error: AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys root failed, status 5


arthur.s...@gmail.com

Dec 26, 2015, 11:03:02 AM
to privacyidea
Hello!

I am running into an issue trying to set up PrivacyIdea for our system. I am hoping to use this to distribute SSH keys to our servers from the one main PrivacyIdea server for each of our agents that log into different servers.

So far I have installed the Apache2 package on Ubuntu 14.04, added a realm and a token, and attached that token to a specific machine. The server is currently pointed to /etc/passwd for the users list. I also have a machine resolver pointed to /etc/mysshhosts.

I have installed the admin client on the server I am wanting to SSH into. I have added the [default] file to /etc/privacyidea/authorizedkeys. I have also edited the ssh_config file to add in the authorizedkeyscommand file and user.

From the client system when running "privacyidea-authorizedkeys root", it successfully returns the correct SSH key from the main server.

When I try to login from the device with said SSH key, it says the server refused the key and prompts for the password. When running SSHD in debug mode, I am getting this error: "error: AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys root failed, status 5"

I have tried to find what this error status 5 means but cannot find any information. I can provide more information if needed. I have used various guides from howtoforge, and information from the PrivacyIdea documentation, as well as this group, to install and configure the software. There very well may be mistakes along the way I have made as I am still learning the software.

Any help and guidance is greatly appreciated. 

Thanks!

Arthur

Cornelius Kölbel

Dec 26, 2015, 12:14:39 PM
to priva...@googlegroups.com
Hello Arthur,

are you running the command as the same user?

I.e. when running manually you are running as user "root" I suppose.
The command needs access to the configuration file. So if the
authorizedKeysCommand is run as another user, you might fail.

What does your sshd_config look like in regards to authorizedkeys?

Kind regards
Cornelius

On Saturday, 26.12.2015, 08:03 -0800, arthur.s...@gmail.com wrote:
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/fa6bde1b-3718-4e8f-bbd4-ee5eb440ed46%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



arthur.s...@gmail.com

Dec 26, 2015, 12:22:50 PM
to privacyidea
Hi Cornelius,

Thanks for the quick reply!

Here is a snippet of my sshd_config file in regards to authorizedkeys.

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

AuthorizedKeysCommand /usr/bin/privacyidea-authorizedkeys
AuthorizedKeysCommandUser root


I am running the command as root, both when manually checking and when connecting. The user that the token is attached to on the PrivacyIdea server side is also root. 

Thanks!

Arthur

Cornelius Kölbel

Dec 27, 2015, 3:16:06 AM
to priva...@googlegroups.com
Hello Arthur,

can you please take a look into the privacyidea.log, which is usually
located at /var/log/privacyidea/.

At the moment of authentication, when sshd calls
"privacyidea-authorizedkeys", this might give us a clue about what happens
at that moment.
If needed please increase the log level
http://privacyidea.readthedocs.org/en/latest/installation/system/logging.html

Kind regards
Cornelius

On Saturday, 26.12.2015, 09:22 -0800, arthur.s...@gmail.com wrote:

arthur.s...@gmail.com

Dec 27, 2015, 12:30:45 PM
to privacyidea
Hi Cornelius,

I have the log and config file on the PrivacyIdea SSH server, but on the client that I am trying to SSH into (the one giving the status 5 error), I don't have either file. 

On the client I ran this command to install the PrivacyIdea admin client:

pip install privacyideaadm

I used this guide when I installed that:


Do I need to install the full PrivacyIdea software on the client as well, or can I just define the config file according to the documentation with the admin client? Or is the config file for the admin client located somewhere I'm not looking? I've looked in the three places the documentation stated that you linked.

Thank you so much for all your help, I really appreciate it.

Thanks,

Arthur

Cornelius Kölbel

Dec 28, 2015, 4:15:30 AM
to priva...@googlegroups.com
Hi Arthur,

you do not need the privacyidea server software on the client (which in
this case is your SSH server).

On the client side you only need privacyidea-authorizedkeys.
This script is located in the module privacyideaadm.

You only need one config file:
https://github.com/privacyidea/privacyideaadm/blob/master/scripts/privacyidea-authorizedkeys#L35

This should do it.

As you can run the command from the command line successfully, it seems
fine.

Can you please send the very detailed output/stdout of the command

privacyidea-authorizedkeys root

(I want to make sure, that there is no other disturbing output)

and send the /var/log/privacyidea/privacyidea.log file from the event,
when trying to ssh into the ssh server?

Thanks a lot
Cornelius


On Sunday, 27.12.2015, 09:30 -0800, arthur.s...@gmail.com wrote:

arthur.s...@gmail.com

Dec 29, 2015, 12:43:10 AM
to privacyidea
Hi Cornelius,

Here is the output from the 'privacyidea-authorizedkeys root' command:

[root@satellite110 ~]# privacyidea-authorizedkeys root
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
ssh-rss AAAAB3NzaC1yc2EAAAABJQAA.....3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225


I figured the HTTPS error wasn't an issue and that it should still work from what I read at the security.html it recommends reading, but I may have read it wrong.


