Also, here is some of the information from the audit of the PrivacyIdea SSH
Server. This was after trying to connect to the client machine with my
device:
'internal admin','admin','None','1','','OK','184','','None','POST /auth','OK','','None','','2015-12-29T04:00:18','None','None'
'host: satellite110, application: ssh','admin','None','1','','OK','185','','None','GET /machine/authitem/','OK','None','None','','2015-12-29T04:00:18','None','None'
'internal admin','admin','None','1','','OK','186','','None','POST /auth','OK','','None','','2015-12-29T14:35:17','None','None'
'host: satellite110, application: ssh','admin','None','1','','OK','187','','None','GET /machine/authitem/','OK','None','None','','2015-12-29T14:35:17','None','None'
'internal admin','admin','None','1','','OK','188','','None','POST /auth','OK','','None','','2015-12-29T14:43:54','None','None'
'realm: ['*']','admin','None','1','','OK','189','','None','GET /token/','OK','None','None','','2015-12-29T14:43:55','None',''
'','admin','None','1','','OK','190','','None','GET /realm/','OK','None','None','','2015-12-29T14:43:55','None','None'
'','admin','None','1','','OK','191','','None','GET /audit/','OK','None','None','','2015-12-29T14:43:57','None',''
'','admin','None','1','','FAIL','192','','None','GET /audit/','OK','None','None','','2015-12-29T14:44:19','None','None'
I changed the IP addresses to , otherwise everything is the same. Not
sure if this helps at all.
Thanks,
Arthur

On Tuesday, December 29, 2015 at 12:42:06 PM UTC-7, arthur.s...@gmail.com wrote:
Cornelius,
I tried with the --nosslcheck parameter at the command line, it gave the
same output results:
[root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
InsecureRequestWarning)
ssh-rss AAAAB3NzaC1yc2EAAAAB…XC6XT9k= iphone-rsa-key-20151225
I am thinking of wiping and reinstalling the client server, maybe I
installed incorrectly, or possibly disabling the warning message entirely.
Any thoughts or suggestions on this?
Thanks again for everything.
Arthur
On Tuesday, December 29, 2015 at 12:33:09 PM UTC-7, Cornelius Kölbel wrote:
Hm, maybe the nosslcheck parameter in the config file is broken
You can run at the commandline:
privacyidea-authorizedkeys --nosslcheck root
This should suppress the error message.
Just drop me a note, if it does.
Kind regards
Cornelius
On Tuesday, 29.12.2015, 11:21 -0800, arthur.s...@gmail.com wrote:
Hi Cornelius,
That makes sense about the log file.
Just to clarify, for the nosslcheck = true option, is that added to
the client’s config file (/etc/privacyidea/authorizedkeyscommand), or
to the SSH server, or both?
I will work towards getting a certificate in place. I have actually
had nosslcheck = true part of my client’s config file from before I
posted here, and it has always given that error message on the output.
Would I need to disable the SSL warning instead, or should the
nosslcheck prevent the warning from appearing?
Here is my complete config file from the client
(/etc/privacyidea/authorizedkeyscommand):
[Default]
url=https://
admin=****
password=****
nosslcheck = True
Thanks,
Arthur
On Tuesday, December 29, 2015 at 12:18:14 AM UTC-7, Cornelius Kölbel wrote:
Hi Arthur,
the privacyidea.log only exists on the privacyidea server!
But the output of the command
privacyidea-authorizedkeys root
would help. This command must only output the public ssh keys.
The urllib warning will confuse the SSH server. So we need to avoid these.
Either get a trusted SSL certificate to install on your privacyIDEA server (recommended solution to avoid MitM attacks), or, for now, add --nosslcheck as a parameter or add
nosslcheck = True
to your config file.
Kind regards
Cornelius
On Monday, 28.12.2015, 21:43 -0800, arthur.s...@gmail.com wrote:
> Hi Cornelius,
>
> Here is the output from the 'privacyidea-authorizedkeys root' command:
>
> [root@satellite110 ~]# privacyidea-authorizedkeys root
> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
> InsecureRequestWarning)
> /usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.1.0 documentation
> InsecureRequestWarning)
> ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
>
> I figured the HTTPS error wasn't an issue and that it should still work from what I read at the security.html it recommends reading, but I may have read it wrong.
>
> Here is the log file from the SSH server:
>
> [2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
> [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
> [2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
> [2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
> [2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
> [2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
> [2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
> [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
> [2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
> [2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
> [2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
> [2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
>
> Unfortunately I still don't have the /var/log/privacyidea/privacyidea.log file on the client machine that I am trying to SSH into. I did add a file there manually hoping it would maybe use it after running the 'privacyidea-authorizedkeys root' command, but the file is empty.
>
> I also edited the client's config file located in /etc/privacyidea/authorizedkeys and added these lines:
>
> PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
> PI_LOGLEVEL = 10
>
> I also added those same lines to /usr/bin/privacyidea-authorizedkeys and changed DEBUG to true:
>
> VERSION = '2.4'
> DEBUG = True
> DESCRIPTION = __doc__
> DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
> PI_LOGLEVEL = 10
> PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
>
> Even with all that I'm still not seeing a log file anywhere on the client machine. I must be doing something wrong if it isn't generating one for us.
