd_config file
    in 
    >         regards to 
    >         >         authorizedkeys. 
    >         >         > 
    >         >         > 
    >         >         > # The default is to check 
    >         both .ssh/authorized_keys 
    >         >         > and .ssh/authorized_keys2 
    >         >         > 
    >         >         > # but this is overridden so
    installations will 
    >         only 
    >         >         > check .ssh/authorized_keys 
    >         >         > 
    >         >         > AuthorizedKeysFile .ssh/authorized_keys 
    >         >         > 
    >         >         > 
    >         >         > #AuthorizedPrincipalsFile none 
    >         >         > 
    >         >         > 
    >         >         > 
    >
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         > 
    >         >         > AuthorizedKeysCommandUser root 
    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > I am running the command as root, both
    when 
    >         manually 
    >         >         checking and when 
    >         >         > connecting. The user that the token is
    attached to 
    >         on the 
    >         >         PrivacyIdea 
    >         >         > server side is also root. 
    >         >         > 
    >         >         > 
    >         >         > Thanks! 
    >         >         > 
    >         >         > 
    >         >         > Arthur 
    >         >         > 
    >         >         > On Saturday, December 26, 2015 at 10:14:39 AM  UTC-7,  Cornelius Kölbel  wrote: 
    >         >         >         Hello Arthur, 
    >         >         >         
    >         >         >         are you running the command as
    the same 
    >         user? 
    >         >         >         
    >         >         >         I.e. when running manually you
    are running 
    >         as user 
    >         >         "root" I 
    >         >         >         suppose. 
    >         >         >         The command needs access to the 
    >         configuration file. 
    >         >         So if the 
    >         >         >         authorizedKeysCommand is run as
    another 
    >         user, you 
    >         >         might fail. 
    >         >         >         
    >         >         >         How does your sshd_config look
    like in 
    >         regards to 
    >         >         >         authorizedkeys? 
    >         >         >         
    >         >         >         Kind regards 
    >         >         >         Cornelius 
    >         >         >         
    >         >         >         Am Samstag, den 26.12.2015, 08:03 -0800  schrieb 
    >         >         >         arthur.s...@gmail.com: 
    >         >         >         > Hello! 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I am running into an issue
    trying to 
    >         setup 
    >         >         PrivacyIdea for 
    >         >         >         our system. 
    >         >         >         > I am hoping to use this to
    distribute 
    >         SSH keys to 
    >         >         our 
    >         >         >         servers from the 
    >         >         >         > one main PrivacyIdea server
    for each of 
    >         our agents 
    >         >         that log 
    >         >         >         into 
    >         >         >         > different servers. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > So far I have installed the
    Apache2 
    >         package on 
    >         >         Ubuntu 14.04, 
    >         >         >         added a 
    >         >         >         > realm and a token, and
    attached that 
    >         token to a 
    >         >         specific 
    >         >         >         machine. The 
    >         >         >         > server is currently pointed 
    >         to /etc/passwd for the 
    >         >         users 
    >         >         >         list. I also 
    >         >         >         > have a machine resolver
    pointed 
    >         >         to /etc/mysshhosts. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I have installed the admin
    client on the 
    >         server I 
    >         >         am wanting 
    >         >         >         to SSH 
    >         >         >         > into. I have added the
    [default] file 
    >         >         >         >
    to /etc/privacyidea/authorizedkeys. I 
    >         have also 
    >         >         edited the 
    >         >         >         ssh_config 
    >         >         >         > file to add in the
    authorizedkeyscommand 
    >         file and 
    >         >         user. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > From the client system when
    running 
    >         >         >         "privacyidea-authorizedkeys
    root", 
    >         >         >         > it successfully returns the
    correct SSH 
    >         key from 
    >         >         the main 
    >         >         >         server. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > When I try to login from the
    device with 
    >         said SSH 
    >         >         key, it 
    >         >         >         says the 
    >         >         >         > server refused the key and
    prompts for 
    >         the 
    >         >         password. When 
    >         >         >         running SSHD 
    >         >         >         > in debug mode, I am getting
    this error: 
    >         "error: 
    >         >         >         > 
    >         > 
    >
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         >         root failed, 
    >         >         >         > status 5" 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I have tried to find what this
    error 
    >         status 5 
    >         >         means but 
    >         >         >         cannot find 
    >         >         >         > any information. I can provide
    more 
    >         information if 
    >         >         needed. I 
    >         >         >         have used 
    >         >         >         > various guides from
    howtoforge, and 
    >         information 
    >         >         from the 
    >         >         >         PrivacyIdea 
    >         >         >         > documentation, as well as this
    group, to 
    >         install 
    >         >         and 
    >         >         >         configure the 
    >         >         >         > software. There very well may
    be 
    >         mistakes along 
    >         >         the way I 
    >         >         >         have made as 
    >         >         >         > I am still learning the
    software. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Any help and guidance is
    greatly 
    >         appreciated. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Thanks! 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Arthur 
    >         >         >         > -- 
    >         >         >         > You received this message
    because you 
    >         are 
    >         >         subscribed to the 
    >         >         >         Google 
    >         >         >         > Groups "privacyidea" group. 
    >         >         >         > To unsubscribe from this group
    and stop 
    >         receiving 
    >         >         emails 
    >         >         >         from it, send 
    >         >         >         > an email to 
    >         privacyidea...@googlegroups.com. 
    >         >         >         > To post to this group, send
    email to 
    >         >         >         priva...@googlegroups.com. 
    >         >         >         > To view this discussion on the
    web 
    >         visit 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/fa6bde1b-3718-4e8f-bbd4-ee5eb440ed46%40googlegroups.com. 
    >         >         >         > For more options, visit 
    >         >         https://groups.google.com/d/optout. 
    >         >         >         
    >         >         >         -- 
    >         >         >         Cornelius Kölbel 
    >         >         >         corneliu...@netknights.it 
    >         >         >         +49 151 2960 1417 
    >         >         >         
    >         >         >         NetKnights GmbH 
    >         >         >         http://www.netknights.it 
    >         >         >         Landgraf-Karl-Str. 19, 34131
    Kassel, 
    >         Germany 
    >         >         >         Tel: +49 561 3166797, Fax: +49
    561 
    >         3166798 
    >         >         >         
    >         >         >         Amtsgericht Kassel, HRB 16405 
    >         >         >         Geschäftsführer: Cornelius
    Kölbel 
    >         >         >         
    >         >         >         
    >         >         > -- 
    >         >         > You received this message because you
    are 
    >         subscribed to the 
    >         >         Google 
    >         >         > Groups "privacyidea" group. 
    >         >         > To unsubscribe from this group and stop
    receiving 
    >         emails 
    >         >         from it, send 
    >         >         > an email to
    privacyidea...@googlegroups.com. 
    >         >         > To post to this group, send email to 
    >         >         priva...@googlegroups.com. 
    >         >         > To view this discussion on the web
    visit 
    >         >         > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/d84c69c4-7609-4fcc-a19f-a8614d6093d2%40googlegroups.com. 
    >         >         > For more options, visit 
    >         https://groups.google.com/d/optout. 
    >         >         
    >         >         -- 
    >         >         Cornelius Kölbel 
    >         >         corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://www.netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         > -- 
    >         > You received this message because you are
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > To view this discussion on the web visit 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/70d9e885-5ba9-4718-886d-eebe71587085%40googlegroups.com. 
    >         > For more options, visit
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/731b0af5-1bde-45b4-b777-69400c7517f8%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 
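
The advice in the message above is that privacyidea-authorizedkeys must output only public SSH keys. The following Python check is an added example, not part of the thread or of privacyIDEA: it takes the captured standard output of an AuthorizedKeysCommand and reports every line that is not a well-formed key line. The sample text is constructed (modeled on the output quoted in this thread), and the function names and the key-type list are assumptions.

```python
import base64
import binascii
import struct

# Key types accepted here (assumption: a common subset; extend for your OpenSSH build).
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length, then the data."""
    return struct.pack(">I", len(data)) + data


def make_sample_key_blob():
    """Build a constructed, non-functional RSA public key blob for the samples."""
    fake_modulus = b"\x00" + bytes(range(1, 65))
    raw = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
           + _ssh_string(fake_modulus))
    return base64.b64encode(raw).decode("ascii")


def check_line(line):
    """Return None for a plausible 'keytype base64 [comment]' line, else a reason.

    Assumption: no options field precedes the key type, as in the thread's output.
    """
    fields = line.split()
    if len(fields) < 2:
        return "not in 'keytype base64 [comment]' form"
    key_type, blob_b64 = fields[0], fields[1]
    if key_type not in KNOWN_KEY_TYPES:
        return "unknown key type %r" % key_type
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return "key data is not valid base64"
    if len(blob) < 4:
        return "key blob too short"
    # The blob starts with its own length-prefixed key type name.
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        return "declared type %r does not match blob type %r" % (key_type, embedded)
    return None


def validate_output(stdout_text):
    """Check captured stdout of an AuthorizedKeysCommand.

    Returns a list of (line_number, reason) for every line that is neither
    blank, a '#' comment, nor a well-formed key line.
    """
    problems = []
    for number, line in enumerate(stdout_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reason = check_line(stripped)
        if reason is not None:
            problems.append((number, reason))
    return problems


def sample_outputs():
    """Constructed samples modeled on the command output quoted in the thread."""
    blob = make_sample_key_blob()
    noisy = (
        "/usr/lib/python2.7/site-packages/requests/packages/urllib3/"
        "connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS "
        "request is being made.\n"
        "  InsecureRequestWarning)\n"
        "ssh-rss %s iphone-rsa-key-20151225\n" % blob
    )
    clean = "ssh-rsa %s iphone-rsa-key-20151225\n" % blob
    return noisy, clean


if __name__ == "__main__":
    for name, text in zip(("noisy", "clean"), sample_outputs()):
        found = validate_output(text)
        print(name, "OK" if not found else found)
```

To use it on a live host, capture the command's standard output while running as the configured AuthorizedKeysCommandUser and pass that text to `validate_output`.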



Hi Cornelius,

That makes sense about the log file.

Just to clarify, for the nosslcheck = true option, is that added to the
client’s config file (/etc/privacyidea/authorizedkeyscommand), or to the
SSH server, or both?

I will work towards getting a certificate in place. I have actually had
nosslcheck = true part of my client’s config file from before I posted
here, and it has always given that error message on the output. Would I
need to disable the SSL warning instead, or should the nosslcheck prevent
the warning from appearing?

Here is my complete config file from the client
(/etc/privacyidea/authorizedkeyscommand):

    [Default]
    url=https://
    admin=****
    password=****
    nosslcheck = True

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:

Hi Arthur,

the privacyidea.log only exists on the privacyidea server!

But the output of the command

    privacyidea-authorizedkeys root

helps. This command must only output the public ssh keys.
The urllib warning will confuse the SSH server. So we need to avoid
these.
Either get a trusted SSL certificate to install on your privacyIDEA
server (recommended solution to avoid MitM attacks)

For now, you can add --nosslcheck as parameter or add

    nosslcheck = True 

to your config file.

Kind regards
Cornelius

On Monday, 28.12.2015, 21:43 -0800, arthur.s...@gmail.com wrote:

Hi Cornelius,

Here is the output from the ‘privacyidea-authorizedkeys root’ command:

    [root@satellite110 ~]# privacyidea-authorizedkeys root
    /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    ssh-rss AAAAB3NzaC1yc2EAAAABJQAA…3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225

I figured the HTTPS error wasn’t an issue and that it should still
work from what I read at the security.html it recommends reading, but
I may have read it wrong.

Here is the log file from the SSH server:

    [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'

Unfortunately I still don’t have /var/log/privacyidea/privacyidea.log
file on the client machine that I am trying to SSH into. I did add a
file there manually hoping it would maybe use it after running the
‘privacyidea-authorizedkeys root’ command, but the file is empty.

I also edited the client’s config file located
in /etc/privacyidea/authorizedkeys and added these lines:

    PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    PI_LOGLEVEL = 10

I also added those same lines to /usr/bin/privacyidea-authorizedkeys
and changed DEBUG to true:

    VERSION = '2.4'
    DEBUG = True
    DESCRIPTION = __doc__
    DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
    PI_LOGLEVEL = 10
    PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"

Even with all that, I’m still not seeing a log file anywhere on the
client machine. I must be doing something wrong if it isn’t generating
one for us.

I hope I am not tiring you, I apologize for my ignorance with this.
The missing log file is perplexing me. Thank you so much for your time
and help with this.

Thanks,

Arthur

On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:

    Hi Arthur,

    you do not need the privacyidea server software on the client (which in
    this case is your SSH server).

    On the client side you only need privacyidea-authorizedkeys.
    This script is located in the module privacyideaadm.

    You only need one config file:
    https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35

    This should do it.

    As you can run the command from the command line successfully, it seems
    fine.

    Can you please send the very detailed output/stdout of the command

            privacyidea-authorizedkeys root

    (I want to make sure, that there is no other disturbing output)

    and send the /var/log/privacyidea/privacyidea.log file from the event,
    when trying to ssh into the ssh server?

    Thanks a lot
    Cornelius

    
    On Sunday, 27.12.2015, 09:30 -0800, arthur.s...@gmail.com wrote:
    > Hi Cornelius,
    >
    > I have the log and config file on the PrivacyIdea SSH server, but on
    > the client that I am trying to SSH into (the one giving the status 5
    > error), I don't have either file.
    >
    > On the client I ran this command to install the PrivacyIdea admin
    > client:
    >
    > pip install privacyideaadm
    >
    > I used this guide when I installed that:
    >
    > https://www.howtoforge.com/tutorial/ssh-key-management-with-privacyidea/
    >
    > Do I need to install the full PrivacyIdea software on the client as
    > well, or can I just define the config file according to the
    > documentation with the admin client? Or is the config file for the
    > admin client located somewhere I'm not looking? I've looked in the
    > three places the documentation stated that you linked.
    >
    > Thank you so much for all your help, I really appreciate it.
    >
    > Thanks,
    >
    > Arthur
    > 
    > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:
    >         Hello Arthur,
    >
    >         can you please take a look into the privacyidea.log, which is
    >         usually located at /var/log/privacyidea/.
    >
    >         In the moment of authentication, when sshd calls
    >         "privacyidea-authorizedkeys", this might give us a clue, what
    >         happens in this moment.
    >         If needed please increase the log level
    >         http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
    >
    >         Kind regards
    >         Cornelius
    >         
    >         On Saturday, 26.12.2015, 09:22 -0800, arthur.s...@gmail.com wrote:
    >         > Hi Cornelius,
    >         >
    >         > Thanks for the quick reply!
    >         >
    >         > Here is a snippet of my sshd_config file in regards to
    >         > authorizedkeys.
    >         >
    >         > # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    >         > # but this is overridden so installations will only check .ssh/authorized_keys
    >         > AuthorizedKeysFile .ssh/authorized_keys
    >         >
    >         > #AuthorizedPrincipalsFile none
    >         >
    >         > AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
    >         > AuthorizedKeysCommandUser root
    >         >
    >         > I am running the command as root, both when manually checking and when
    >         > connecting. The user that the token is attached to on the PrivacyIdea
    >         > server side is also root.
    >         >
    >         > Thanks!
    >         >
    >         > Arthur
    >         > 
    >         > On Saturday, December 26, 2015 at 10:14:39 AM UTC-7, Cornelius Kölbel wrote:
    >         >         Hello Arthur,
    >         >
    >         >         are you running the command as the same user?
    >         >
    >         >         I.e. when running manually you are running as user "root" I
    >         >         suppose.
    >         >         The command needs access to the configuration file. So if the
    >         >         authorizedKeysCommand is run as another user, you might fail.
    >         >
    >         >         How does your sshd_config look like in regards to
    >         >         authorizedkeys?
    >         >
    >         >         Kind regards
    >         >         Cornelius

Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi Arthur,

you can create a bash script that sets the environment variable:

    #!/bin/bash
    # Suppress the urllib3 warning, then call the real command without the SSL check
    export PYTHONWARNINGS="ignore:Unverified HTTPS request"
    privacyidea-authorizedkeys --nosslcheck "$@"

Then you could use this script as AuthorizedKeysCommand.
For now.

But using an untrusted certificate allows for a man-in-the-middle
attack.

I will add an issue, so that

  1. the error can be ignored without bash script
  2. the privacyidea-authorizedkeys will accept your own CA certificates

You should at all costs ensure that the client (ssh server) trusts the
privacyIDEA server certificate.

For what it’s worth: if you only have a surface knowledge but this topic
is mission critical to you, my company provides all kinds of support
around this topic. So we could do remote sessions or an on-site workshop,
help to set up the certificate, configure privacyidea and the client side,
and you can also get a service level agreement:

https://netknights.it/en/leistungen/one-time-services/
https://netknights.it/en/leistungen/service-level-agreements/

Kind regards
Cornelius
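
The requirement stated in this thread, that the command hands sshd nothing but public key lines, can be checked before the command is put into sshd_config. This Python sketch is an added example, not part of the thread or of privacyIDEA; it assumes key lines without an options prefix, and the function names and all sample data are constructed for illustration.

```python
import base64
import binascii
import struct

# Key types commonly accepted in authorized_keys (a subset, assumed here).
KNOWN_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def embedded_type(blob_b64):
    """Return the algorithm name stored at the start of a key blob, or None."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    # The blob starts with a 4-byte big-endian length, then the type name.
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or length > len(blob) - 4:
        return None
    try:
        return blob[4:4 + length].decode("ascii")
    except UnicodeDecodeError:
        return None


def check_line(line):
    """Return None for an acceptable line, otherwise the reason it is not."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None  # blank lines and comments are ignored in authorized_keys
    fields = stripped.split()
    if len(fields) < 2:
        return "not a key line"
    declared, blob = fields[0], fields[1]
    inner = embedded_type(blob)
    if inner is None:
        return "second field is not a public key blob"
    if declared not in KNOWN_TYPES:
        return "unknown key type %r (blob is %r)" % (declared, inner)
    if declared != inner:
        return "key type %r does not match blob type %r" % (declared, inner)
    return None


def check_output(text):
    """Check everything the command wrote; return [(line_number, reason)]."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        reason = check_line(line)
        if reason:
            problems.append((number, reason))
    return problems


# Constructed sample data: a syntactically valid blob, not a usable key.
SAMPLE_BLOB = base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + b"\x00" * 16).decode("ascii")
CLEAN = "ssh-rsa %s constructed-key-comment\n" % SAMPLE_BLOB
# Warning text as quoted in the thread, placed in front of the key line.
NOISY = (
    "/usr/lib/python2.7/site-packages/requests/packages/urllib3/"
    "connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS "
    "request is being made.\n"
    "  InsecureRequestWarning)\n" + CLEAN
)
# Type label spelled as in the output pasted in the thread, with the same blob.
MISLABELLED = "ssh-rss %s constructed-key-comment\n" % SAMPLE_BLOB

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("noisy", NOISY),
                         ("mislabelled", MISLABELLED)):
        print(name, check_output(sample))
```

Feeding the captured stdout of the real command to `check_output` shows which lines sshd would not be able to parse as keys.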

On Tuesday, 29.12.2015, 11:55 -0800, arthur.schoenfeld@gmail.com wrote:

Cornelius,

I ran it as you said, and the error messages are gone, and only the
key was returned.

    [root@satellite110 ~]# PYTHONWARNINGS="ignore:Unverified HTTPS request" \
        privacyidea-authorizedkeys root
    ssh-rss AAAAB3Nz…gq3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    [root@satellite110 ~]#

I have a surface level knowledge of this and am trying to learn and
understand, but I’m not sure if I should disable that or just learn
how to implement a certificate on the server. If a cert is the right
way to go I can do that. If the status 5 error I was originally
getting was just due to the client passing the SSH server the key,
plus the junk from the warnings, that would make sense why it rejects
the key, since it’s not the key, it’s the key + warning message
garbage - I hope I understand that properly, if not let me know.

Is there a way to permanently disable this or get it working for now
without the SSL?

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:47:45 PM UTC-7, Cornelius Kölbel wrote:

    Hi Arthur,

    oh, now I understand.
    This is a warning from the urllib3 library, that an https request is
    performed without verifying the certificate.

    Too bad. Hm, we know that we are doing nasty stuff. All this software
    that tries to educate us...

    Try to run it this way:

    PYTHONWARNINGS="ignore:Unverified HTTPS request" \
       privacyidea-authorizedkeys root

    Kind regards
    Cornelius

    On Tuesday, 29.12.2015, 11:42 -0800, arthur.s...@gmail.com wrote:
    > Cornelius,
    >
    > I tried with the --nosslcheck parameter at the command line, it gave the same output results:
    >
    > [root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >   InsecureRequestWarning)
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >   InsecureRequestWarning)
    > ssh-rss AAAAB3NzaC1yc2EAAAAB.....XC6XT9k= iphone-rsa-key-20151225
    >
    > I am thinking of wiping and reinstalling the client server, maybe I installed incorrectly, or possibly disabling the warning message entirely. Any thoughts or suggestions on this?
    >
    > Thanks again for everything.
    >
    > Arthur
    >
    > On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:
    >         Hm, maybe the nosslcheck parameter in the config file is broken
    >
    >         You can run at the commandline:
    >
    >         privacyidea-authorizedkeys --nosslcheck root
    >
    >         This should suppress the error message.
    >         Just drop me a note, if it does.
    >
    >         Kind regards
    >         Cornelius
    >
    >         On Tuesday, 29.12.2015, 11:21 -0800, arthur.s...@gmail.com wrote:
    >         > Hi Cornelius,
    >         >
    >         > That makes sense about the log file.
    >         >
    >         > Just to clarify, for the nosslcheck = true option, is that added to the client's config file (/etc/privacyidea/authorizedkeyscommand), or to the SSH server, or both?
    >         >
    >         > I will work towards getting a certificate in place. I have actually had nosslcheck = true part of my client's config file from before I posted here, and it has always given that error message on the output. Would I need to disable the SSL warning instead, or should the nosslcheck prevent the warning from appearing?
    >         >
    >         > Here is my complete config file from the client (/etc/privacyidea/authorizedkeyscommand):
    >         >
    >         > [Default]
    >         > url=https://<IP>
    >         > admin=****
    >         > password=****
    >         > nosslcheck = True
    >         >
    >         > Thanks,
    >         >
    >         > Arthur
    >         >
    >         > On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
    >         >         Hi Arthur,
    >         >
    >         >         the privacyidea.log only exists on the privacyidea server!
    >         >
    >         >         But the output of the command
    >         >
    >         >          privacyidea-authorizedkeys root
    >         >
    >         >         help. This command must only output the public ssh keys.
    >         >         The urllib warning will confuse the SSH server. So we need to avoid these.
    >         >         Either get a trusted SSL certificate to install on your privacyIDEA server (recommended solution to avoid MitM attacks)
    >         >
    >         >         For now, you can add --nosslcheck as parameter or add
    >         >
    >         >                 nosslcheck = True
    >         >
    >         >         to your config file.
    >         >
    >         >         Kind regards
    >         >         Cornelius
    >         >
    >         >         On Monday, 28.12.2015, 21:43 -0800, arthur.s...@gmail.com wrote:
    >         >         > Hi Cornelius,
    >         >         >
    >         >         > Here is the output from the 'privacyidea-authorizedkeys root' command:
    >         >         >
    >         >         > [root@satellite110 ~]# privacyidea-authorizedkeys root
    >         >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >         >         >   InsecureRequestWarning)
    >         >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >         >         >   InsecureRequestWarning)
    >         >         > ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    >         >         >
    >         >         > I figured the HTTPS error wasn't an issue and that it should still work from what I read at the security.html it recommends reading, but I may have read it wrong.
    >         >         >
    >         >         > Here is the log file from the SSH server:
    >         >         >
    >         >         > [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    >         >         > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    >         >         > [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    >         >         > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    >         >         > [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         >
    >         >         > Unfortunately I still don't have /var/log/privacyidea/privacyidea.log file on the client machine that I am trying to SSH into. I did add a file there manually hoping it would maybe use it after running the 'privacyidea-authorizedkeys root' command, but the file is empty.
    >         >         >
    >         >         > I also edited the client's config file located in /etc/privacyidea/authorizedkeys and added these lines:
    >         >         >
    >         >         > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    >         >         > PI_LOGLEVEL = 10
    >         >         >
    >         >         > I also added those same lines to /usr/bin/privacyidea-authorizedkeys and changed DEBUG to true:
    >         >         >
    >         >         > VERSION = '2.4'
    >         >         > DEBUG = True
    >         >         > DESCRIPTION = __doc__
    >         >         > DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
    >         >         > PI_LOGLEVEL = 10
    >         >         > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    >         >         >
    >         >         > Even with all that I'm still not seeing a log file anywhere on the client machine. I must be doing something wrong if it isn't generating one for us.
    >         >         >
    >         >         > I hope I am not tiring you, I apologize for my ignorance with this. The missing log file is perplexing me. Thank you so much for your time and help with this.
    >         >         >
    >         >         > Thanks,
    >         >         >
    >         >         > Arthur
    >         >         >
    >         >         > On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:
    >         >         >         Hi Arthur,
    >         >         >
    >         >         >         you do not need the privacyidea server software on the client (which in this case is your SSH server).
    >         >         >
    >         >         >         On the client side you only need privacyidea-authorizedkeys.
    >         >         >         This script is located in the module privacyideaadm.
    >         >         >
    >         >         >         You only need one config file:
    >         >         >         https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35
    >         >         >
    >         >         >         This should do it.
    >         >         >
    >         >         >         As you can run the command from the command line successfully, it seems fine.
    >         >         >
    >         >         >         Can you please send the very detailed output/stdout of the command
    >         >         >
    >         >         >         privacyidea-authorizedkeys root
    >         >         >
    >         >         >         (I want to make sure, that there is no other disturbing output)
    >         >         >
    >         >         >         and send the /var/log/privacyidea/privacyidea.log file from the event, when trying to ssh into the ssh server?
    >         >         >
    >         >         >         Thanks a lot
    >         >         >         Cornelius
    >         >         >
    >         >         >         On Sunday, 27.12.2015, 09:30 -0800, arthur.s...@gmail.com wrote:
    >         >         >         > Hi Cornelius,
    >         >         >         >
    >         >         >         > I have the log and config file on the PrivacyIdea SSH server, but on the client that I am trying to SSH into (the one giving the status 5 error), I don't have either file.
    >         >         >         >
    >         >         >         > On the client I ran this command to install the PrivacyIdea admin client:
    >         >         >         >
    >         >         >         > pip install privacyideaadm
    >         >         >         >
    >         >         >         > I used this guide when I installed that:
    >         >         >         >
    >         >         >         > https://www.howtoforge.com/tutorial/ssh-key-management-with-privacyidea/
    >         >         >         >
    >         >         >         > Do I need to install the full PrivacyIdea software on the client as well, or can I just define the config file according to the documentation with the admin client? Or is the config file for the admin client located somewhere I'm not looking? I've looked in the three places the documentation stated that you linked.
    >         >         >         >
    >         >         >         > Thank you so much for all your help, I really appreciate it.
    >         >         >         >
    >         >         >         > Thanks,
    >         >         >         >
    >         >         >         > Arthur
    >         >         >         >
    >         >         >         > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:
    >         >         >         >         Hello Arthur,
    >         >         >         >
    >         >         >         >         can you please take a look into the privacyidea.log, which is usually located at /var/log/privacyidea/.
    >         >         >         >
    >         >         >         >         In the moment of authentication, when sshd calls "privacyidea-authorizedkeys", this might give us a clue, what happens in this moment.
    >         >         >         >         If needed please increase the log level
    >         >         >         >         http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
    >         >         >         >
    >         >         >         >         Kind regards
    >         >         >         >         Cornelius
    >         >         >         >
    >         >         >         >         > On Saturday, December 26, 2015  at  10:14:39 AM  UTC-7,  Cornelius Kölbel  wrote: 
    >         >         >         >         >         Hello
    Arthur, 
    >         >         >         >         >         
    >         >         >         >         >         are you
    running the 
    >         command as 
    >         >         the same 
    >         >         >         user? 
    >         >         >         >         >         
    >         >         >         >         >         I.e. when
    running 
    >         manually you 
    >         >         are running 
    >         >         >         as user 
    >         >         >         >         "root" I 
    >         >         >         >         >         suppose. 
    >         >         >         >         >         The command
    needs 
    >         access to the 
    >         >         >         configuration file. 
    >         >         >         >         So if the 
    >         >         >         >         >
    authorizedKeysCommand 
    >         is run as 
    >         >         another 
    >         >         >         user, you 
    >         >         >         >         might fail. 
    >         >         >         >         >         
    >         >         >         >         >         How does
    your 
    >         sshd_config look 
    >         >         like in 
    >         >         >         regards to 
    >         >         >         >         >
    authorizedkeys? 
    >         >         >         >         >         
    >         >         >         >         >         Kind
    regards 
    >         >         >         >         >         Cornelius 
    >         >         >         >         >         
    >         >         >         >         >         Am Samstag, den  26.12.2015,  08:03 -0800  schrieb 
    >         >         >         >         > 
    >         arthur.s...@gmail.com: 
    >         >         >         >         >         > Hello! 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > I am
    running into an 
    >         issue 
    >         >         trying to 
    >         >         >         setup 
    >         >         >         >         PrivacyIdea for 
    >         >         >         >         >         our system. 
    >         >         >         >         >         > I am
    hoping to use 
    >         this to 
    >         >         distribute 
    >         >         >         SSH keys to 
    >         >         >         >         our 
    >         >         >         >         >         servers from
    the 
    >         >         >         >         >         > one main
    PrivacyIdea 
    >         server 
    >         >         for each of 
    >         >         >         our agents 
    >         >         >         >         that log 
    >         >         >         >         >         into 
    >         >         >         >         >         > different
    servers. 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > So far I
    have 
    >         installed the 
    >         >         Apache2 
    >         >         >         package on 
    >         >         >         >         Ubuntu 14.04, 
    >         >         >         >         >         added a 
    >         >         >         >         >         > realm and
    a token, 
    >         and 
    >         >         attached that 
    >         >         >         token to a 
    >         >         >         >         specific 
    >         >         >         >         >         machine.
    The 
    >         >         >         >         >         > server is
    currently 
    >         pointed 
    >         >         >         to /etc/passwd for the 
    >         >         >         >         users 
    >         >         >         >         >         list. I
    also 
    >         >         >         >         >         > have a
    machine 
    >         resolver 
    >         >         pointed 
    >         >         >         >         to /etc/mysshhosts. 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > I have
    installed the 
    >         admin 
    >         >         client on the 
    >         >         >         server I 
    >         >         >         >         am wanting 
    >         >         >         >         >         to SSH 
    >         >         >         >         >         > into. I
    have added 
    >         the 
    >         >         [default] file 
    >         >         >         >         >         > 
    >         >         to /etc/privacyidea/authorizedkeys. I 
    >         >         >         have also 
    >         >         >         >         edited the 
    >         >         >         >         >         ssh_config 
    >         >         >         >         >         > file to
    add in the 
    >         >         authorizedkeyscommand 
    >         >         >         file and 
    >         >         >         >         user. 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > From the
    client 
    >         system when 
    >         >         running 
    >         >         >         >         > 
    >         "privacyidea-authorizedkeys 
    >         >         root", 
    >         >         >         >         >         > it
    successfully 
    >         returns the 
    >         >         correct SSH 
    >         >         >         key from 
    >         >         >         >         the main 
    >         >         >         >         >         server. 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > When I try
    to login 
    >         from the 
    >         >         device with 
    >         >         >         said SSH 
    >         >         >         >         key, it 
    >         >         >         >         >         says the 
    >         >         >         >         >         > server
    refused the 
    >         key and 
    >         >         prompts for 
    >         >         >         the 
    >         >         >         >         password. When 
    >         >         >         >         >         running
    SSHD 
    >         >         >         >         >         > in debug
    mode, I am 
    >         getting 
    >         >         this error: 
    >         >         >         "error: 
    >         >         >         >         >         > 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         >         >         >         root
    failed, 
    >         >         >         >         >         > status 5" 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > I have
    tried to find 
    >         what this 
    >         >         error 
    >         >         >         status 5 
    >         >         >         >         means but 
    >         >         >         >         >         cannot find 
    >         >         >         >         >         > any
    information. I 
    >         can provide 
    >         >         more 
    >         >         >         information if 
    >         >         >         >         needed. I 
    >         >         >         >         >         have used 
    >         >         >         >         >         > various
    guides from 
    >         >         howtoforge, and 
    >         >         >         information 
    >         >         >         >         from the 
    >         >         >         >         >         PrivacyIdea 
    >         >         >         >         >         >
    documentation, as 
    >         well as this 
    >         >         group, to 
    >         >         >         install 
    >         >         >         >         and 
    >         >         >         >         >         configure
    the 
    >         >         >         >         >         > software.
    There very 
    >         well may 
    >         >         be 
    >         >         >         mistakes along 
    >         >         >         >         the way I 
    >         >         >         >         >         have made
    as 
    >         >         >         >         >         > I am still
    learning 
    >         the 
    >         >         software. 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > Any help
    and 
    >         guidance is 
    >         >         greatly 
    >         >         >         appreciated. 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > Thanks! 
    >         >         >         >         >         > 
    >         >         >         >         >         > 
    >         >         >         >         >         > Arthur 


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/f4d591b0-24b4-4a63-a145-b9b94493e12d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel

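An added example, not part of the original thread and not privacyIDEA's own code: a small checker for the two things this thread keeps returning to, the helper's exit status and whether its standard output holds anything other than authorized_keys lines. The key-type list, the function names and the sample strings are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import struct
import subprocess
import sys

# Key type names OpenSSH accepts in authorized_keys (not an exhaustive list).
KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)
# Optional options field, then "<type> <base64 blob>", then an optional comment.
ENTRY_RE = re.compile(
    r"(?:^|\s)(%s)\s+([A-Za-z0-9+/]+={0,2})(?=\s|$)"
    % "|".join(re.escape(t) for t in KEY_TYPES)
)


def check_line(line):
    """Return None if the line is a plausible authorized_keys entry, else a reason."""
    match = ENTRY_RE.search(line)
    if match is None:
        return "no known key type followed by a base64 blob"
    declared, blob_b64 = match.group(1), match.group(2)
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return "key blob is not valid base64"
    if len(blob) < 4:
        return "key blob too short"
    # The blob starts with a length-prefixed copy of the key type name.
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len]
    if embedded != declared.encode():
        return "declared type %s, blob says %s" % (
            declared, embedded.decode("ascii", "replace"))
    return None


def check_helper_result(returncode, stdout):
    """Collect everything about one helper run that deserves a closer look."""
    problems = []
    if returncode != 0:
        # sshd reports this case as "failed, status N", as seen in this thread.
        problems.append("exit status %d (expected 0)" % returncode)
    usable = 0
    for number, line in enumerate(stdout.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reason = check_line(stripped)
        if reason is None:
            usable += 1
        else:
            problems.append("stdout line %d: %s" % (number, reason))
    if usable == 0:
        problems.append("no usable key line on stdout")
    return problems


def run_helper(argv, timeout=10):
    """Run the helper; do this as the AuthorizedKeysCommandUser from sshd_config."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


def constructed_blob(key_type, payload=b"\x00" * 32):
    """Build a syntactically valid, cryptographically meaningless sample blob."""
    name = key_type.encode()
    raw = struct.pack(">I", len(name)) + name
    raw += struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()


# Constructed sample outputs, not taken from the thread.
GOOD = "ssh-ed25519 %s constructed-key\n" % constructed_blob("ssh-ed25519")
NOISY = "connectionpool.py:791: InsecureRequestWarning: constructed\n" + GOOD
MISSPELLED = "ssh-rss %s constructed-key\n" % constructed_blob("ssh-rsa")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        code, out, err = run_helper(sys.argv[1:])
        findings = check_helper_result(code, out)
        if err.strip():
            findings.append("helper also wrote to stderr")
    else:
        findings = check_helper_result(5, NOISY)
    print("\n".join(findings) if findings else "output looks clean")
```

Called with the helper and user name as arguments (for example the command line from sshd_config followed by `root`), it checks a real run; without arguments it prints the findings for the constructed noisy sample.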

Cornelius,

I tried with the --nosslcheck parameter at the command line, it gave the
same output results:

[root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:

InsecureRequestWarning)

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:

InsecureRequestWarning)

ssh-rss AAAAB3NzaC1yc2EAAAAB…XC6XT9k= iphone-rsa-key-20151225

I am thinking of wiping and reinstalling the client server, maybe I
installed incorrectly, or possibly disabling the warning message entirely.
Any thoughts or suggestions on this?

Thanks again for everything.

Arthur

On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:

Hm, maybe the nosslcheck parameter in the config file is broken

You can run at the commandline:

privacyidea-authorizedkeys --nosslcheck root

This should suppress the error message.
Just drop me a note, if it does.

Kind regards
Cornelius

On Tuesday, 29.12.2015, at 11:21 -0800, arthur.s...@gmail.com wrote:

Hi Cornelius,

That makes sense about the log file.

Just to clarify, for the nosslcheck = true option, is that added to
the client’s config file (/etc/privacyidea/authorizedkeyscommand), or
to the SSH server, or both?

I will work towards getting a certificate in place. I have actually
had nosslcheck = true part of my client’s config file from before I
posted here, and it has always given that error message on the output.
Would I need to disable the SSL warning instead, or should the
nosslcheck prevent the warning from appearing?

Here is my complete config file from the client
(/etc/privacyidea/authorizedkeyscommand):

[Default]

url=https://

admin=****

password=****

nosslcheck = True

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
Hi Arthur,

    the privacyidea.log only exists on the privacyidea server!

    But the output of the command

     privacyidea-authorizedkeys root

    help. This command must only output the public ssh keys.
    The urllib warning will confuse the SSH server. So we need to avoid
    these.
    Either get a trusted SSL certificate to install on your privacyIDEA
    server (recommended solution to avoid MitM attacks)

    For now, you can add --nosslcheck as parameter or add

            nosslcheck = True

    to your config file.

    Kind regards
    Cornelius

    On Monday, 28.12.2015, at 21:43 -0800, arthur.s...@gmail.com wrote:
    > Hi Cornelius,
    >
    > Here is the output from the 'privacyidea-authorizedkeys root' command:
    >
    > [root@satellite110 ~]# privacyidea-authorizedkeys root
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
    >   InsecureRequestWarning)
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
    >   InsecureRequestWarning)
    > ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    >
    > I figured the HTTPS error wasn't an issue and that it should still
    > work from what I read at the security.html it recommends reading, but
    > I may have read it wrong.
    >
    > Here is the log file from the SSH server:
    >
    > [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    > [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    > [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >
    > Unfortunately I still don't have /var/log/privacyidea/privacyidea.log
    > file on the client machine that I am trying to SSH into. I did add a
    > file there manually hoping it would maybe use it after running the
    > 'privacyidea-authorizedkeys root' command, but the file is empty.
    >
    > I also edited the client's config file located
    > in /etc/privacyidea/authorizedkeys and added these lines:
    >
    > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    > PI_LOGLEVEL = 10
    >
    > I also added those same lines to /usr/bin/privacyidea-authorizedkeys
    > and changed DEBUG to true:
    >
    > VERSION = '2.4'
    > DEBUG = True
    > DESCRIPTION = __doc__
    > DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
    > PI_LOGLEVEL = 10
    > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    >
    > Even with all the I'm still not seeing a log file anywhere on the
    > client machine. I must be doing something wrong if it isn't generating
    > one for us.
    >
    > I hope I am not tiring you, I apologize for my ignorance with this.
    > The missing log file is perplexing me. Thank you so much for your time
    > and help with this.
    >
    > Thanks,
    >
    > Arthur
    >
    > On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:
    >         Hi Arthur,
    >
    >         you do not need the privacyidea server software on the client
    >         (which in this case is your SSH server).
    >
    >         On the client side you only need privacyidea-authorizedkeys.
    >         This script is located in the module privacyideaadm.
    >
    >         You only need one config file:
    >         https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35
    >
    >         This should do it.
    >
    >         As you can run the command from the command line successfully,
    >         it seems fine.
    >
    >         Can you please send the very detailed output/stdout of the
    >         command
    >
    >                 privacyidea-authorizedkeys root
    >
    >         (I want to make sure, that there is no other disturbing
    >         output)
    >
    >         and send the /var/log/privacyidea/privacyidea.log file from
    >         the event, when trying to ssh into the ssh server?
    >
    >         Thanks a lot
    >         Cornelius
    >
    >         On Sunday, 27.12.2015, at 09:30 -0800, arthur.s...@gmail.com wrote:
    >         > Hi Cornelius,
    >         >
    >         > I have the log and config file on the PrivacyIdea SSH
    >         > server, but on the client that I am trying to SSH into (the
    >         > one giving the status 5 error), I don't have either file.
    >         >
    >         > On the client I ran this command to install the PrivacyIdea
    >         > admin client:
    >         >
    >         > pip install privacyideaadm
    >         >
    >         > I used this guide when I installed that:
    >         >
    >         > SSH Key Management with privacyIDEA
    >         >
    >         > Do I need to install the full PrivacyIdea software on the
    >         > client as well, or can I just define the config file
    >         > according to the documentation with the admin client? Or is
    >         > the config file for the admin client located somewhere I'm
    >         > not looking? I've looked in the three places the
    >         > documentation stated that you linked.
    >         >
    >         > Thank you so much for all your help, I really appreciate
    >         > it.
    >         >
    >         > Thanks,
    >         >
    >         > Arthur
    >         >
    >         > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:
    >         >         Hello Arthur,
    >         >
    >         >         can you please take a look into the privacyidea.log,
    >         >         which is usually located at /var/log/privacyidea/.
    >         >
    >         >         In the moment of authentication, when sshd calls
    >         >         "privacyidea-authorizedkeys", this might give us a
    >         >         clue, what happens in this moment.
    >         >         If needed please increase the log level
    >         >         2.6. Debugging and Logging — privacyIDEA 3.8 documentation
    >         >
    >         >         Kind regards
    >         >         Cornelius
    >         >
    >         >         On Saturday, 26.12.2015, at 09:22 -0800, arthur.s...@gmail.com wrote:
    >         >         > Hi Cornelius,
    >         >         >
    >         >         > Thanks for the quick reply!
    >         >         >
    >         >         > Here is a snippet of my sshd_config file in
    >         >         > regards to authorizedkeys.
    >         >         >
    >         >         > # The default is to check 
    >         both .ssh/authorized_keys 
    >         >         > and .ssh/authorized_keys2 
    >         >         > 
    >         >         > # but this is overridden so 
    installations will 
    >         only 
    >         >         > check .ssh/authorized_keys 
    >         >         > 
    >         >         > AuthorizedKeysFile .ssh/authorized_keys 
    >         >         > 
    >         >         > 
    >         >         > #AuthorizedPrincipalsFile none 
    >         >         > 
    >         >         > 
    >         >         > 
    > 
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         > 
    >         >         > AuthorizedKeysCommandUser root 
    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > I am running the command as root, both 
    when 
    >         manually 
    >         >         checking and when 
    >         >         > connecting. The user that the token is 
    attached to 
    >         on the 
    >         >         PrivacyIdea 
    >         >         > server side is also root. 
    >         >         > 
    >         >         > 
    >         >         > Thanks! 
    >         >         > 
    >         >         > 
    >         >         > Arthur 
    >         >         > 
    >         >         > On Saturday, December 26, 2015 at  10:14:39 AM  UTC-7,  Cornelius Kölbel  wrote: 
    >         >         >         Hello Arthur, 
    >         >         >         
    >         >         >         are you running the command as 
    the same 
    >         user? 
    >         >         >         
    >         >         >         I.e. when running manually you 
    are running 
    >         as user 
    >         >         "root" I 
    >         >         >         suppose. 
    >         >         >         The command needs access to the 
    >         configuration file. 
    >         >         So if the 
    >         >         >         authorizedKeysCommand is run as 
    another 
    >         user, you 
    >         >         might fail. 
    >         >         >         
    >         >         >         How does your sshd_config look 
    like in 
    >         regards to 
    >         >         >         authorizedkeys? 
    >         >         >         
    >         >         >         Kind regards 
    >         >         >         Cornelius 
    >         >         >         
    >         >         >         Am Samstag, den 26.12.2015,  08:03 -0800  schrieb 
    >         >         >         arthur.s...@gmail.com: 
    >         >         >         > Hello! 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I am running into an issue 
    trying to 
    >         setup 
    >         >         PrivacyIdea for 
    >         >         >         our system. 
    >         >         >         > I am hoping to use this to 
    distribute 
    >         SSH keys to 
    >         >         our 
    >         >         >         servers from the 
    >         >         >         > one main PrivacyIdea server 
    for each of 
    >         our agents 
    >         >         that log 
    >         >         >         into 
    >         >         >         > different servers. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > So far I have installed the 
    Apache2 
    >         package on 
    >         >         Ubuntu 14.04, 
    >         >         >         added a 
    >         >         >         > realm and a token, and 
    attached that 
    >         token to a 
    >         >         specific 
    >         >         >         machine. The 
    >         >         >         > server is currently pointed 
    >         to /etc/passwd for the 
    >         >         users 
    >         >         >         list. I also 
    >         >         >         > have a machine resolver 
    pointed 
    >         >         to /etc/mysshhosts. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I have installed the admin 
    client on the 
    >         server I 
    >         >         am wanting 
    >         >         >         to SSH 
    >         >         >         > into. I have added the 
    [default] file 
    >         >         >         > 
    to /etc/privacyidea/authorizedkeys. I 
    >         have also 
    >         >         edited the 
    >         >         >         ssh_config 
    >         >         >         > file to add in the 
    authorizedkeyscommand 
    >         file and 
    >         >         user. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > From the client system when 
    running 
    >         >         >         "privacyidea-authorizedkeys 
    root", 
    >         >         >         > it successfully returns the 
    correct SSH 
    >         key from 
    >         >         the main 
    >         >         >         server. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > When I try to login from the 
    device with 
    >         said SSH 
    >         >         key, it 
    >         >         >         says the 
    >         >         >         > server refused the key and 
    prompts for 
    >         the 
    >         >         password. When 
    >         >         >         running SSHD 
    >         >         >         > in debug mode, I am getting 
    this error: 
    >         "error: 
    >         >         >         > 
    >         > 
    > 
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         >         root failed, 
    >         >         >         > status 5" 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I have tried to find what this 
    error 
    >         status 5 
    >         >         means but 
    >         >         >         cannot find 
    >         >         >         > any information. I can provide 
    more 
    >         information if 
    >         >         needed. I 
    >         >         >         have used 
    >         >         >         > various guides from 
    howtoforge, and 
    >         information 
    >         >         from the 
    >         >         >         PrivacyIdea 
    >         >         >         > documentation, as well as this 
    group, to 
    >         install 
    >         >         and 
    >         >         >         configure the 
    >         >         >         > software. There very well may 
    be 
    >         mistakes along 
    >         >         the way I 
    >         >         >         have made as 
    >         >         >         > I am still learning the 
    software. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Any help and guidance is 
    greatly 
    >         appreciated. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Thanks! 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Arthur 
    >         >         >         > -- 
    >         >         >         > You received this message 
    because you 
    >         are 
    >         >         subscribed to the 
    >         >         >         Google 
    >         >         >         > Groups "privacyidea" group. 
    >         >         >         > To unsubscribe from this group 
    and stop 
    >         receiving 
    >         >         emails 
    >         >         >         from it, send 
    >         >         >         > an email to 
    >         privacyidea...@googlegroups.com. 
    >         >         >         > To post to this group, send 
    email to 
    >         >         >         priva...@googlegroups.com. 
    >         >         >         > To view this discussion on the 
    web 
    >         visit 
    >         >         >         > 
    >         >         > 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/fa6bde1b-3718-4e8f-bbd4-ee5eb440ed46%40googlegroups.com.

    >         >         >         > For more options, visit 
    >         >         https://groups.google.com/d/optout. 
    >         >         >         
    >         >         >         -- 
    >         >         >         Cornelius Kölbel 
    >         >         >         corneliu...@netknights.it 
    >         >         >         +49 151 2960 1417 
    >         >         >         
    >         >         >         NetKnights GmbH 
    >         >         >         http://www.netknights.it 
    >         >         >         Landgraf-Karl-Str. 19, 34131 
    Kassel, 
    >         Germany 
    >         >         >         Tel: +49 561 3166797, Fax: +49 
    561 
    >         3166798 
    >         >         >         
    >         >         >         Amtsgericht Kassel, HRB 16405 
    >         >         >         Geschäftsführer: Cornelius 
    Kölbel 
    >         >         >         
    >         >         >         
    >         >         > -- 
    >         >         > You received this message because you 
    are 
    >         subscribed to the 
    >         >         Google 
    >         >         > Groups "privacyidea" group. 
    >         >         > To unsubscribe from this group and stop 
    receiving 
    >         emails 
    >         >         from it, send 
    >         >         > an email to 
    privacyidea...@googlegroups.com. 
    >         >         > To post to this group, send email to 
    >         >         priva...@googlegroups.com. 
    >         >         > To view this discussion on the web 
    visit 
    >         >         > 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/d84c69c4-7609-4fcc-a19f-a8614d6093d2%40googlegroups.com.

    >         >         > For more options, visit 
    >         https://groups.google.com/d/optout. 
    >         >         
    >         >         -- 
    >         >         Cornelius Kölbel 
    >         >         corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://www.netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel, 
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561 
    3166798 
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         > -- 
    >         > You received this message because you are 
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving 
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > To view this discussion on the web visit 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/70d9e885-5ba9-4718-886d-eebe71587085%40googlegroups.com.

    >         > For more options, visit 
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > You received this message because you are subscribed to the 
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    > 

https://groups.google.com/d/msgid/privacyidea/731b0af5-1bde-45b4-b777-69400c7517f8%40googlegroups.com.

    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/5ed90dcf-d0ee-455a-bc2d-f957e4bb9d4e%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing director: Cornelius Kölbel
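
The advice quoted in this thread is that the command configured as AuthorizedKeysCommand must output only public SSH keys. The following is an added example, not part of any post and not privacyIDEA code: it checks a command's stdout line by line against the authorized_keys line format and reports exit status and stderr separately. The function names, the sample output and the all-zero key material are constructed for illustration.

```python
import base64
import struct
import subprocess

# Key type names OpenSSH accepts at the start of a key in authorized_keys format.
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def blob_key_type(blob):
    """Return the key type name stored at the start of an SSH public key blob."""
    if len(blob) < 4:
        raise ValueError("key blob shorter than its length prefix")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len == 0 or 4 + name_len > len(blob):
        raise ValueError("key blob has an impossible type-name length")
    return blob[4:4 + name_len].decode("ascii")


def check_line(line):
    """Return None if the line is a usable key, blank or a comment; else a reason."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None  # blank lines and comments are ignored in authorized_keys format
    tokens = text.split()
    # Options may precede the key type, so look for the first known type token.
    index = next((i for i, t in enumerate(tokens) if t in KNOWN_KEY_TYPES), None)
    if index is None:
        return "no recognised key type on this line"
    if index + 1 >= len(tokens):
        return "key type %s is not followed by key data" % tokens[index]
    try:
        inner = blob_key_type(base64.b64decode(tokens[index + 1], validate=True))
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return "key data does not decode: %s" % exc
    if inner != tokens[index]:
        return "line says %s but the key blob says %s" % (tokens[index], inner)
    return None


def check_stdout(stdout_text):
    """Return (usable key count, [(line number, reason, line), ...]) for the output."""
    usable, findings = 0, []
    for number, line in enumerate(stdout_text.splitlines(), start=1):
        reason = check_line(line)
        if reason is not None:
            findings.append((number, reason, line))
        elif line.strip() and not line.strip().startswith("#"):
            usable += 1
    return usable, findings


def audit_command(argv, timeout=10):
    """Run a key command and report exit status, stderr and stdout findings apart."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True, timeout=timeout)
    usable, findings = check_stdout(proc.stdout)
    return {"exit_status": proc.returncode,
            "stderr_lines": proc.stderr.splitlines(),
            "usable_keys": usable,
            "findings": findings}


def constructed_key_line(key_type="ssh-ed25519", comment="constructed-example-key"):
    """Build a syntactically valid key line (all-zero key material, not a real key)."""
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode("ascii"), comment)


# Constructed sample modelled on the thread: a warning line mixed into the output,
# one well-formed key line, and one line whose key type token reads "ssh-rss",
# the token shown in the pasted output.
SAMPLE_STDOUT = "\n".join([
    "InsecureRequestWarning: Unverified HTTPS request is being made.",
    constructed_key_line(),
    constructed_key_line().replace("ssh-ed25519", "ssh-rss", 1),
]) + "\n"

if __name__ == "__main__":
    usable, findings = check_stdout(SAMPLE_STDOUT)
    print("usable key lines:", usable)
    for number, reason, line in findings:
        print("line %d: %s: %r" % (number, reason, line[:60]))
```

Running `audit_command` as the AuthorizedKeysCommandUser against the real command shows whether the exit status, the stderr stream or a stdout line is what differs from an interactive run.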

Also, here is some of the information from the audit of the PrivacyIdea SSH
Server. This was after trying to connect to the client machine with my
device:

'internal admin','admin','None','1','','OK','184','','None','POST /auth','OK','','None','','2015-12-29T04:00:18','None','None'
'host: satellite110, application: ssh','admin','None','1','','OK','185','','None','GET /machine/authitem/','OK','None','None','','2015-12-29T04:00:18','None','None'
'internal admin','admin','None','1','','OK','186','','None','POST /auth','OK','','None','','2015-12-29T14:35:17','None','None'
'host: satellite110, application: ssh','admin','None','1','','OK','187','','None','GET /machine/authitem/','OK','None','None','','2015-12-29T14:35:17','None','None'
'internal admin','admin','None','1','','OK','188','','None','POST /auth','OK','','None','','2015-12-29T14:43:54','None','None'
'realm: ['*']','admin','None','1','','OK','189','','None','GET /token/','OK','None','None','','2015-12-29T14:43:55','None','
'','admin','None','1','','OK','190','','None','GET /realm/','OK','None','None','','2015-12-29T14:43:55','None','None'
'','admin','None','1','','OK','191','','None','GET /audit/','OK','None','None','','2015-12-29T14:43:57','None','

'','admin','None','1','','FAIL','192','','None','GET /audit/','OK','None','None','','2015-12-29T14:44:19','None','None'

I changed the IP addresses to , otherwise everything is the same. Not
sure if this helps at all.

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:42:06 PM UTC-7, arthur.s...@gmail.com wrote:

Cornelius,

I tried with the --nosslcheck parameter at the command line, it gave the
same output results:

[root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
Advanced Usage - urllib3 2.1.0 documentation

InsecureRequestWarning)

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
Advanced Usage - urllib3 2.1.0 documentation

InsecureRequestWarning)

ssh-rss AAAAB3NzaC1yc2EAAAAB…XC6XT9k= iphone-rsa-key-20151225

I am thinking of wiping and reinstalling the client server, maybe I
installed incorrectly, or possibly disabling the warning message entirely.
Any thoughts or suggestions on this?

Thanks again for everything.

Arthur

On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:

Hm, maybe the nosslcheck parameter in the config file is broken

You can run at the commandline:

privacyidea-authorizedkeys --nosslcheck root

This should suppress the error message.
Just drop me a note, if it does.

Kind regards
Cornelius

On Tuesday, 29.12.2015, at 11:21 -0800, arthur.s...@gmail.com wrote:

Hi Cornelius,

That makes sense about the log file.

Just to clarify, for the nosslcheck = true option, is that added to
the client’s config file (/etc/privacyidea/authorizedkeyscommand), or
to the SSH server, or both?

I will work towards getting a certificate in place. I have actually
had nosslcheck = true part of my client’s config file from before I
posted here, and it has always given that error message on the output.
Would I need to disable the SSL warning instead, or should the
nosslcheck prevent the warning from appearing?

Here is my complete config file from the client
(/etc/privacyidea/authorizedkeyscommand):

[Default]

url=https://

admin=****

password=****

nosslcheck = True

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
Hi Arthur,

    the privacyidea.log only exists on the privacyidea server! 
    
    But the output of the command 
    
     privacyidea-authorizedkeys root 
    
    
    help. This command must only output the public ssh keys. 
    The urllib warning will confuse the SSH server. So we need to avoid
    these. 
    Either get a trusted SSL certificate to install on your privacyIDEA
    server (recommended solution to avoid MitM attacks) 
    
    For now, you can add --nosslcheck as parameter or add 
    
            nosslcheck = True 
    
    to your config file. 
    
    Kind regards 
    Cornelius 
    
    On Monday, 28.12.2015, at 21:43 -0800, arthur.s...@gmail.com wrote: 
    > Hi Cornelius, 
    > 
    > Here is the output from the 'privacyidea-authorizedkeys root' command: 
    > 
    > [root@satellite110 ~]# privacyidea-authorizedkeys root 
    > 
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
    > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
    > certificate verification is strongly advised. See:
    > Advanced Usage - urllib3 2.1.0 documentation
    >   InsecureRequestWarning) 
    > 
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
    > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
    > certificate verification is strongly advised. See:
    > Advanced Usage - urllib3 2.1.0 documentation
    >   InsecureRequestWarning) 
    > 
    > ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225 
    > 
    > I figured the HTTPS error wasn't an issue and that it should still
    > work from what I read at the security.html it recommends reading, but
    > I may have read it wrong. 
    > 
    > 
    > Here is the log file from the SSH server: 
    > 
    > [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal' 
    > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0' 
    > [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal' 
    > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0' 
    > [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    > 
    > 
    > Unfortunately I still don't have /var/log/privacyidea/privacyidea.log
    > file on the client machine that I am trying to SSH into. I did add a
    > file there manually hoping it would maybe use it after running the
    > 'privacyidea-authorizedkeys root' command, but the file is empty. 
    > 
    > I also edited the client's config file located 
    > in /etc/privacyidea/authorizedkeys and added these lines: 
    > 
    > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log" 
    > PI_LOGLEVEL = 10 
    > 
    > I also added those same lines to /usr/bin/privacyidea-authorizedkeys
    > and changed DEBUG to true: 
    > 
    > VERSION = '2.4' 
    > DEBUG = True 
    > DESCRIPTION = __doc__ 
    > DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand" 
    > PI_LOGLEVEL = 10 
    > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log" 
    > 
    > Even with all the I'm still not seeing a log file anywhere on the
    > client machine. I must be doing something wrong if it isn't generating
    > one for us. 
    > 
    > I hope I am not tiring you, I apologize for my ignorance with this.
    > The missing log file is perplexing me. Thank you so much for your time
    > and help with this. 
    > 
    > 
    > Thanks, 
    > 
    > 
    > Arthur 
    > 
    > 
    > On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote: 
    >         Hi Arthur, 
    >         
    >         you do not need the privacyidea server software on the client
    >         (which in this case is your SSH server). 
    >         
    >         On the client side you only need privacyidea-authorizedkeys. 
    >         This script is located in the module privacyideaadm. 
    >         
    >         You only need one config file: 
    >         https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35
    >         
    >         This should do it. 
    >         
    >         As you can run the command from the command line successfully,
    >         it seems fine. 
    >         
    >         Can you please send the very detailed output/stdout of the
    >         command 
    >         
    >                 privacyidea-authorizedkeys root 
    >         
    >         (I want to make sure that there is no other disturbing output) 
    >         
    >         and send the /var/log/privacyidea/privacyidea.log file from
    >         the event, when trying to ssh into the ssh server? 
    >         
    >         Thanks a lot 
    >         Cornelius 
    >         
    >         
    >         Am Sonntag, den 27.12.2015, 09:30 -0800 schrieb 
    >         arthur.s...@gmail.com: 
    >         > Hi Cornelius, 
    >         > 
    >         > 
    >         > I have the log and config file on the PrivacyIdea 
    SSH 
    >         server, but on 
    >         > the client that I am trying to SSH into (the one 
    giving the 
    >         status 5 
    >         > error), I don't have either file. 
    >         > 
    >         > 
    >         > On the client I ran this command to install the 
    PrivacyIdea 
    >         admin 
    >         > client: 
    >         > 
    >         > 
    >         > pip install privacyideaadm 
    >         > 
    >         > 
    >         > 
    >         > I used this guide when I installed that: 
    >         > 
    >         > 
    >         > 
    > 

SSH Key Management with privacyIDEA

    >         > 
    >         > 
    >         > 
    >         > Do I need to install the full PrivacyIdea software 
    on the 
    >         client as 
    >         > well, or can I just define the config file 
    according to the 
    >         > documentation with the admin client? Or is the 
    config file 
    >         for the 
    >         > admin client located somewhere I'm not looking? 
    I've looked 
    >         in the 
    >         > three places the documentation stated that you 
    linked. 
    >         > 
    >         > 
    >         > Thank you so much for all your help, I really 
    appreciate 
    >         it. 
    >         > 
    >         > 
    >         > Thanks, 
    >         > 
    >         > 
    >         > Arthur 
    >         > 
    >         > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7,  Cornelius  Kölbel  wrote: 
    >         >         Hallo Arthur, 
    >         >         
    >         >         can you please take a look into the 
    privacyidea.log, 
    >         which is 
    >         >         usually 
    >         >         located at /var/log/privacyidea/. 
    >         >         
    >         >         In the moment of authentication, when sshd 
    calls 
    >         >         "privacyidea-authorizedkeys", this might 
    give us a 
    >         clue, what 
    >         >         happens in 
    >         >         this moment. 
    >         >         If needed please increase the log level 
    >         > 
    > 

2.6. Debugging and Logging — privacyIDEA 3.8 documentation

    >         >         
    >         >         Kind regards 
    >         >         Cornelius 
    >         >         
    >         >         Am Samstag, den 26.12.2015, 09:22 -0800  schrieb 
    >         >         arthur.s...@gmail.com: 
    >         >         > Hi Cornelius, 
    >         >         > 
    >         >         > 
    >         >         > Thanks for the quick reply! 
    >         >         > 
    >         >         > 
    >         >         > Here is a snippet of my sshd_config file 
    in 
    >         regards to 
    >         >         authorizedkeys. 
    >         >         > 
    >         >         > 
    >         >         > # The default is to check 
    >         both .ssh/authorized_keys 
    >         >         > and .ssh/authorized_keys2 
    >         >         > 
    >         >         > # but this is overridden so 
    installations will 
    >         only 
    >         >         > check .ssh/authorized_keys 
    >         >         > 
    >         >         > AuthorizedKeysFile .ssh/authorized_keys 
    >         >         > 
    >         >         > 
    >         >         > #AuthorizedPrincipalsFile none 
    >         >         > 
    >         >         > 
    >         >         > 
    > 
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         > 
    >         >         > AuthorizedKeysCommandUser root 
    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > I am running the command as root, both 
    when 
    >         manually 
    >         >         checking and when 
    >         >         > connecting. The user that the token is 
    attached to 
    >         on the 
    >         >         PrivacyIdea 
    >         >         > server side is also root. 
    >         >         > 
    >         >         > 
    >         >         > Thanks! 
    >         >         > 
    >         >         > 
    >         >         > Arthur 
    >         >         > 
    >         >         > On Saturday, December 26, 2015 at  10:14:39 AM  UTC-7,  Cornelius Kölbel  wrote: 
    >         >         >         Hello Arthur, 
    >         >         >         
    >         >         >         are you running the command as 
    the same 
    >         user? 
    >         >         >         
    >         >         >         I.e. when running manually you 
    are running 
    >         as user 
    >         >         "root" I 
    >         >         >         suppose. 
    >         >         >         The command needs access to the 
    >         configuration file. 
    >         >         So if the 
    >         >         >         authorizedKeysCommand is run as 
    another 
    >         user, you 
    >         >         might fail. 
    >         >         >         
    >         >         >         How does your sshd_config look 
    like in 
    >         regards to 
    >         >         >         authorizedkeys? 
    >         >         >         
    >         >         >         Kind regards 
    >         >         >         Cornelius 

Hi Arthur,

oh, now I understand.
This is a warning from the urllib3 library, that an https request is
performed without verifying the certificate.

Too bad. Hm, we know that we are doing nasty stuff. All this software
that tries to educate us…

Try to run it this way:

PYTHONWARNINGS="ignore:Unverified HTTPS request" \
privacyidea-authorizedkeys root

Kind regards
Cornelius

On Tuesday, 29.12.2015, at 11:42 -0800, arthur.schoenfeld@gmail.com wrote:

Cornelius,

I tried with the --nosslcheck parameter at the command line, it gave
the same output results:

[root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html

InsecureRequestWarning)

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html

InsecureRequestWarning)

ssh-rss AAAAB3NzaC1yc2EAAAAB…XC6XT9k= iphone-rsa-key-20151225

I am thinking of wiping and reinstalling the client server, maybe I
installed incorrectly, or possibly disabling the warning message
entirely. Any thoughts or suggestions on this?

Thanks again for everything.

Arthur

On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:
Hm, maybe the nosslcheck parameter in the config file is broken

    You can run at the commandline: 
    
    privacyidea-authorizedkeys --nosslcheck root 
    
    This should suppress the error message. 
    Just drop me a note, if it does. 
    
    Kind regards 
    Cornelius 
    
    On Tuesday, 29.12.2015, at 11:21 -0800, arthur.s...@gmail.com wrote:
    > Hi Cornelius,
    > 
    > That makes sense about the log file.
    > 
    > Just to clarify, for the nosslcheck = true option, is that added to
    > the client's config file (/etc/privacyidea/authorizedkeyscommand), or
    > to the SSH server, or both?
    > 
    > I will work towards getting a certificate in place. I have actually
    > had nosslcheck = true part of my client's config file from before I
    > posted here, and it has always given that error message on the output.
    > Would I need to disable the SSL warning instead, or should the
    > nosslcheck prevent the warning from appearing?
    > 
    > Here is my complete config file from the client
    > (/etc/privacyidea/authorizedkeyscommand):
    > 
    > [Default]
    > url=https://<IP>
    > admin=****
    > password=****
    > nosslcheck = True
    > 
    > Thanks,
    > 
    > Arthur
    > 
    > 
    > On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
    >         Hi Arthur,
    >         
    >         the privacyidea.log only exists on the privacyidea server!
    >         
    >         But the output of the command
    >         
    >          privacyidea-authorizedkeys root
    >         
    >         helps. This command must only output the public ssh keys.
    >         The urllib warning will confuse the SSH server. So we need to avoid
    >         these.
    >         Either get a trusted SSL certificate to install on your privacyIDEA
    >         server (recommended solution to avoid MitM attacks)
    >         
    >         For now, you can add --nosslcheck as parameter or add
    >         
    >                 nosslcheck = True
    >         
    >         to your config file.
    >         
    >         Kind regards
    >         Cornelius
    >         
    >         On Monday, 28.12.2015, at 21:43 -0800, arthur.s...@gmail.com wrote:
    >         > Hi Cornelius,
    >         > 
    >         > Here is the output from the 'privacyidea-authorizedkeys root' command:
    >         > 
    >         > [root@satellite110 ~]# privacyidea-authorizedkeys root
    >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >         >   InsecureRequestWarning)
    >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >         >   InsecureRequestWarning)
    >         > ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    >         > 
    >         > I figured the HTTPS error wasn't an issue and that it should still
    >         > work from what I read at the security.html it recommends reading, but
    >         > I may have read it wrong.
    >         > 
    >         > Here is the log file from the SSH server:
    >         > 
    >         > [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    >         > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    >         > [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    >         > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    >         > [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         > 
    >         > Unfortunately I still don't have /var/log/privacyidea/privacyidea.log
    >         > file on the client machine that I am trying to SSH into. I did add a
    >         > file there manually hoping it would maybe use it after running the
    >         > 'privacyidea-authorizedkeys root' command, but the file is empty.
    >         > 
    >         > I also edited the client's config file located
    >         > in /etc/privacyidea/authorizedkeys and added these lines:
    >         > 
    >         > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    >         > PI_LOGLEVEL = 10
    >         > 
    >         > I also added those same lines to /usr/bin/privacyidea-authorizedkeys
    >         > and changed DEBUG to true:
    >         > 
    >         > VERSION = '2.4'
    >         > DEBUG = True
    >         > DESCRIPTION = __doc__
    >         > DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
    >         > PI_LOGLEVEL = 10
    >         > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    >         > 
    >         > Even with all that, I'm still not seeing a log file anywhere on the
    >         > client machine. I must be doing something wrong if it isn't generating
    >         > one for us.
    >         > 
    >         > I hope I am not tiring you, I apologize for my ignorance with this.
    >         > The missing log file is perplexing me. Thank you so much for your time
    >         > and help with this.
    >         > 
    >         > Thanks,
    >         > 
    >         > Arthur
    >         > 
    >         > 
    >         > On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:
    >         >         Hi Arthur,
    >         >         
    >         >         you do not need the privacyidea server software on the client
    >         >         (which in this case is your SSH server).
    >         >         
    >         >         On the client side you only need privacyidea-authorizedkeys.
    >         >         This script is located in the module privacyideaadm.
    >         >         
    >         >         You only need one config file:
    >         >         https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35
    >         >         
    >         >         This should do it.
    >         >         
    >         >         As you can run the command from the command line successfully,
    >         >         it seems fine.
    >         >         
    >         >         Can you please send the very detailed output/stdout of the
    >         >         command
    >         >         
    >         >                 privacyidea-authorizedkeys root
    >         >         
    >         >         (I want to make sure, that there is no other disturbing output)
    >         >         
    >         >         and send the /var/log/privacyidea/privacyidea.log file from
    >         >         the event, when trying to ssh into the ssh server?
    >         >         
    >         >         Thanks a lot
    >         >         Cornelius
    >         >         
    >         >         
    >         >         On Sunday, 27.12.2015, at 09:30 -0800, arthur.s...@gmail.com wrote:
    >         >         > Hi Cornelius,
    >         >         > 
    >         >         > I have the log and config file on the PrivacyIdea SSH server, but on
    >         >         > the client that I am trying to SSH into (the one giving the status 5
    >         >         > error), I don't have either file.
    >         >         > 
    >         >         > On the client I ran this command to install the PrivacyIdea admin
    >         >         > client:
    >         >         > 
    >         >         > pip install privacyideaadm
    >         >         > 
    >         >         > I used this guide when I installed that:
    >         >         > 
    >         >         > https://www.howtoforge.com/tutorial/ssh-key-management-with-privacyidea/
    >         >         > 
    >         >         > Do I need to install the full PrivacyIdea software on the client as
    >         >         > well, or can I just define the config file according to the
    >         >         > documentation with the admin client? Or is the config file for the
    >         >         > admin client located somewhere I'm not looking? I've looked in the
    >         >         > three places the documentation stated that you linked.
    >         >         > 
    >         >         > Thank you so much for all your help, I really appreciate it.
    >         >         > 
    >         >         > Thanks,
    >         >         > 
    >         >         > Arthur
    >         >         > 
    >         >         > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:
    >         >         >         Hello Arthur,
    >         >         >         
    >         >         >         can you please take a look into the privacyidea.log, which is
    >         >         >         usually located at /var/log/privacyidea/.
    >         >         >         
    >         >         >         In the moment of authentication, when sshd calls
    >         >         >         "privacyidea-authorizedkeys", this might give us a clue, what
    >         >         >         happens in this moment.
    >         >         >         If needed please increase the log level
    >         >         >         http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
    >         >         >         
    >         >         >         Kind regards
    >         >         >         Cornelius
    >         >         >         >         
    >         >         >         >         
    >         >         >         > -- 
    >         >         >         > You received this message
    because you 
    >         are 
    >         >         subscribed to the 
    >         >         >         Google 
    >         >         >         > Groups "privacyidea" group. 
    >         >         >         > To unsubscribe from this group
    and stop 
    >         receiving 
    >         >         emails 
    >         >         >         from it, send 
    >         >         >         > an email to 
    >         privacyidea...@googlegroups.com. 
    >         >         >         > To post to this group, send
    email to 
    >         >         >         priva...@googlegroups.com. 
    >         >         >         > To view this discussion on the
    web 
    >         visit 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/d84c69c4-7609-4fcc-a19f-a8614d6093d2%40googlegroups.com. 
    >         >         >         > For more options, visit 
    >         >         https://groups.google.com/d/optout. 
    >         >         >         
    >         >         >         -- 
    >         >         >         Cornelius Kölbel 
    >         >         >         corneliu...@netknights.it 
    >         >         >         +49 151 2960 1417 
    >         >         >         
    >         >         >         NetKnights GmbH 
    >         >         >         http://www.netknights.it 
    >         >         >         Landgraf-Karl-Str. 19, 34131
    Kassel, 
    >         Germany 
    >         >         >         Tel: +49 561 3166797, Fax: +49
    561 
    >         3166798 
    >         >         >         
    >         >         >         Amtsgericht Kassel, HRB 16405 
    >         >         >         Geschäftsführer: Cornelius
    Kölbel 
    >         >         >         
    >         >         >         
    >         >         > -- 
    >         >         > You received this message because you
    are 
    >         subscribed to the 
    >         >         Google 
    >         >         > Groups "privacyidea" group. 
    >         >         > To unsubscribe from this group and stop
    receiving 
    >         emails 
    >         >         from it, send 
    >         >         > an email to
    privacyidea...@googlegroups.com. 
    >         >         > To post to this group, send email to 
    >         >         priva...@googlegroups.com. 
    >         >         > To view this discussion on the web
    visit 
    >         >         > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/70d9e885-5ba9-4718-886d-eebe71587085%40googlegroups.com. 
    >         >         > For more options, visit 
    >         https://groups.google.com/d/optout. 
    >         >         
    >         >         -- 
    >         >         Cornelius Kölbel 
    >         >         corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://www.netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         > -- 
    >         > You received this message because you are
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > To view this discussion on the web visit 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/731b0af5-1bde-45b4-b777-69400c7517f8%40googlegroups.com. 
    >         > For more options, visit
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/5ed90dcf-d0ee-455a-bc2d-f957e4bb9d4e%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/139a1275-3742-49cf-880c-a24b1b1f69a5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Cornelius,

Here is the output from the ‘privacyidea-authorizedkeys root’ command:

    [root@satellite110 ~]# privacyidea-authorizedkeys root
    /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See:
      InsecureRequestWarning)
    /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See:
      InsecureRequestWarning)
    ssh-rss AAAAB3NzaC1yc2EAAAABJQAA…3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225

I figured the HTTPS error wasn’t an issue and that it should still work
from what I read at the security.html it recommends reading, but I may have
read it wrong.

Here is the log file from the SSH server:

    [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'

Unfortunately I still don’t have /var/log/privacyidea/privacyidea.log file
on the client machine that I am trying to SSH into. I did add a file there
manually hoping it would maybe use it after running the
‘privacyidea-authorizedkeys root’ command, but the file is empty.

I also edited the client’s config file located in
/etc/privacyidea/authorizedkeys and added these lines:

    PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    PI_LOGLEVEL = 10

I also added those same lines to /usr/bin/privacyidea-authorizedkeys and
changed DEBUG to true:

    VERSION = '2.4'
    DEBUG = True
    DESCRIPTION = __doc__
    DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
    PI_LOGLEVEL = 10
    PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"

Even with all that I’m still not seeing a log file anywhere on the client
machine. I must be doing something wrong if it isn’t generating one for us.

I hope I am not tiring you, I apologize for my ignorance with this. The
missing log file is perplexing me. Thank you so much for your time and help
with this.

Thanks,

Arthur

On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:

Hi Arthur,

you do not need the privacyidea server software on the client (which in
this case is your SSH server).

On the client side you only need privacyidea-authorizedkeys.
This script is located in the module privacyideaadm.

You only need one config file:

https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35

This should do it.

As you can run the command from the command line successfully, it seems
fine.

Can you please send the very detailed output/stdout of the command

    privacyidea-authorizedkeys root 

(I want to make sure, that there is no other disturbing output)

and send the /var/log/privacyidea/privacyidea.log file from the event,
when trying to ssh into the ssh server?

Thanks a lot
Cornelius

On Sunday, 27.12.2015, 09:30 -0800, arthur.s...@gmail.com wrote:

Hi Cornelius,

I have the log and config file on the PrivacyIdea SSH server, but on
the client that I am trying to SSH into (the one giving the status 5
error), I don’t have either file.

On the client I ran this command to install the PrivacyIdea admin
client:

pip install privacyideaadm

I used this guide when I installed that:

SSH Key Management with privacyIDEA

Do I need to install the full PrivacyIdea software on the client as
well, or can I just define the config file according to the
documentation with the admin client? Or is the config file for the
admin client located somewhere I’m not looking? I’ve looked in the
three places the documentation stated that you linked.

Thank you so much for all your help, I really appreciate it.

Thanks,

Arthur

On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:

    Hello Arthur,

    can you please take a look into the privacyidea.log, which is usually
    located at /var/log/privacyidea/.

    In the moment of authentication, when sshd calls
    "privacyidea-authorizedkeys", this might give us a clue, what happens in
    this moment.
    If needed please increase the log level

    2.6. Debugging and Logging — privacyIDEA 3.8 documentation

    Kind regards
    Cornelius

    On Saturday, 26.12.2015, 09:22 -0800, arthur.s...@gmail.com wrote:
    > Hi Cornelius,
    >
    > Thanks for the quick reply!
    >
    > Here is a snippet of my sshd_config file in regards to authorizedkeys.
    >
    > # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    > # but this is overridden so installations will only check .ssh/authorized_keys
    > AuthorizedKeysFile .ssh/authorized_keys
    >
    > #AuthorizedPrincipalsFile none
    >
    > AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
    > AuthorizedKeysCommandUser root
    >
    > I am running the command as root, both when manually checking and when
    > connecting. The user that the token is attached to on the PrivacyIdea
    > server side is also root.
    >
    > Thanks!
    >
    > Arthur
    >
    > On Saturday, December 26, 2015 at 10:14:39 AM UTC-7, Cornelius Kölbel wrote:
    >         Hello Arthur,
    >
    >         are you running the command as the same user?
    >
    >         I.e. when running manually you are running as user "root" I suppose.
    >         The command needs access to the configuration file. So if the
    >         authorizedKeysCommand is run as another user, you might fail.
    >
    >         How does your sshd_config look like in regards to authorizedkeys?
    >
    >         Kind regards
    >         Cornelius
    >         
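
The post above pastes what `privacyidea-authorizedkeys root` printed at a terminal, which shows stdout and stderr together. As an added example (not part of the thread, and not privacyIDEA or OpenSSH code), this Python sketch checks a key helper's stdout line by line against the plain `type base64 [comment]` form and reports exit status and stderr separately; the blob, the sample lines and the `demo_run` stand-in are constructed for illustration.

```python
import base64
import binascii
import struct
import subprocess
import sys

# Plain public-key types OpenSSH accepts as the first field of a key line
# (subset; certificate and security-key types are left out of this sketch).
KNOWN_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data):
    """Encode bytes as an SSH wire string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(b64):
    """Return the algorithm name embedded at the start of a key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    (length,) = struct.unpack(">I", raw[:4])
    if length == 0 or 4 + length > len(raw):
        return None
    return raw[4:4 + length].decode("ascii", "replace")


def check_line(line):
    """Return None for a plain 'type base64 [comment]' line, else a reason."""
    # Assumption: lines that begin with authorized_keys options are not handled.
    fields = line.split()
    if len(fields) < 2:
        return "not a key line"
    label, embedded = fields[0], blob_key_type(fields[1])
    if embedded is None:
        return "not a key line"
    if label not in KNOWN_TYPES:
        return "unknown key type %r (blob says %r)" % (label, embedded)
    if label != embedded:
        return "label %r does not match blob type %r" % (label, embedded)
    return None


def check_output(text):
    """Return (number_of_valid_keys, [(line_number, reason), ...]) for stdout."""
    keys, problems = 0, []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are ignored in key files
        reason = check_line(stripped)
        if reason is None:
            keys += 1
        else:
            problems.append((number, reason))
    return keys, problems


def run_helper(argv, timeout=10):
    """Run a key helper; return (exit_status, check_output(stdout), stderr)."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          text=True, timeout=timeout)
    return proc.returncode, check_output(proc.stdout), proc.stderr


# Constructed blob with toy numbers: parses as ssh-rsa, not a usable key.
BLOB = base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_string(b"\x25") + ssh_string(b"\x00" + b"\xc3" * 32)
).decode("ascii")

# Constructed stdout: warning text mixed into the stream, a key line whose
# label is not an OpenSSH key type, and one well-formed key line.
SAMPLE_STDOUT = "\n".join([
    "connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request",
    "  InsecureRequestWarning)",
    "ssh-rss " + BLOB + " constructed-key-1",
    "ssh-rsa " + BLOB + " constructed-key-2",
])


def demo_run():
    """Helper stand-in: valid key on stdout, warning on stderr, exit status 5."""
    child = ("import sys; sys.stderr.write('constructed warning\\n'); "
             "print('ssh-rsa " + BLOB + " constructed'); sys.exit(5)")
    return run_helper([sys.executable, "-c", child])


if __name__ == "__main__":
    print(check_output(SAMPLE_STDOUT))
    print(demo_run())
```
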

Cornelius,

I ran it as you said, and the error messages are gone, and only the key was
returned.

    [root@satellite110 ~]# PYTHONWARNINGS="ignore:Unverified HTTPS request" \
    privacyidea-authorizedkeys root
    ssh-rss AAAAB3Nz…gq3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    [root@satellite110 ~]#

I have a surface level knowledge of this and am trying to learn and
understand, but I’m not sure if I should disable that or just learn how to
implement a certificate on the server. If a cert is the right way to go I
can do that. If the status 5 error I was originally getting was just
due to the client passing the SSH server the key, plus the junk from the
warnings, that would make sense why it rejects the key, since it’s not the
key, it’s the key + warning message garbage - I hope I understand that
properly, if not let me know.

Is there a way to permanently disable this or get it working for now
without the SSL?

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:47:45 PM UTC-7, Cornelius Kölbel wrote:

Hi Arthur,

oh, now I understand.
This is a warning from the urllib3 library, that an https request is
performed without verifying the certificate.

Too bad. Hm, we know that we are doing nasty stuff. All this software
that tries to educate us…

Try to run it this way:

    PYTHONWARNINGS="ignore:Unverified HTTPS request" \
    privacyidea-authorizedkeys root

Kind regards
Cornelius

On Tuesday, 29.12.2015, 11:42 -0800, arthur.s...@gmail.com wrote:

Cornelius,

I tried with the --nosslcheck parameter at the command line, it gave
the same output results:

    [root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root
    /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
      InsecureRequestWarning)
    /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
      InsecureRequestWarning)
    ssh-rss AAAAB3NzaC1yc2EAAAAB…XC6XT9k= iphone-rsa-key-20151225

I am thinking of wiping and reinstalling the client server, maybe I
installed incorrectly, or possibly disabling the warning message
entirely. Any thoughts or suggestions on this?

Thanks again for everything.

Arthur

On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:

    Hm, maybe the nosslcheck parameter in the config file is broken

    You can run at the commandline:

    privacyidea-authorizedkeys --nosslcheck root

    This should suppress the error message.
    Just drop me a note, if it does.

    Kind regards
    Cornelius

    On Tuesday, 29.12.2015, 11:21 -0800, arthur.s...@gmail.com wrote:
    > Hi Cornelius,
    >
    > That makes sense about the log file.
    >
    > Just to clarify, for the nosslcheck = true option, is that added to
    > the client's config file (/etc/privacyidea/authorizedkeyscommand), or
    > to the SSH server, or both?
    >
    > I will work towards getting a certificate in place. I have actually
    > had nosslcheck = true part of my client's config file from before I
    > posted here, and it has always given that error message on the output.
    > Would I need to disable the SSL warning instead, or should the
    > nosslcheck prevent the warning from appearing?
    >
    > Here is my complete config file from the client
    > (/etc/privacyidea/authorizedkeyscommand):
    >
    > [Default]
    > url=https://<IP>
    > admin=****
    > password=****
    > nosslcheck = True
    >
    > Thanks,
    >
    > Arthur
    >
    > On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
    >         Hi Arthur,
    >
    >         the privacyidea.log only exists on the privacyidea server!
    >
    >         But the output of the command
    >
    >          privacyidea-authorizedkeys root
    >
    >         helps. This command must only output the public ssh keys.
    >         The urllib warning will confuse the SSH server. So we need to avoid
    >         these.
    >         Either get a trusted SSL certificate to install on your privacyIDEA
    >         server (recommended solution to avoid MitM attacks)
    >
    >         For now, you can add --nosslcheck as parameter or add
    >
    >                 nosslcheck = True
    >
    >         to your config file.
    >
    >         Kind regards
    >         Cornelius
    >         
    >         >         
    >         >         Can you please send the very detailed 
    output/stdout 
    >         of the 
    >         >         command 
    >         >         
    >         >                 privacyidea-authorizedkeys root 
    >         >         
    >         >         (I want to make sure, that there is no 
    other 
    >         disturbing 
    >         >         output) 
    >         >         
    >         >         and send 
    the /var/log/privacyidea/privacyidea.log 
    >         file from 
    >         >         the event, 
    >         >         when tryping to ssh into the ssh server? 
    >         >         
    >         >         Thanks a lot 
    >         >         Cornelius 
    >         >         
    >         >         
    >         >         Am Sonntag, den 27.12.2015, 09:30 -0800  schrieb 
    >         >         arthur.s...@gmail.com: 
    >         >         > Hi Cornelius, 
    >         >         > 
    >         >         > 
    >         >         > I have the log and config file on the 
    PrivacyIdea 
    >         SSH 
    >         >         server, but on 
    >         >         > the client that I am trying to SSH into 
    (the one 
    >         giving the 
    >         >         status 5 
    >         >         > error), I don't have either file. 
    >         >         > 
    >         >         > 
    >         >         > On the client I ran this command to 
    install the 
    >         PrivacyIdea 
    >         >         admin 
    >         >         > client: 
    >         >         > 
    >         >         > 
    >         >         > pip install privacyideaadm 
    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > I used this guide when I installed 
    that: 
    >         >         > 
    >         >         > 
    >         >         > 
    >         > 
    > 

SSH Key Management with privacyIDEA

    >         >         > 
    >         >         > 
    >         >         > 
    >         >         > Do I need to install the full 
    PrivacyIdea software 
    >         on the 
    >         >         client as 
    >         >         > well, or can I just define the config 
    file 
    >         according to the 
    >         >         > documentation with the admin client? Or 
    is the 
    >         config file 
    >         >         for the 
    >         >         > admin client located somewhere I'm not 
    looking? 
    >         I've looked 
    >         >         in the 
    >         >         > three places the documentation stated 
    that you 
    >         linked. 
    >         >         > 
    >         >         > 
    >         >         > Thank you so much for all your help, I 
    really 
    >         appreciate 
    >         >         it. 
    >         >         > 
    >         >         > 
    >         >         > Thanks, 
    >         >         > 
    >         >         > 
    >         >         > Arthur 
    >         >         > 
    >         >         > On Sunday, December 27, 2015 at 1:16:06  AM UTC-7,  Cornelius  Kölbel  wrote: 
    >         >         >         Hallo Arthur, 
    >         >         >         
    >         >         >         can you please take a look into 
    the 
    >         privacyidea.log, 
    >         >         which is 
    >         >         >         usually 
    >         >         >         located 
    at /var/log/privacyidea/. 
    >         >         >         
    >         >         >         In the moment of authentication, 
    when sshd 
    >         calls 
    >         >         >         "privacyidea-authorizedkeys", 
    this might 
    >         give us a 
    >         >         clue, what 
    >         >         >         happens in 
    >         >         >         this moment. 
    >         >         >         If needed please increase the 
    log level 
    >         >         > 
    >         > 
    > 

2.6. Debugging and Logging — privacyIDEA 3.8 documentation

    >         >         >         
    >         >         >         Kind regards 
    >         >         >         Cornelius 
    >         >         >         
    >         >         >         Am Samstag, den 26.12.2015,  09:22 -0800  schrieb 
    >         >         >         arthur.s...@gmail.com: 
    >         >         >         > Hi Cornelius, 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Thanks for the quick reply! 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Here is a snippet of my 
    sshd_config file 
    >         in 
    >         >         regards to 
    >         >         >         authorizedkeys. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > # The default is to check 
    >         >         both .ssh/authorized_keys 
    >         >         >         > and .ssh/authorized_keys2 
    >         >         >         > 
    >         >         >         > # but this is overridden so 
    >         installations will 
    >         >         only 
    >         >         >         > check .ssh/authorized_keys 
    >         >         >         > 
    >         >         >         > 
    AuthorizedKeysFile .ssh/authorized_keys 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > #AuthorizedPrincipalsFile 
    none 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > 
    >         > 
    > 
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         >         > 
    >         >         >         > AuthorizedKeysCommandUser 
    root 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I am running the command as 
    root, both 
    >         when 
    >         >         manually 
    >         >         >         checking and when 
    >         >         >         > connecting. The user that the 
    token is 
    >         attached to 
    >         >         on the 
    >         >         >         PrivacyIdea 
    >         >         >         > server side is also root. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Thanks! 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Arthur 
    >         >         >         > 
    >         >         >         > On Saturday, December 26, 2015  at  10:14:39 AM  UTC-7,  Cornelius Kölbel  wrote: 
    >         >         >         >         Hello Arthur, 
    >         >         >         >         
    >         >         >         >         are you running the 
    command as 
    >         the same 
    >         >         user? 
    >         >         >         >         
    >         >         >         >         I.e. when running 
    manually you 
    >         are running 
    >         >         as user 
    >         >         >         "root" I 
    >         >         >         >         suppose. 
    >         >         >         >         The command needs 
    access to the 
    >         >         configuration file. 
    >         >         >         So if the 
    >         >         >         >         authorizedKeysCommand 
    is run as 
    >         another 
    >         >         user, you 
    >         >         >         might fail. 
    >         >         >         >         
    >         >         >         >         How does your 
    sshd_config look 
    >         like in 
    >         >         regards to 
    >         >         >         >         authorizedkeys? 
    >         >         >         >         
    >         >         >         >         Kind regards 
    >         >         >         >         Cornelius 
    >         >         >         >         
    >         >         >         >         Am Samstag, den  26.12.2015,  08:03 -0800  schrieb 
    >         >         >         > 
    arthur.s...@gmail.com: 
    >         >         >         >         > Hello! 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > I am running into an 
    issue 
    >         trying to 
    >         >         setup 
    >         >         >         PrivacyIdea for 
    >         >         >         >         our system. 
    >         >         >         >         > I am hoping to use 
    this to 
    >         distribute 
    >         >         SSH keys to 
    >         >         >         our 
    >         >         >         >         servers from the 
    >         >         >         >         > one main PrivacyIdea 
    server 
    >         for each of 
    >         >         our agents 
    >         >         >         that log 
    >         >         >         >         into 
    >         >         >         >         > different servers. 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > So far I have 
    installed the 
    >         Apache2 
    >         >         package on 
    >         >         >         Ubuntu 14.04, 
    >         >         >         >         added a 
    >         >         >         >         > realm and a token, 
    and 
    >         attached that 
    >         >         token to a 
    >         >         >         specific 
    >         >         >         >         machine. The 
    >         >         >         >         > server is currently 
    pointed 
    >         >         to /etc/passwd for the 
    >         >         >         users 
    >         >         >         >         list. I also 
    >         >         >         >         > have a machine 
    resolver 
    >         pointed 
    >         >         >         to /etc/mysshhosts. 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > I have installed the 
    admin 
    >         client on the 
    >         >         server I 
    >         >         >         am wanting 
    >         >         >         >         to SSH 
    >         >         >         >         > into. I have added 
    the 
    >         [default] file 
    >         >         >         >         > 
    >         to /etc/privacyidea/authorizedkeys. I 
    >         >         have also 
    >         >         >         edited the 
    >         >         >         >         ssh_config 
    >         >         >         >         > file to add in the 
    >         authorizedkeyscommand 
    >         >         file and 
    >         >         >         user. 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > From the client 
    system when 
    >         running 
    >         >         >         > 
    "privacyidea-authorizedkeys 
    >         root", 
    >         >         >         >         > it successfully 
    returns the 
    >         correct SSH 
    >         >         key from 
    >         >         >         the main 
    >         >         >         >         server. 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > When I try to login 
    from the 
    >         device with 
    >         >         said SSH 
    >         >         >         key, it 
    >         >         >         >         says the 
    >         >         >         >         > server refused the 
    key and 
    >         prompts for 
    >         >         the 
    >         >         >         password. When 
    >         >         >         >         running SSHD 
    >         >         >         >         > in debug mode, I am 
    getting 
    >         this error: 
    >         >         "error: 
    >         >         >         >         > 
    >         >         > 
    >         > 
    > 
    AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys 
    >         >         >         >         root failed, 
    >         >         >         >         > status 5" 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > I have tried to find 
    what this 
    >         error 
    >         >         status 5 
    >         >         >         means but 
    >         >         >         >         cannot find 
    >         >         >         >         > any information. I 
    can provide 
    >         more 
    >         >         information if 
    >         >         >         needed. I 
    >         >         >         >         have used 
    >         >         >         >         > various guides from 
    >         howtoforge, and 
    >         >         information 
    >         >         >         from the 
    >         >         >         >         PrivacyIdea 
    >         >         >         >         > documentation, as 
    well as this 
    >         group, to 
    >         >         install 
    >         >         >         and 
    >         >         >         >         configure the 
    >         >         >         >         > software. There very 
    well may 
    >         be 
    >         >         mistakes along 
    >         >         >         the way I 
    >         >         >         >         have made as 
    >         >         >         >         > I am still learning 
    the 
    >         software. 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > Any help and 
    guidance is 
    >         greatly 
    >         >         appreciated. 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > Thanks! 
    >         >         >         >         > 
    >         >         >         >         > 
    >         >         >         >         > Arthur 
    >         >         >         >         > -- 
    >         >         >         >         > You received this 
    message 
    >         because you 
    >         >         are 
    >         >         >         subscribed to the 
    >         >         >         >         Google 
    >         >         >         >         > Groups "privacyidea" 
    group. 
    >         >         >         >         > To unsubscribe from 
    this group 
    >         and stop 
    >         >         receiving 
    >         >         >         emails 
    >         >         >         >         from it, send 
    >         >         >         >         > an email to 
    >         >         privacyidea...@googlegroups.com. 
    >         >         >         >         > To post to this 
    group, send 
    >         email to 
    >         >         >         > 
    priva...@googlegroups.com. 
    >         >         >         >         > To view this 
    discussion on the 
    >         web 
    >         >         visit 
    >         >         >         >         > 
    >         >         >         > 
    >         >         > 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/fa6bde1b-3718-4e8f-bbd4-ee5eb440ed46%40googlegroups.com.

    >         >         >         >         > For more options, 
    visit 
    >         >         > 
    https://groups.google.com/d/optout. 
    >         >         >         >         
    >         >         >         >         -- 
    >         >         >         >         Cornelius Kölbel 
    >         >         >         > 
    corneliu...@netknights.it 
    >         >         >         >         +49 151 2960 1417 
    >         >         >         >         
    >         >         >         >         NetKnights GmbH 
    >         >         >         > 
    http://www.netknights.it 
    >         >         >         >         Landgraf-Karl-Str. 19, 
    34131 
    >         Kassel, 
    >         >         Germany 
    >         >         >         >         Tel: +49 561 3166797, 
    Fax: +49 
    >         561 
    >         >         3166798 
    >         >         >         >         
    >         >         >         >         Amtsgericht Kassel, 
    HRB 16405 
    >         >         >         >         Geschäftsführer: 
    Cornelius 
    >         Kölbel 
    >         >         >         >         
    >         >         >         >         
    >         >         >         > -- 
    >         >         >         > You received this message 
    because you 
    >         are 
    >         >         subscribed to the 
    >         >         >         Google 
    >         >         >         > Groups "privacyidea" group. 
    >         >         >         > To unsubscribe from this group 
    and stop 
    >         receiving 
    >         >         emails 
    >         >         >         from it, send 
    >         >         >         > an email to 
    >         privacyidea...@googlegroups.com. 
    >         >         >         > To post to this group, send 
    email to 
    >         >         >         priva...@googlegroups.com. 
    >         >         >         > To view this discussion on the 
    web 
    >         visit 
    >         >         >         > 
    >         >         > 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/d84c69c4-7609-4fcc-a19f-a8614d6093d2%40googlegroups.com.

    >         >         >         > For more options, visit 
    >         >         https://groups.google.com/d/optout. 
    >         >         >         
    >         >         >         -- 
    >         >         >         Cornelius Kölbel 
    >         >         >         corneliu...@netknights.it 
    >         >         >         +49 151 2960 1417 
    >         >         >         
    >         >         >         NetKnights GmbH 
    >         >         >         http://www.netknights.it 
    >         >         >         Landgraf-Karl-Str. 19, 34131 
    Kassel, 
    >         Germany 
    >         >         >         Tel: +49 561 3166797, Fax: +49 
    561 
    >         3166798 
    >         >         >         
    >         >         >         Amtsgericht Kassel, HRB 16405 
    >         >         >         Geschäftsführer: Cornelius 
    Kölbel 
    >         >         >         
    >         >         >         
    >         >         > -- 
    >         >         > You received this message because you 
    are 
    >         subscribed to the 
    >         >         Google 
    >         >         > Groups "privacyidea" group. 
    >         >         > To unsubscribe from this group and stop 
    receiving 
    >         emails 
    >         >         from it, send 
    >         >         > an email to 
    privacyidea...@googlegroups.com. 
    >         >         > To post to this group, send email to 
    >         >         priva...@googlegroups.com. 
    >         >         > To view this discussion on the web 
    visit 
    >         >         > 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/70d9e885-5ba9-4718-886d-eebe71587085%40googlegroups.com.

    >         >         > For more options, visit 
    >         https://groups.google.com/d/optout. 
    >         >         
    >         >         -- 
    >         >         Cornelius Kölbel 
    >         >         corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://www.netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel, 
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561 
    3166798 
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         > -- 
    >         > You received this message because you are 
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving 
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > To view this discussion on the web visit 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/731b0af5-1bde-45b4-b777-69400c7517f8%40googlegroups.com.

    >         > For more options, visit 
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > You received this message because you are subscribed to the 
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    > 
    https://groups.google.com/d/msgid/privacyidea...

Hi Arthur,

the privacyidea.log only exists on the privacyidea server!

But the output of the command

privacyidea-authorizedkeys root

helps. This command must only output the public ssh keys.
The urllib warning will confuse the SSH server. So we need to avoid
these.
Either get a trusted SSL certificate to install on your privacyIDEA
server (recommended solution to avoid MitM attacks)

For now, you can add --nosslcheck as parameter or add

nosslcheck = True

to your config file.

Kind regards
Cornelius
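
Following the advice in the reply above that the command must output only public SSH keys, this added example (not code from the thread or from privacyIDEA) audits what an AuthorizedKeysCommand produces: exit status, stderr, and whether every stdout line is a well-formed key line. The function names, the accepted key-type set and the sample strings are assumptions constructed for the example; key lines that start with options are not handled.

```python
import base64
import struct
import subprocess

# Key types accepted by this example (an assumption; extend for your sshd).
KNOWN_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def make_blob(key_type, payload=b"\x01" * 32):
    """Build a CONSTRUCTED, structurally valid blob (not a usable key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    return base64.b64encode(field(key_type.encode()) + field(payload)).decode()


def blob_key_type(b64):
    """Return the key type string embedded at the start of a key blob."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob shorter than its length prefix")
    (length,) = struct.unpack(">I", raw[:4])
    if length == 0 or 4 + length > len(raw):
        raise ValueError("length prefix does not fit the blob")
    return raw[4:4 + length].decode("ascii")


def check_line(line):
    """Return None for an acceptable line, otherwise the reason it is not."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split()
    if fields[0] not in KNOWN_TYPES:
        return "does not start with a known key type"
    if len(fields) < 2:
        return "key type without a key blob"
    try:
        embedded = blob_key_type(fields[1])
    except ValueError as exc:  # also covers base64 and ASCII decode errors
        return "undecodable key blob (%s)" % exc
    if embedded != fields[0]:
        return "declared type %s but blob contains %s" % (fields[0], embedded)
    return None


def audit_output(stdout, stderr="", returncode=0):
    """List everything in the command's result that is not a plain key line."""
    findings = []
    if returncode != 0:
        findings.append("exit status %d" % returncode)
    if stderr.strip():
        count = len(stderr.strip().splitlines())
        findings.append("stderr is not empty (%d line(s))" % count)
    keys = 0
    for number, line in enumerate(stdout.splitlines(), 1):
        reason = check_line(line)
        if reason:
            findings.append("stdout line %d: %s" % (number, reason))
        elif line.strip() and not line.strip().startswith("#"):
            keys += 1
    if keys == 0:
        findings.append("no usable key line on stdout")
    return findings


def run_and_audit(argv, timeout=10):
    """Run the command the way it is configured in sshd_config and audit it."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return audit_output(proc.stdout, proc.stderr, proc.returncode)


# Constructed samples: a key line, and the warning text shape from the thread.
KEY_LINE = "ssh-rsa " + make_blob("ssh-rsa") + " constructed-example-key"
WARNING = (
    "/usr/lib/python2.7/site-packages/requests/packages/urllib3/"
    "connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS "
    "request is being made.\n  InsecureRequestWarning)\n"
)

if __name__ == "__main__":
    cases = (
        ("clean output", KEY_LINE + "\n", ""),
        ("warning on stderr", KEY_LINE + "\n", WARNING),
        ("warning mixed into stdout", WARNING + KEY_LINE + "\n", ""),
    )
    for label, out, err in cases:
        print(label, "->", audit_output(out, err) or "only key lines")
```

On the SSH server, `run_and_audit(["/usr/bin/privacyidea-authorizedkeys", "root"])` applies the same checks to the real command, run as the user named in AuthorizedKeysCommandUser.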

On Monday, 28.12.2015 at 21:43 -0800, arthur.schoenfeld@gmail.com wrote:

Hi Cornelius,

Here is the output from the ‘privacyidea-authorizedkeys root’ command:

[root@satellite110 ~]# privacyidea-authorizedkeys root

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation

InsecureRequestWarning)

/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation

InsecureRequestWarning)

ssh-rss AAAAB3NzaC1yc2EAAAABJQAA…3OfrrRj4/+O8XC6XT9k=
iphone-rsa-key-20151225

I figured the HTTPS error wasn’t an issue and that it should still
work from what I read at the security.html it recommends reading, but
I may have read it wrong.

Here is the log file from the SSH server:

[2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
[2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
[2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
[2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
[2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'

Unfortunately I still don’t have /var/log/privacyidea/privacyidea.log
file on the client machine that I am trying to SSH into. I did add a
file there manually hoping it would maybe use it after running the
‘privacyidea-authorizedkeys root’ command, but the file is empty.

I also edited the client’s config file located
in /etc/privacyidea/authorizedkeys and added these lines:

PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"

PI_LOGLEVEL = 10

I also added those same lines to /usr/bin/privacyidea-authorizedkeys
and changed DEBUG to true:

VERSION = '2.4'

DEBUG = True

DESCRIPTION = __doc__

DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"

PI_LOGLEVEL = 10

PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"

Even with all that, I’m still not seeing a log file anywhere on the
client machine. I must be doing something wrong if it isn’t generating
one for us.

I hope I am not tiring you, I apologize for my ignorance with this.
The missing log file is perplexing me. Thank you so much for your time
and help with this.

Thanks,

Arthur

On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:
Hi Arthur,

    you do not need the privacyidea server software on the client (which in
    this case is your SSH server).

    On the client side you only need privacyidea-authorizedkeys.
    This script is located in the module privacyideaadm.

    You only need one config file:
    https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35

    This should do it.

    As you can run the command from the command line successfully, it seems
    fine.

    Can you please send the very detailed output/stdout of the command

            privacyidea-authorizedkeys root

    (I want to make sure, that there is no other disturbing output)

    and send the /var/log/privacyidea/privacyidea.log file from the event,
    when trying to ssh into the ssh server?
    
    Thanks a lot 
    Cornelius 
    
    
    On Sunday, 27.12.2015 at 09:30 -0800, arthur.s...@gmail.com wrote:
    > Hi Cornelius,
    >
    > I have the log and config file on the PrivacyIdea SSH server, but on
    > the client that I am trying to SSH into (the one giving the status 5
    > error), I don't have either file.
    >
    > On the client I ran this command to install the PrivacyIdea admin
    > client:
    >
    > pip install privacyideaadm
    >
    > I used this guide when I installed that:
    >
    > https://www.howtoforge.com/tutorial/ssh-key-management-with-privacyidea/
    >
    > Do I need to install the full PrivacyIdea software on the client as
    > well, or can I just define the config file according to the
    > documentation with the admin client? Or is the config file for the
    > admin client located somewhere I'm not looking? I've looked in the
    > three places the documentation stated that you linked.
    >
    > Thank you so much for all your help, I really appreciate it.
    >
    > Thanks,
    >
    > Arthur
    > 
    > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:
    >         Hello Arthur,
    >
    >         can you please take a look into the privacyidea.log, which is
    >         usually located at /var/log/privacyidea/.
    >
    >         In the moment of authentication, when sshd calls
    >         "privacyidea-authorizedkeys", this might give us a clue, what
    >         happens in this moment.
    >         If needed please increase the log level
    >         http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
    >
    >         Kind regards
    >         Cornelius
    >         
    >         On Saturday, 26.12.2015 at 09:22 -0800, arthur.s...@gmail.com wrote:
    >         > Hi Cornelius,
    >         >
    >         > Thanks for the quick reply!
    >         >
    >         > Here is a snippet of my sshd_config file in regards to
    >         > authorizedkeys.
    >         >
    >         > # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    >         >
    >         > # but this is overridden so installations will only check .ssh/authorized_keys
    >         >
    >         > AuthorizedKeysFile .ssh/authorized_keys
    >         >
    >         > #AuthorizedPrincipalsFile none
    >         >
    >         > AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
    >         >
    >         > AuthorizedKeysCommandUser root
    >         >
    >         > I am running the command as root, both when manually checking and when
    >         > connecting. The user that the token is attached to on the PrivacyIdea
    >         > server side is also root.
    >         >
    >         > Thanks!
    >         >
    >         > Arthur
    >         >
    >         > On Saturday, December 26, 2015 at 10:14:39 AM UTC-7, Cornelius Kölbel wrote:
    >         >         Hello Arthur,
    >         >
    >         >         are you running the command as the same user?
    >         >
    >         >         I.e. when running manually you are running as user "root" I
    >         >         suppose.
    >         >         The command needs access to the configuration file. So if the
    >         >         authorizedKeysCommand is run as another user, you might fail.
    >         >
    >         >         How does your sshd_config look like in regards to
    >         >         authorizedkeys?
    >         >
    >         >         Kind regards
    >         >         Cornelius
    >         >
    >         >         On Saturday, 26.12.2015, 08:03 -0800, arthur.s...@gmail.com wrote:
    >         >         > Hello!
    >         >         >
    >         >         > I am running into an issue trying to setup PrivacyIdea for
    >         >         > our system. I am hoping to use this to distribute SSH keys to
    >         >         > our servers from the one main PrivacyIdea server for each of
    >         >         > our agents that log into different servers.
    >         >         >
    >         >         > So far I have installed the Apache2 package on Ubuntu 14.04,
    >         >         > added a realm and a token, and attached that token to a
    >         >         > specific machine. The server is currently pointed to
    >         >         > /etc/passwd for the users list. I also have a machine
    >         >         > resolver pointed to /etc/mysshhosts.
    >         >         >
    >         >         > I have installed the admin client on the server I am wanting
    >         >         > to SSH into. I have added the [default] file to
    >         >         > /etc/privacyidea/authorizedkeys. I have also edited the
    >         >         > ssh_config file to add in the authorizedkeyscommand file and
    >         >         > user.
    >         >         >
    >         >         > From the client system when running
    >         >         > "privacyidea-authorizedkeys root", it successfully returns
    >         >         > the correct SSH key from the main server.
    >         >         >
    >         >         > When I try to login from the device with said SSH key, it
    >         >         > says the server refused the key and prompts for the password.
    >         >         > When running SSHD in debug mode, I am getting this error:
    >         >         > "error: AuthorizedKeysCommand
    >         >         > /usr/bin/privacyidea-authorizedkeys root failed, status 5"
    >         >         >
    >         >         > I have tried to find what this error status 5 means but
    >         >         > cannot find any information. I can provide more information
    >         >         > if needed. I have used various guides from howtoforge, and
    >         >         > information from the PrivacyIdea documentation, as well as
    >         >         > this group, to install and configure the software. There very
    >         >         > well may be mistakes along the way I have made as I am still
    >         >         > learning the software.
    >         >         >
    >         >         > Any help and guidance is greatly appreciated.
    >         >         >
    >         >         > Thanks!
    >         >         >
    >         >         > Arthur
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 
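
Cornelius asks above for the complete output of privacyidea-authorizedkeys root, to make sure it contains nothing besides keys. That check can be done mechanically; the script below is an added example, not part of the thread or of privacyIDEA. Its function names, key-type list and sample outputs are constructed for illustration, and it assumes key lines without a leading options field.

```python
"""Check that AuthorizedKeysCommand output contains only well-formed key lines."""
import base64
import binascii
import struct
import sys

# Assumption: a common subset of key types; extend for certificate or sk- keys.
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def blob_key_type(blob_b64):
    """Return the key type stored inside a base64 public-key blob, or None."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed type
    if length == 0 or 4 + length > len(blob):
        return None
    try:
        return blob[4:4 + length].decode("ascii")
    except UnicodeDecodeError:
        return None


def check_keys_output(text):
    """Return (line number, problem) pairs for every line that is not a key line."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are valid in authorized_keys format
        fields = stripped.split()
        if fields[0] not in KNOWN_KEY_TYPES:
            problems.append((lineno, "not a key line: starts with %r" % fields[0]))
            continue
        if len(fields) < 2:
            problems.append((lineno, "key type without key data"))
            continue
        embedded = blob_key_type(fields[1])
        if embedded is None:
            problems.append((lineno, "key data is not a valid base64 key blob"))
        elif embedded != fields[0]:
            problems.append((lineno, "key type %r does not match blob type %r"
                             % (fields[0], embedded)))
    return problems


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def constructed_blob(key_type):
    """Build a syntactically valid but meaningless key blob (constructed sample data)."""
    raw = (_ssh_string(key_type.encode("ascii")) + _ssh_string(b"\x25")
           + _ssh_string(b"\x00" + b"\xab" * 32))
    return base64.b64encode(raw).decode("ascii")


# Constructed samples modelled on the output pasted in this thread.
CLEAN = "ssh-rsa %s constructed-comment\n" % constructed_blob("ssh-rsa")
NOISY = (
    "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: "
    "InsecureRequestWarning: Unverified HTTPS request is being made.\n"
    "  InsecureRequestWarning)\n"
) + CLEAN
MISTYPED = "ssh-rss %s constructed-comment\n" % constructed_blob("ssh-rsa")
MISMATCH = "ssh-ed25519 %s constructed-comment\n" % constructed_blob("ssh-rsa")

if __name__ == "__main__":
    found = check_keys_output(sys.stdin.read())
    for lineno, problem in found:
        sys.stderr.write("line %d: %s\n" % (lineno, problem))
    sys.exit(1 if found else 0)
```

Run as the AuthorizedKeysCommandUser, the command's standard output can be piped into the script; a non-zero exit status means at least one line is not a plain key line.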



Cornelius,

Thank you so much for all of your help!

Sorry for the delay in my responses, I had to put this on the back burner
the past two weeks due to other projects that took priority. It is still a
mission critical project for us though. I will definitely recommend your
company services to the CEO of my company.

I’ll let you know how the bash script works and I’ll be in touch.

Thanks again for all your help.

Thanks,

Arthur

On Tuesday, December 29, 2015 at 1:37:27 PM UTC-7, Cornelius Kölbel wrote:

Hi Arthur,

you can create a bash script, that sets the environment variable:

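    #!/bin/bash
    # Silence the urllib3 warning so that only the keys are printed
    export PYTHONWARNINGS="ignore:Unverified HTTPS request"
    # Quote "$@" so the user name passed by sshd arrives as one unchanged argument
    privacyidea-authorizedkeys --nosslcheck "$@"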

Then you could use this script as AuthorizedKeysCommand.
For now.

But using an untrusted certificate allows for a man in the middle
attack.

I will add an issue, so that

  1. the error can be ignored without bash script
  2. the privacyidea-authorizedkeys will accept your own CA certificates

You should at all cost assure that the client (ssh server) trusts the
privacyIDEA server certificate.

For what it’s worth. If you only have a surface knowledge but this topic
is mission critical to you: My company provides all kind of support
around this topic. So we could do remote sessions or on-site workshop,
help to setup the certificate, configure privacyidea and the client side
and you can also get a service level agreement:

One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung
privacyIDEA Support Level

Kind regards
Cornelius

On Tuesday, 29.12.2015, 11:55 -0800, arthur.s...@gmail.com wrote:

Cornelius,

I ran it as you said, and the error messages are gone, and only the
key was returned.

    [root@satellite110 ~]# PYTHONWARNINGS="ignore:Unverified HTTPS request" \
    privacyidea-authorizedkeys root
    ssh-rss AAAAB3Nz…gq3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    [root@satellite110 ~]#

I have a surface level knowledge of this and am trying to learn and
understand, but I’m not sure if I should disable that or just learn
how to implement a certificate on the server. If a cert is the right
way to go I can do that. If the status 5 error I was originally
getting was just due to the client passing the SSH server the key,
plus the junk from the warnings, that would make sense why it rejects
the key, since it’s not the key, it’s the key + warning message
garbage - I hope I understand that properly, if not let me know.

Is there a way to permanently disable this or get it working for now
without the SSL?

Thanks,

Arthur

On Tuesday, December 29, 2015 at 12:47:45 PM UTC-7, Cornelius Kölbel wrote:
Hi Arthur,

    oh, no I understand.
    This is a warning from the urllib3 library, that an https request is
    performed without verifying the certificate.

    Too bad. Hm, we know that we are doing nasty stuff. All this software
    that tries to educate us...

    Try to run it this way:

    PYTHONWARNINGS="ignore:Unverified HTTPS request" \
       privacyidea-authorizedkeys root

    Kind regards
    Cornelius
    
    
    On Tuesday, 29.12.2015, 11:42 -0800, arthur.s...@gmail.com wrote:
    > Cornelius,
    >
    > I tried with the --nosslcheck parameter at the command line, it gave
    > the same output results:
    >
    > [root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
    > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
    > certificate verification is strongly advised. See:
    > Advanced Usage - urllib3 2.1.0 documentation
    >   InsecureRequestWarning)
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
    > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
    > certificate verification is strongly advised. See:
    > Advanced Usage - urllib3 2.1.0 documentation
    >   InsecureRequestWarning)
    > ssh-rss AAAAB3NzaC1yc2EAAAAB.....XC6XT9k= iphone-rsa-key-20151225
    >
    > I am thinking of wiping and reinstalling the client server, maybe I
    > installed incorrectly, or possibly disabling the warning message
    > entirely. Any thoughts or suggestions on this?
    >
    > Thanks again for everything.
    >
    > Arthur
    >
    > On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:
    >         Hm, maybe the nosslcheck parameter in the config file is
    >         broken
    >
    >         You can run at the commandline:
    >
    >         privacyidea-authorizedkeys --nosslcheck root
    >
    >         This should suppress the error message.
    >         Just drop me a note, if it does.
    >
    >         Kind regards
    >         Cornelius
    >
    >         On Tuesday, 29.12.2015, 11:21 -0800, arthur.s...@gmail.com wrote:
    >         > Hi Cornelius,
    >         >
    >         > That makes sense about the log file.
    >         >
    >         > Just to clarify, for the nosslcheck = true option, is that added
    >         > to the client's config file
    >         > (/etc/privacyidea/authorizedkeyscommand), or to the SSH server,
    >         > or both?
    >         >
    >         > I will work towards getting a certificate in place. I have
    >         > actually had nosslcheck = true part of my client's config file
    >         > from before I posted here, and it has always given that error
    >         > message on the output. Would I need to disable the SSL warning
    >         > instead, or should the nosslcheck prevent the warning from
    >         > appearing?
    >         >
    >         > Here is my complete config file from the client
    >         > (/etc/privacyidea/authorizedkeyscommand:
    >         >
    >         > [Default]
    >         > url=https://<IP>
    >         > admin=****
    >         > password=****
    >         > nosslcheck = True
    >         >
    >         > Thanks,
    >         >
    >         > Arthur
    >         >
    >         > On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
    >         >         Hi Arthur,
    >         >
    >         >         the privacyidea.log only exists on the privacyidea server!
    >         >
    >         >         But the output of the command
    >         >
    >         >          privacyidea-authorizedkeys root
    >         >
    >         >         help. This command must only output the public ssh keys.
    >         >         The urllib warning will confuse the SSH server. So we need to
    >         >         avoid these.
    >         >         Either get a trusted SSL certificate to install on your
    >         >         privacyIDEA server (recommended solution to avoid MitM attacks)
    >         >
    >         >         For now, you can add --nosslcheck as parameter or add
    >         >
    >         >                 nosslcheck = True
    >         >
    >         >         to your config file.
    >         >
    >         >         Kind regards
    >         >         Cornelius
    >         >
    >         >         On Monday, 28.12.2015, 21:43 -0800, arthur.s...@gmail.com wrote:
    >         >         > Hi Cornelius,
    >         >         >
    >         >         > Here is the output from the 'privacyidea-authorizedkeys root'
    >         >         > command:
    >         >         >
    >         >         > [root@satellite110 ~]# privacyidea-authorizedkeys root
    >         >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
    >         >         > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
    >         >         > certificate verification is strongly advised. See:
    >         >         > Advanced Usage - urllib3 2.1.0 documentation
    >         >         >   InsecureRequestWarning)
    >         >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791:
    >         >         > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
    >         >         > certificate verification is strongly advised. See:
    >         >         > Advanced Usage - urllib3 2.1.0 documentation
    >         >         >   InsecureRequestWarning)
    >         >         > ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    >         >         >
    >         >         > I figured the HTTPS error wasn't an issue and that it should
    >         >         > still work from what I read at the security.html it
    >         >         > recommends reading, but I may have read it wrong.
    >         >         >
    >         >         > Here is the log file from the SSH server:
    >         >         >
    >         >         > [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    >         >         > [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    >         >         > [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
    >         >         > [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
    >         >         > [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         > [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
    >         >         >
    >         >         > Unfortunately I still don't have
    >         >         > /var/log/privacyidea/privacyidea.log file on the client
    >         >         > machine that I am trying to SSH into. I did add a file there
    >         >         > manually hoping it would maybe use it after running the
    >         >         > 'privacyidea-authorizedkeys root' command, but the file is
    >         >         > empty.
    >         >         >
    >         >         > I also edited the client's config file located in
    >         >         > /etc/privacyidea/authorizedkeys and added these lines:
    >         >         >
    >         >         > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    >         >         > PI_LOGLEVEL = 10
    >         >         >
    >         >         > I also added those same lines to
    >         >         > /usr/bin/privacyidea-authorizedkeys and changed DEBUG to
    >         >         > true:
    >         >         >
    >         >         > VERSION = '2.4'
    >         >         > DEBUG = True
    >         >         > DESCRIPTION = __doc__
    >         >         > DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
    >         >         > PI_LOGLEVEL = 10
    >         >         > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    >         >         >
    >         >         > Even with all the I'm still not seeing a log file anywhere on
    >         >         > the client machine. I must be doing something wrong if it
    >         >         > isn't generating one for us.
    >         >         >
    >         >         > I hope I am not tiring you, I apologize for my ignorance with
    >         >         > this. The missing log file is perplexing me. Thank you so
    >         >         > much for your time and help with this.
    >         >         >
    >         >         > Thanks,
    >         >         >
    >         >         > Arthur
    >         >         >
    >         >         > On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:
    >         >         >         Hi Arthur,
    >         >         >
    >         >         >         you do not need the privacyidea server software on the
    >         >         >         client (which in this case is your SSH server).
    >         >         >
    >         >         >         On the client side you only need
    >         >         >         privacyidea-authorizedkeys.
    >         >         >         This script is located in the module privacyideaadm.
    >         >         >
    >         >         >         You only need one config file:
    >         >         >         https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35
    >         >         >
    >         >         >         This should do it.
    >         >         >
    >         >         >         As you can run the command from the command line
    >         >         >         successfully, it seems fine.
    >         >         >
    >         >         >         Can you please send the very detailed output/stdout of
    >         >         >         the command
    >         >         >
    >         >         >         privacyidea-authorizedkeys root
    >         >         >
    >         >         >         (I want to make sure, that there is no other disturbing
    >         >         >         output)
    >         >         >
    >         >         >         and send the /var/log/privacyidea/privacyidea.log file
    >         >         >         from the event, when trying to ssh into the ssh server?
    >         >         >
    >         >         >         Thanks a lot
    >         >         >         Cornelius
    >         >         >
    >         >         >         On Sunday, 27.12.2015, 09:30 -0800, arthur.s...@gmail.com wrote:
    >         >         >         > Hi Cornelius,
    >         >         >         >
    >         >         >         > I have the log and config file on the PrivacyIdea SSH
    >         >         >         > server, but on the client that I am trying to SSH into
    >         >         >         > (the one giving the status 5 error), I don't have
    >         >         >         > either file.
    >         >         >         >
    >         >         >         > On the client I ran this command to install the
    >         >         >         > PrivacyIdea admin client:
    >         >         >         >
    >         >         >         > pip install privacyideaadm
    >         >         >         >
    >         >         >         > I used this guide when I installed that:
    >         >         >         >
    >         >         >         > SSH Key Management with privacyIDEA
    >         >         >         >
    >         >         >         > Do I need to install the full PrivacyIdea software on
    >         >         >         > the client as well, or can I just define the config
    >         >         >         > file according to the documentation with the admin
    >         >         >         > client? Or is the config file for the admin client
    >         >         >         > located somewhere I'm not looking? I've looked in the
    >         >         >         > three places the documentation stated that you linked.
    >         >         >         >
    >         >         >         > Thank you so much for all your help, I really
    >         >         >         > appreciate it.
    >         >         >         >
    >         >         >         > Thanks,
    >         >         >         >
    >         >         >         > Arthur
    >         >         >         >
    >         >         >         > On Sunday, December 27, 2015  at 1:16:06  AM UTC-7,  Cornelius  Kölbel  wrote: 
    >         >         >         >         Hallo Arthur, 
    >         >         >         >         
    >         >         >         >         can you please take a 
    look into 
    >         the 
    >         >         privacyidea.log, 
    >         >         >         which is 
    >         >         >         >         usually 
    >         >         >         >         located 
    >         at /var/log/privacyidea/. 
    >         >         >         >         
    >         >         >         >         In the moment of 
    authentication, 
    >         when sshd 
    >         >         calls 
    >         >         >         > 
    "privacyidea-authorizedkeys", 
    >         this might 
    >         >         give us a 
    >         >         >         clue, what 
    >         >         >         >         happens in 
    >         >         >         >         this moment. 
    >         >         >         >         If needed please 
    increase the 
    >         log level 
    >         >         >         > 
    >         >         > 
    >         > 
    > 

2.6. Debugging and Logging — privacyIDEA 3.8 documentation

    >         >         >         >
    >         >         >         >         Kind regards
    >         >         >         >         Cornelius
    >         >         >         >
    >         >         >         >         On Saturday, 26.12.2015, 09:22 -0800, arthur.s...@gmail.com wrote:
    >         >         >         >         > Hi Cornelius,
    >         >         >         >         >
    >         >         >         >         > Thanks for the quick reply!
    >         >         >         >         >
    >         >         >         >         > Here is a snippet of my sshd_config file in regards to
    >         >         >         >         > authorizedkeys.
    >         >         >         >         >
    >         >         >         >         > # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    >         >         >         >         > # but this is overridden so installations will only check .ssh/authorized_keys
    >         >         >         >         > AuthorizedKeysFile .ssh/authorized_keys
    >         >         >         >         >
    >         >         >         >         > #AuthorizedPrincipalsFile none
    >         >         >         >         >
    >         >         >         >         > AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
    >         >         >         >         > AuthorizedKeysCommandUser root
    >         >         >         >         >
    >         >         >         >         > I am running the command as root, both when manually checking and
    >         >         >         >         > when connecting. The user that the token is attached to on the
    >         >         >         >         > PrivacyIdea server side is also root.
    >         >         >         >         >
    >         >         >         >         > Thanks!
    >         >         >         >         >
    >         >         >         >         > Arthur
    >         >         >         >         >
    >         >         >         >         > On Saturday, December 26, 2015 at 10:14:39 AM UTC-7, Cornelius Kölbel wrote:
    >         >         >         >         >         Hello Arthur,
    >         >         >         >         >
    >         >         >         >         >         are you running the command as the same user?
    >         >         >         >         >
    >         >         >         >         >         I.e. when running manually you are running as user "root" I
    >         >         >         >         >         suppose.
    >         >         >         >         >         The command needs access to the configuration file. So if the
    >         >         >         >         >         authorizedKeysCommand is run as another user, you might fail.
    >         >         >         >         >
    >         >         >         >         >         How does your sshd_config look like in regards to
    >         >         >         >         >         authorizedkeys?
    >         >         >         >         >
    >         >         >         >         >         Kind regards
    >         >         >         >         >         Cornelius
    >         >         >         >         >
    >         >         >         >         >         On Saturday, 26.12.2015, 08:03 -0800, arthur.s...@gmail.com wrote:
    >         >         >         >         >         > Hello!
    >         >         >         >         >         >
    >         >         >         >         >         > I am running into an issue trying to setup PrivacyIdea for our
    >         >         >         >         >         > system. I am hoping to use this to distribute SSH keys to our
    >         >         >         >         >         > servers from the one main PrivacyIdea server for each of our
    >         >         >         >         >         > agents that log into different servers.
    >         >         >         >         >         >
    >         >         >         >         >         > So far I have installed the Apache2 package on Ubuntu 14.04,
    >         >         >         >         >         > added a realm and a token, and attached that token to a specific
    >         >         >         >         >         > machine. The server is currently pointed to /etc/passwd for the
    >         >         >         >         >         > users list. I also have a machine resolver pointed
    >         >         >         >         >         > to /etc/mysshhosts.
    >         >         >         >         >         >
    >         >         >         >         >         > I have installed the admin client on the server I am wanting to
    >         >         >         >         >         > SSH into. I have added the [default] file
    >         >         >         >         >         > to /etc/privacyidea/authorizedkeys. I have also edited the
    >         >         >         >         >         > ssh_config file to add in the authorizedkeyscommand file and
    >         >         >         >         >         > user.
    >         >         >         >         >         >
    >         >         >         >         >         > From the client system when running
    >         >         >         >         >         > "privacyidea-authorizedkeys root", it successfully returns the
    >         >         >         >         >         > correct SSH key from the main server.
    >         >         >         >         >         >
    >         >         >         >         >         > When I try to login from the device with said SSH key, it says
    >         >         >         >         >         > the server refused the key and prompts for the password. When
    >         >         >         >         >         > running SSHD in debug mode, I am getting this error: "error:
    >         >         >         >         >         > AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys root
    >         >         >         >         >         > failed, status 5"
    >         >         >         >         >         >
    >         >         >         >         >         > I have tried to find what this error status 5 means but cannot
    >         >         >         >         >         > find any information. I can p...
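
The requirement stated in this thread is that the program named in AuthorizedKeysCommand must print public keys and nothing else. The shell filter below is an added example (not code from the thread or from privacyIDEA) that enforces this on a command's output; its function names and sample lines are constructed, and it accepts only plain `type base64 [comment]` lines without key options.

```shell
#!/bin/bash
# Added example: keep only authorized_keys-style lines from a key-lookup
# command's output. Function names and sample data are constructed.

# Key types accepted as the first field. Lines that begin with key options
# (command="...", from="...") are deliberately not accepted here.
KEY_TYPES='ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)'

# is_key_line LINE: succeeds if LINE is "<type> <base64> [comment]".
is_key_line() {
    printf '%s\n' "$1" |
        grep -Eq '^('"$KEY_TYPES"') [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# filter_keys: copy key lines from stdin to stdout, report every other
# non-empty line on stderr, and return 1 if anything was rejected so the
# caller can fail closed instead of handing unexpected text to sshd.
filter_keys() {
    fk_rc=0
    while IFS= read -r fk_line || [ -n "$fk_line" ]; do
        [ -n "$fk_line" ] || continue
        if is_key_line "$fk_line"; then
            printf '%s\n' "$fk_line"
        else
            printf 'rejected: %s\n' "$fk_line" >&2
            fk_rc=1
        fi
    done
    return "$fk_rc"
}

# Constructed sample, modelled on the output quoted in the thread: two lines
# of warning text, one well-formed key, one key whose type is misspelled.
sample_output() {
    cat <<'EOF'
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made.
  InsecureRequestWarning)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7constructed== constructed-key-1
ssh-rss AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7constructed== constructed-key-2
EOF
}

# In a wrapper script used as AuthorizedKeysCommand, the lookup would be piped
# through the filter (command name taken from the thread):
#   privacyidea-authorizedkeys "$1" | filter_keys

# Run with --demo to see the filter applied to the sample.
if [ "${1:-}" = "--demo" ]; then
    sample_output | filter_keys
fi
```
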

Hello Arthur,

you are welcome.
You using privacyidea and giving feedback also helps to improve the
software.

Thanks to all you users!

Kind regards
Cornelius

On Thursday, 07.01.2016, 18:47 -0800, arthur.schoenfeld@gmail.com wrote:

Cornelius,

Thank you so much for all of your help!

Sorry for the delay in my responses, I had to put this on the back
burner the past two weeks due to other projects that took priority. It
is still a mission critical project for us though. I will definitely
recommend your company services to the CEO of my company.

I’ll let you know how the bash script works and I’ll be in touch.

Thanks again for all your help.

Thanks,

Arthur

On Tuesday, December 29, 2015 at 1:37:27 PM UTC-7, Cornelius Kölbel wrote:
Hi Arthur,

    you can create a bash script, that sets the environment variable:

            #!/bin/bash
            # Suppress the urllib3 "Unverified HTTPS request" warning
            export PYTHONWARNINGS="ignore:Unverified HTTPS request"
            # Pass the arguments supplied by sshd through unchanged
            privacyidea-authorizedkeys --nosslcheck "$@"

    Then you could use this script as AuthorizedKeysCommand.
    For now.

    But using an untrusted certificate allows for a man in the middle
    attack.

    I will add an issue, so that

    1. the error can be ignored without bash script
    2. the privacyidea-authorizedkeys will accept your own CA certificates

    You should at all cost assure that the client (ssh server) trusts the
    privacyIDEA server certificate.

    For what it's worth. If you only have a surface knowledge but this topic
    is mission critical to you: My company provides all kinds of support
    around this topic. So we could do remote sessions or on-site workshop,
    help to setup the certificate, configure privacyidea and the client side
    and you can also get a service level agreement:

    https://netknights.it/en/leistungen/one-time-services/
    https://netknights.it/en/leistungen/service-level-agreements/

    Kind regards
    Cornelius


    On Tuesday, 29.12.2015, 11:55 -0800, arthur.s...@gmail.com wrote:
    > Cornelius,
    >
    > I ran it as you said, and the error messages are gone, and only the
    > key was returned.
    >
    > [root@satellite110 ~]# PYTHONWARNINGS="ignore:Unverified HTTPS request" \
    > > privacyidea-authorizedkeys root
    > ssh-rss AAAAB3Nz....gq3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
    > [root@satellite110 ~]#
    >
    > I have a surface level knowledge of this and am trying to learn and
    > understand, but I'm not sure if I should disable that or just learn
    > how to implement a certificate on the server. If a cert is the right
    > way to go I can do that. If the status 5 error I was originally
    > getting was just due to the client passing the SSH server the key,
    > plus the junk from the warnings, that would make sense why it rejects
    > the key, since it's not the key, it's the key + warning message
    > garbage - I hope I understand that properly, if not let me know.
    >
    > Is there a way to permanently disable this or get it working for now
    > without the SSL?
    >
    > Thanks,
    >
    > Arthur
    >
    > On Tuesday, December 29, 2015 at 12:47:45 PM UTC-7, Cornelius Kölbel wrote:
    >         Hi Arthur,
    >
    >         oh, no I understand.
    >         This is a warning from the urllib3 library, that an https request is
    >         performed without verifying the certificate.
    >
    >         Too bad. Hm, we know that we are doing nasty stuff. All this software
    >         that tries to educate us...
    >
    >         Try to run it this way:
    >
    >         PYTHONWARNINGS="ignore:Unverified HTTPS request" \
    >            privacyidea-authorizedkeys root
    >
    >         Kind regards
    >         Cornelius
    >
    >         On Tuesday, 29.12.2015, 11:42 -0800, arthur.s...@gmail.com wrote:
    >         > Cornelius,
    >         >
    >         > I tried with the --nosslcheck parameter at the command line, it gave
    >         > the same output results:
    >         >
    >         > [root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root
    >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >         >   InsecureRequestWarning)
    >         > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
    >         >   InsecureRequestWarning)
    >         > ssh-rss AAAAB3NzaC1yc2EAAAAB.....XC6XT9k= iphone-rsa-key-20151225
    >         >
    >         > I am thinking of wiping and reinstalling the client server, maybe I
    >         > installed incorrectly, or possibly disabling the warning message
    >         > entirely. Any thoughts or suggestions on this?
    >         >
    >         > Thanks again for everything.
    >         >
    >         > Arthur
    >         >
    >         > On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:
    >         >         Hm, maybe the nosslcheck parameter in the config file is
    >         >         broken
    >         >
    >         >         You can run at the commandline:
    >         >
    >         >         privacyidea-authorizedkeys --nosslcheck root
    >         >
    >         >         This should suppress the error message.
    >         >         Just drop me a note, if it does.
    >         >
    >         >         Kind regards
    >         >         Cornelius
    >         >
    >         >         On Tuesday, 29.12.2015, 11:21 -0800, arthur.s...@gmail.com wrote:
    >         >         > Hi Cornelius,
    >         >         >
    >         >         > That makes sense about the log file.
    >         >         >
    >         >         > Just to clarify, for the nosslcheck = true option, is that added to
    >         >         > the client's config file (/etc/privacyidea/authorizedkeyscommand), or
    >         >         > to the SSH server, or both?
    >         >         >
    >         >         > I will work towards getting a certificate in place. I have actually
    >         >         > had nosslcheck = true part of my client's config file from before I
    >         >         > posted here, and it has always given that error message on the output.
    >         >         > Would I need to disable the SSL warning instead, or should the
    >         >         > nosslcheck prevent the warning from appearing?
    >         >         >
    >         >         > Here is my complete config file from the client
    >         >         > (/etc/privacyidea/authorizedkeyscommand):
    >         >         >
    >         >         > [Default]
    >         >         > url=https://<IP>
    >         >         > admin=****
    >         >         > password=****
    >         >         > nosslcheck = True
    >         >         >
    >         >         > Thanks,
    >         >         >
    >         >         > Arthur
    >         >         >
    >         >         > On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
    >         >         >         Hi Arthur,
    >         >         >
    >         >         >         the privacyidea.log only exists on the privacyidea server!
    >         >         >
    >         >         >         But the output of the command
    >         >         >
    >         >         >          privacyidea-authorizedkeys root
    >         >         >
    >         >         >         helps. This command must only output the public ssh keys.
    >         >         >         The urllib warning will confuse the SSH server. So we need to
    >         >         >         avoid these.
    >         >         >         Either get a trusted SSL certificate to install on your
    >         >         >         privacyIDEA server (recommended solution to avoid MitM attacks)
    >         >         >
    >         >         >         For now, you can add --nosslcheck as parameter or add
    >         >         >
    >         >         >                 nosslcheck = True
    >         >         >
    >         >         >         to your config file.
    >         >         >
    >         >         >         Kind regards
    >         >         >         Cornelius
    >         >         >
    >         >         >         On Monday, 28.12.2015, 21:43 0800, arthur.s...@gmail.com wrote:
    >         >         >         > Hi Cornelius, 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Here is the output from the 
    >         >         'privacyidea-authorizedkeys 
    >         >         >         root' command: 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > [root@satellite110 ~]# 
    >         privacyidea-authorizedkeys 
    >         >         root 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html 
    >         >         >         > 
    >         >         >         >   InsecureRequestWarning) 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    > /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html 
    >         >         >         > 
    >         >         >         >   InsecureRequestWarning) 
    >         >         >         > 
    >         >         >         > ssh-rss 
    >         >
    AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= 
    >         >         >         > iphone-rsa-key-20151225 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I figured the HTTPS error
    wasn't an 
    >         issue and that 
    >         >         it should 
    >         >         >         still 
    >         >         >         > work from what I read at the 
    >         security.html it 
    >         >         recommends 
    >         >         >         reading, but 
    >         >         >         > I may have read it wrong. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Here is the log file from the
    SSH 
    >         server: 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] 
    >         >         >         > user u'root' found in
    resolver 
    >         u'deflocal' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] 
    >         >         >         > userid resolved to '0' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] 
    >         >         >         > user u'root' found in
    resolver 
    >         u'deflocal' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] 
    >         >         >         > userid resolved to '0' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > [2015-12-29 
    >         >         >         > 
    >         >         > 
    >         > 
    >
    00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea' 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > Unfortunately I still don't 
    >         >         >
    have /var/log/privacyidea/privacyidea.log 
    >         >         >         > file on the client machine
    that I am 
    >         trying to SSH 
    >         >         into. I 
    >         >         >         did add a 
    >         >         >         > file there manually hoping it
    would 
    >         maybe use it 
    >         >         after 
    >         >         >         running the 
    >         >         >         > 'privacyidea-authorizedkeys
    root' 
    >         command, but the 
    >         >         file is 
    >         >         >         empty. 
    >         >         >         > 
    >         >         >         > 
    >         >         >         > I also edited the client's
    config file 
    >         located 
    >         >         >         >
    in /etc/privacyidea/authorizedkeys and 
    >         added these 
    >         >         lines: 
    > > > >
    > > > > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    > > > >
    > > > > PI_LOGLEVEL = 10
    > > > >
    > > > > I also added those same lines to /usr/bin/privacyidea-authorizedkeys
    > > > > and changed DEBUG to true:
    > > > >
    > > > > VERSION = '2.4'
    > > > >
    > > > > DEBUG = True
    > > > >
    > > > > DESCRIPTION = __doc__
    > > > >
    > > > > DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
    > > > >
    > > > > PI_LOGLEVEL = 10
    > > > >
    > > > > PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    > > > >
    > > > > Even with all the I'm still not seeing a log file anywhere on the
    > > > > client machine. I must be doing something wrong if it isn't
    > > > > generating one for us.
    > > > >
    > > > > I hope I am not tiring you, I apologize for my ignorance with this.
    > > > > The missing log file is perplexing me. Thank you so much for your
    > > > > time and help with this.
    > > > >
    > > > > Thanks,
    > > > >
    > > > > Arthur
    > > > >
    > > > > On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:
    > > > > > Hi Arthur,
    > > > > >
    > > > > > you do not need the privacyidea server software on the client
    > > > > > (which in this case is your SSH server).
    > > > > >
    > > > > > On the client side you only need privacyidea-authorizedkeys.
    > > > > > This script is located in the module privacyideaadm.
    > > > > >
    > > > > > You only need one config file:
    > > > > > https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35
    > > > > >
    > > > > > This should do it.
    > > > > >
    > > > > > As you can run the command from the command line successfully,
    > > > > > it seems fine.
    > > > > >
    > > > > > Can you please send the very detailed output/stdout of the command
    > > > > >
    > > > > > privacyidea-authorizedkeys root
    > > > > >
    > > > > > (I want to make sure, that there is no other disturbing output)
    > > > > >
    > > > > > and send the /var/log/privacyidea/privacyidea.log file from
    > > > > > the event, when trying to ssh into the ssh server?
    > > > > >
    > > > > > Thanks a lot
    > > > > > Cornelius
    > > > > >
    > > > > > On Sunday, 27.12.2015, 09:30 -0800, arthur.s...@gmail.com wrote:
    > > > > > > Hi Cornelius,
    > > > > > >
    > > > > > > I have the log and config file on the PrivacyIdea SSH server, but
    > > > > > > on the client that I am trying to SSH into (the one giving the
    > > > > > > status 5 error), I don't have either file.
    > > > > > >
    > > > > > > On the client I ran this command to install the PrivacyIdea admin
    > > > > > > client:
    > > > > > >
    > > > > > > pip install privacyideaadm
    > > > > > >
    > > > > > > I used this guide when I installed that:
    > > > > > >
    > > > > > > https://www.howtoforge.com/tutorial/ssh-key-management-with-privacyidea/
    > > > > > >
    > > > > > > Do I need to install the full PrivacyIdea software on the client
    > > > > > > as well, or can I just define the config file according to the
    > > > > > > documentation with the admin client? Or is the config file for
    > > > > > > the admin client located somewhere I'm not looking? I've looked
    > > > > > > in the three places the documentation stated that you linked.
    > > > > > >
    > > > > > > Thank you so much for all your help, I really appreciate it.
    > > > > > >
    > > > > > > Thanks,
    > > > > > >
    > > > > > > Arthur
    > > > > > >
    > > > > > > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:
    > > > > > > > Hello Arthur,
    > > > > > > >
    > > > > > > > can you please take a look into the privacyidea.log, which is
    > > > > > > > usually located at /var/log/privacyidea/.
    > > > > > > >
    > > > > > > > In the moment of authentication, when sshd calls
    > > > > > > > "privacyidea-authorizedkeys", this might give us a clue, what
    > > > > > > > happens in this moment.
    > > > > > > > If needed please increase the log level
    > > > > > > > http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html
    > > > > > > >
    > > > > > > > Kind regards
    > > > > > > > Cornelius
    > > > > > > >
    > > > > > > > On Saturday, 26.12.2015, 09:22 -0800, arthur.s...@gmail.com wrote:
    > > > > > > > > Hi Cornelius,
    > > > > > > > >
    > > > > > > > > Thanks for the quick reply!
    > > > > > > > >
    > > > > > > > > Here is a snippet of my sshd_config file in regards to
    > > > > > > > > authorizedkeys.
    > > > > > > > >
    > > > > > > > > # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    > > > > > > > >
    > > > > > > > > # but this is overridden so installations will only check .ssh/authorized_keys
    > > > > > > > >
    > > > > > > > > AuthorizedKeysFile .ssh/authorized_keys
    > > > > > > > >
    > > > > > > > > #AuthorizedPrincipalsFile none
    > > > > > > > >
    > > > > > > > > AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
    > > > > > > > >
    > > > > > > > > AuthorizedKeysCommandUser root
    > > > > > > > >
    > > > > > > > > I am running the command as root, both when manually checking
    > > > > > > > > and when connecting. The user that the token is attached to on
    > > > > > > > > the PrivacyIdea server side is also root.
    > > > > > > > >
    > > > > > > > > Thanks!
    > > > > > > > >
    > > > > > > > > Arthur
    > > > > > > > >
    > > > > > > > > On Saturday, December 26, 2015 at 10:14:39 AM UTC-7, Cornelius Kölbel wrote:
    > > > > > > > > > Hello Arthur,
    > > > > > > > > >
    > > > > > > > > > are you running the command as the same user?
    > > > > > > > > >
    > > > > > > > > > I.e. when running manually you are running as user "root" I
    > > > > > > > > > suppose.
    > > > > > > > > > The command needs access to the configuration file. So if the
    > > > > > > > > > authorizedKeysCommand is run as another user, you might fail.
    > > > > > > > > >
    > > > > > > > > > How does your sshd_config look like in regards to
    > > > > > > > > > authorizedkeys?
    > > > > > > > > >
    > > > > > > > > > Kind regards
    > > > > > > > > > Cornelius
    > > > > > > > > >
    > > > > > > > > > On Saturday, 26.12.2015, 08:03 -0800, arthur.s...@gmail.com wrote:
    > > > > > > > > > > Hello!
    > > > > > > > > > >
    > > > > > > > > > > I am running into an issue trying to setup PrivacyIdea for our
    > > > > > > > > > > system. I am hoping to use this to distribute SSH keys to our
    > > > > > > > > > > servers from the one main PrivacyIdea server for each of our
    > > > > > > > > > > agents that log into different servers.
    > > > > > > > > > >
    > > > > > > > > > > So far I have installed the Apache2 package on Ubuntu 14.04,
    > > > > > > > > > > added a realm and a token, and attached that token to a
    > > > > > > > > > > specific machine. The server is currently pointed to
    > > > > > > > > > > /etc/passwd for the users list. I also have a machine
    > > > > > > > > > > resolver pointed to /etc/mysshhosts.
    > > > > > > > > > >
    > > > > > > > > > > I have installed the admin client on the server I am wanting
    > > > > > > > > > > to SSH into. I have added the [default] file to
    > > > > > > > > > > /etc/privacyidea/authorizedkeys. I have also edited the
    > > > > > > > > > > ssh_config file to add in the authorizedkeyscommand file and
    > > > > > > > > > > user.
    > > > > > > > > > >
    > > > > > > > > > > From the client system when running
    > > > > > > > > > > "privacyidea-authorizedkeys root", it successfully returns
    > > > > > > > > > > the correct SSH key from the main server.
    > > > > > > > > > >
    > > > > > > > > > > When I try to login from the device with said SSH key, it
    > > > > > > > > > > says the server refused the key and prompts for the password.
    > > > > > > > > > > When running SSHD in debug mode, I am getting this error:
    > > > > > > > > > > "error: AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys root failed, status 5"
    > > > > > > > > > >
    > > > > > > > > > > I have tried to find what this error status 5 means but
    > > > > > > > > > > cannot find any information. I can p...




Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
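The thread above asks for two things: the command's exit status and whether it prints anything besides keys. The following is an added example, not part of the original thread or of privacyIDEA, that checks both for an `AuthorizedKeysCommand` helper and also tests the file against the sshd_config(5) rule that the program be owned by root, not writable by group or others, and given by an absolute path. The function names, the constructed sample key, and the minimal environment used for the run are assumptions made for illustration.

```python
import base64
import os
import re
import stat
import struct
import subprocess

# "<keytype> <base64 blob>", optionally preceded by authorized_keys options.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s|$)"
)


def is_key_line(line):
    """True if the line carries a key whose blob starts with the same type name."""
    m = KEY_RE.search(line)
    if not m:
        return False
    key_type, b64 = m.groups()
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if len(blob) < 4:
        return False
    (name_len,) = struct.unpack(">I", blob[:4])  # SSH string: uint32 length + bytes
    return blob[4:4 + name_len] == key_type.encode()


def check_command_file(path):
    """Problems that make sshd refuse to run the helper (sshd_config(5))."""
    problems = []
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    if not os.path.exists(path):
        problems.append("does not exist")
        return problems
    st = os.stat(path)
    if st.st_uid != 0:
        problems.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def run_like_sshd(argv, timeout=30):
    """Run the helper without the caller's shell environment and sort its stdout
    into key lines and everything else ("disturbing output")."""
    env = {"PATH": "/usr/bin:/bin", "LANG": "C"}  # assumption: minimal environment
    proc = subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, timeout=timeout)
    keys, noise = [], []
    for line in proc.stdout.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        (keys if is_key_line(text) else noise).append(text)
    return {"status": proc.returncode, "keys": keys, "noise": noise,
            "stderr": proc.stderr.strip()}


def sample_key_line(comment="constructed@example"):
    """Constructed ed25519-shaped key (32 zero bytes), for demonstration only."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    import sys
    # Default is the command line from the sshd error message in this thread.
    cmd = sys.argv[1:] or ["/usr/bin/privacyidea-authorizedkeys", "root"]
    print("file problems:", check_command_file(cmd[0]))
    if os.path.exists(cmd[0]):
        print(run_like_sshd(cmd))
```

A non-zero `status` here is the helper's own exit code, which is the number sshd reports in "failed, status N"; anything in `noise` or `stderr` is output the helper produced in addition to keys.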