Here is the log file from the SSH server:


[2015-12-29 00:30:52,517][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
[2015-12-29 00:30:52,518][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
[2015-12-29 00:30:52,576][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:30:52,590][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:30:52,599][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,746][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:188] user u'root' found in resolver u'deflocal'
[2015-12-29 00:31:30,747][25145][139740788180736][INFO][privacyidea.lib.user:189] userid resolved to '0'
[2015-12-29 00:31:30,794][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,807][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2015-12-29 00:31:30,815][25145][139740788180736][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'


Unfortunately I still don't have /var/log/privacyidea/privacyidea.log file on the client machine that I am trying to SSH into. I did add a file there manually hoping it would maybe use it after running the 'privacyidea-authorizedkeys root' command, but the file is empty.


I also edited the client's config file located in /etc/privacyidea/authorizedkeys and added these lines:


PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
PI_LOGLEVEL = 10


I also added those same lines to /usr/bin/privacyidea-authorizedkeys and changed DEBUG to true:


VERSION = '2.4'
DEBUG = True
DESCRIPTION = __doc__
DEFAULT_CONFIG = "/etc/privacyidea/authorizedkeyscommand"
PI_LOGLEVEL = 10
PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"


Even with all that, I'm still not seeing a log file anywhere on the client machine. I must be doing something wrong if it isn't generating one for us.


I hope I am not tiring you, I apologize for my ignorance with this. The missing log file is perplexing me. Thank you so much for your time and help with this.


Thanks,


Arthur

Cornelius Kölbel

Dec 29, 2015, 2:18:14 AM
to priva...@googlegroups.com
Hi Arthur,

the privacyidea.log only exists on the privacyidea server!

But the output of the command

privacyidea-authorizedkeys root


help. This command must only output the public ssh keys.
The urllib warning will confuse the SSH server. So we need to avoid
these.
Either get a trusted SSL certificate to install on your privacyIDEA
server (recommended solution to avoid MitM attacks)

For now, you can add --nosslcheck as parameter or add

nosslcheck = True

to your config file.

Kind regards
Cornelius

On Monday, 28.12.2015, 21:43 -0800, arthur.s...@gmail.com wrote:

arthur.s...@gmail.com

Dec 29, 2015, 2:21:24 PM
to privacyidea
Hi Cornelius,

That makes sense about the log file.

Just to clarify, for the nosslcheck = true option, is that added to the client's config file (/etc/privacyidea/authorizedkeyscommand), or to the SSH server, or both?

I will work towards getting a certificate in place. I have actually had nosslcheck = true part of my client's config file from before I posted here, and it has always given that error message on the output. Would I need to disable the SSL warning instead, or should the nosslcheck prevent the warning from appearing?

Here is my complete config file from the client (/etc/privacyidea/authorizedkeyscommand):

[Default]
url=https://<IP>
admin=****
password=****
nosslcheck = True


Thanks,

Arthur

Cornelius Kölbel

Dec 29, 2015, 2:33:09 PM
to priva...@googlegroups.com
Hm, maybe the nosslcheck parameter in the config file is broken

You can run at the commandline:

privacyidea-authorizedkeys --nosslcheck root

This should suppress the error message.
Just drop me a note, if it does.

Kind regards
Cornelius

On Tuesday, 29.12.2015, 11:21 -0800, arthur.s...@gmail.com wrote:

arthur.s...@gmail.com

Dec 29, 2015, 2:42:06 PM
to privacyidea
Cornelius,

I tried with the --nosslcheck parameter at the command line, it gave the same output results:

[root@satellite110 ~]# privacyidea-authorizedkeys --nosslcheck root
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
ssh-rss AAAAB3NzaC1yc2EAAAAB.....XC6XT9k= iphone-rsa-key-20151225



I am thinking of wiping and reinstalling the client server, maybe I installed incorrectly, or possibly disabling the warning message entirely. Any thoughts or suggestions on this?

Thanks again for everything.

Arthur

Cornelius Kölbel

Dec 29, 2015, 2:47:45 PM
to priva...@googlegroups.com
Hi Arthur,

oh, now I understand.
This is a warning from the urllib3 library, that an https request is
performed without verifying the certificate.

Too bad. Hm, we know that we are doing nasty stuff. All this software
that tries to educate us...