>
> I hope I am not tiring you, I apologize for my ignorance with this. The missing log file is perplexing me. Thank you so much for your time and help with this.
>
> Thanks,
>
> Arthur
>
> On Monday, December 28, 2015 at 2:15:30 AM UTC-7, Cornelius Kölbel wrote:
> Hi Arthur,
>
> you do not need the privacyidea server software on the client (which in this case is your SSH server).
>
> On the client side you only need privacyidea-authorizedkeys. This script is located in the module privacyideaadm.
>
> You only need one config file:
> https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35
>
> This should do it.
>
> As you can run the command from the command line successfully, it seems fine.
>
> Can you please send the very detailed output/stdout of the command
>
> privacyidea-authorizedkeys root
>
> (I want to make sure that there is no other disturbing output)
>
> and send the /var/log/privacyidea/privacyidea.log file from the event, when trying to ssh into the ssh server?
>
> Thanks a lot
> Cornelius
>
> On Sunday, 27.12.2015, 09:30 -0800, arthur.s...@gmail.com wrote:
> > Hi Cornelius,
> >
> > I have the log and config file on the PrivacyIdea SSH server, but on the client that I am trying to SSH into (the one giving the status 5 error), I don't have either file.
> >
> > On the client I ran this command to install the PrivacyIdea admin client:
> >
> > pip install privacyideaadm
> >
> > I used this guide when I installed that:
> >
> > SSH Key Management with privacyIDEA
> >
> > Do I need to install the full PrivacyIdea software on the client as well, or can I just define the config file according to the documentation with the admin client? Or is the config file for the admin client located somewhere I'm not looking? I've looked in the three places the documentation stated that you linked.
> >
> > Thank you so much for all your help, I really appreciate it.
> >
> > Thanks,
> >
> > Arthur
> >
> > On Sunday, December 27, 2015 at 1:16:06 AM UTC-7, Cornelius Kölbel wrote:
> > Hello Arthur,
> >
> > can you please take a look into the privacyidea.log, which is usually located at /var/log/privacyidea/.
> >
> > In the moment of authentication, when sshd calls "privacyidea-authorizedkeys", this might give us a clue what happens in this moment.
> > If needed please increase the log level:
> > 2.6. Debugging and Logging — privacyIDEA 3.8 documentation
> >
> > Kind regards
> > Cornelius
> >
> > On Saturday, 26.12.2015, 09:22 -0800, arthur.s...@gmail.com wrote:
> > > Hi Cornelius,
> > >
> > > Thanks for the quick reply!
> > >
> > > Here is a snippet of my sshd_config file in regards to authorizedkeys.
> > >
> > > # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> > > # but this is overridden so installations will only check .ssh/authorized_keys
> > > AuthorizedKeysFile .ssh/authorized_keys
> > >
> > > #AuthorizedPrincipalsFile none
> > >
> > > AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
> > > AuthorizedKeysCommandUser root
> > >
> > > I am running the command as root, both when manually checking and when connecting. The user that the token is attached to on the PrivacyIdea server side is also root.
> > >
> > > Thanks!
> > >
> > > Arthur
> > >
> > > On Saturday, December 26, 2015 at 10:14:39 AM UTC-7, Cornelius Kölbel wrote:
> > > Hello Arthur,
> > >
> > > are you running the command as the same user?
> > >
> > > I.e. when running manually you are running as user "root" I suppose.
> > > The command needs access to the configuration file. So if the authorizedKeysCommand is run as another user, you might fail.
> > >
> > > What does your sshd_config look like in regards to authorizedkeys?
> > >
> > > Kind regards
> > > Cornelius
> > >
> > > On Saturday, 26.12.2015, 08:03 -0800, arthur.s...@gmail.com wrote:
> > > > Hello!
> > > >
> > > > I am running into an issue trying to set up PrivacyIdea for our system. I am hoping to use this to distribute SSH keys to our servers from the one main PrivacyIdea server for each of our agents that log into different servers.
> > > >
> > > > So far I have installed the Apache2 package on Ubuntu 14.04, added a realm and a token, and attached that token to a specific machine. The server is currently pointed to /etc/passwd for the users list. I also have a machine resolver pointed to /etc/mysshhosts.
> > > >
> > > > I have installed the admin client on the server I am wanting to SSH into. I have added the [default] file to /etc/privacyidea/authorizedkeys. I have also edited the ssh_config file to add in the authorizedkeyscommand file and user.
> > > >
> > > > From the client system when running "privacyidea-authorizedkeys root", it successfully returns the correct SSH key from the main server.
> > > >
> > > > When I try to login from the device with said SSH key, it says the server refused the key and prompts for the password. When running SSHD in debug mode, I am getting this error: "error: AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys root failed, status 5"
> > > >
> > > > I have tried to find what this error status 5 means but cannot find any information. I can provide more information if needed. I have used various guides from howtoforge, and information from the PrivacyIdea documentation, as well as this group, to install and configure the software. There very well may be mistakes along the way I have made as I am still learning the software.
> > > >
> > > > Any help and guidance is greatly appreciated.
> > > >
> > > > Thanks!
> > > >
> > > > Arthur