Try to run it this way:

PYTHONWARNINGS="ignore:Unverified HTTPS request" \
privacyidea-authorizedkeys root

Kind regards
Cornelius


On Tuesday, 29.12.2015, 11:42 -0800, arthur.s...@gmail.com wrote:

arthur.s...@gmail.com

Dec 29, 2015, 2:48:11 PM
to privacyidea
Also, here is some of the information from the audit of the PrivacyIdea SSH Server. This was after trying to connect to the client machine with my device:

'internal admin','admin','None','1','<IP>','OK','184','<IP>','None','POST /auth','OK','','None','','2015-12-29T04:00:18','None','None'
'host: satellite110, application: ssh','admin','None','1','<IP>','OK','185','<IP>','None','GET /machine/authitem/<application>','OK','None','None','','2015-12-29T04:00:18','None','None'
'internal admin','admin','None','1','<IP>','OK','186','<IP>','None','POST /auth','OK','','None','','2015-12-29T14:35:17','None','None'
'host: satellite110, application: ssh','admin','None','1','<IP>','OK','187','<IP>','None','GET /machine/authitem/<application>','OK','None','None','','2015-12-29T14:35:17','None','None'
'internal admin','admin','None','1','<IP>','OK','188','<IP>','None','POST /auth','OK','','None','','2015-12-29T14:43:54','None','None'
'realm: ['*']','admin','None','1','<IP>','OK','189','<IP>','None','GET /token/','OK','None','None','','2015-12-29T14:43:55','None','**'
'','admin','None','1','<IP>','OK','190','<IP>','None','GET /realm/','OK','None','None','','2015-12-29T14:43:55','None','None'
'','admin','None','1','<IP>','OK','191','<IP>','None','GET /audit/','OK','None','None','','2015-12-29T14:43:57','None','**'
'','admin','None','1','<IP>','FAIL','192','<IP>','None','GET /audit/<csvfile>','OK','None','None','','2015-12-29T14:44:19','None','None'

I changed the IP addresses to <IP>, otherwise everything is the same. Not sure if this helps at all.

Thanks,

Arthur

arthur.s...@gmail.com

Dec 29, 2015, 2:55:14 PM
to privacyidea
Cornelius,

I ran it as you said, and the error messages are gone, and only the key was returned.

[root@satellite110 ~]# PYTHONWARNINGS="ignore:Unverified HTTPS request" \
> privacyidea-authorizedkeys root
ssh-rss AAAAB3Nz....gq3OfrrRj4/+O8XC6XT9k= iphone-rsa-key-20151225
[root@satellite110 ~]#


I have a surface level knowledge of this and am trying to learn and understand, but I'm not sure if I should disable that or just learn how to implement a certificate on the server. If a cert is the right way to go I can do that. If the status 5 error I was originally getting was just due to the client passing the SSH server the key plus the junk from the warnings, that would make sense of why it rejects the key, since it's not the key, it's the key + warning message garbage. I hope I understand that properly; if not, let me know.

Is there a way to permanently disable this or get it working for now without the SSL?

Thanks,

Arthur

Cornelius Kölbel

Dec 29, 2015, 3:37:27 PM
to priva...@googlegroups.com
Hi Arthur,

you can create a bash script, that sets the environment variable:

#!/bin/bash
# Silence the urllib3 InsecureRequestWarning before the client runs
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
# Pass the user name sshd hands us through to the real command
privacyidea-authorizedkeys --nosslcheck "$@"

Then you could use this script as AuthorizedKeysCommand.
For now.

But using an untrusted certificate allows for a man in the middle
attack.

I will add an issue, so that

1. the error can be ignored without bash script
2. the privacyidea-authorizedkeys will accept your own CA certificates

You should at all cost assure that the client (ssh server) trusts the
privacyIDEA server certificate.

For what it's worth. If you only have a surface knowledge but this topic
is mission critical to you: My company provides all kinds of support
around this topic. So we could do remote sessions or on-site workshop,
help to setup the certificate, configure privacyidea and the client side
and you can also get a service level agreement:

https://netknights.it/en/leistungen/one-time-services/
https://netknights.it/en/leistungen/service-level-agreements/

Kind regards
Cornelius


On Tuesday, 29.12.2015, 11:55 -0800, arthur.s...@gmail.com wrote:

arthur.s...@gmail.com

Jan 7, 2016, 9:47:34 PM
to privacyidea
Cornelius,

Thank you so much for all of your help!

Sorry for the delay in my responses, I had to put this on the back burner the past two weeks due to other projects that took priority. It is still a mission critical project for us though. I will definitely recommend your company services to the CEO of my company.

I'll let you know how the bash script works and I'll be in touch. 

Thanks again for all your help.

Thanks,

Arthur

Cornelius Kölbel

Jan 8, 2016, 2:33:37 AM
to priva...@googlegroups.com
Hello Arthur,

you are welcome.
You using privacyidea and giving feedback also helps to improve the
software.

Thanks to all you users!

Kind regards
Cornelius

On Thursday, 07.01.2016, 18:47 -0800, arthur.s...@gmail.com wrote: