Using Vault with LDAP and SSH Backends


Hunter Fontenot

Nov 1, 2016, 3:40:06 PM11/1/16
to Vault
On CentOS 7, I have Vault set up with an LDAP authentication backend, and it works (it successfully authenticates and creates a token and all with 'vault auth -method=ldap username=hunter', then entering the LDAP password). So I assume the LDAP auth backend works as expected.

I have also attempted to set up an SSH Secret Backend to go with this. 

To use the OTP-style ssh connection method, I set up the otp_key_role role as suggested at https://www.vaultproject.io/docs/secrets/ssh/, and ran 'vault write ssh/creds/otp_key_role ip=x.x.x.x username=hunter'. 
That command returns successfully and gives me the otp_key credentials output.  

I then set up vault-ssh-helper on my remote host.
I get 'Verification Successful' when I run vault-ssh-helper with the '-verify-only' flag, so I assume my configuration is good and connects to my Vault.

The remote host is also set up as explained on https://github.com/hashicorp/vault-ssh-helper (the sshd_config and PAM sshd file). The only difference is that I set the first PAM line as 'auth sufficient' so my local user could log on to fix things.

However, when I try to log in as an LDAP user (hunter) via SSH, '/var/log/secure' only states 'pam_exec(sshd:auth): /usr/bin/vault-ssh-helper failed: exit code 1' as any indication, which gives me no clue as to why it failed.
When I try to use 'vault ssh -role otp_key_role hun...@x.x.x.x', it returns 'Failed to establish SSH connection:exit status 5' and the logs contain the same vault-ssh-helper error code.

I am wondering how vault-ssh-helper tries to authenticate by default. Am I able to use vault-ssh-helper and LDAP together with Vault? Or would I have to specify LDAP somewhere? Also it would be great to get errors into the vault-ssh-helper log, as I don't have any errors in the log.

I'm not much of an SSH or LDAP expert, so any help would be greatly appreciated!
Thanks! -Hunter

Jeff Mitchell

Nov 2, 2016, 3:40:57 PM11/2/16
to vault...@googlegroups.com
Hi Hunter,

To make sure I understand correctly, the remote host without the
different PAM line works as expected?

It would also be good to try running vault-ssh-helper on the remote
host directly (as in, not via PAM, but using the same arguments that
would be invoked) to make sure that it works without being invoked by
PAM/SSH...that would help narrow down the root of the trouble.

Best,
Jeff
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/f0248f70-5873-4efd-a596-22bf708a3ceb%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Hunter Fontenot

Nov 3, 2016, 12:16:24 PM11/3/16
to Vault
No, the remote host in PAM does not work in any setup I've tried. I was just mentioning the changed line in case it was relevant in any way. 
Also, I'm not really sure what you mean by running vault-ssh-helper directly. I ran it on the remote host, with the configuration set up to point at the Vault server, and used the -verify-only flag, and it said 'Verification Successful'. Is that what you were looking for? I'm not sure how to use vault-ssh-helper with the 'same arguments'.

-Hunter

Jeff Mitchell

Nov 3, 2016, 12:38:24 PM11/3/16
to vault...@googlegroups.com
Hi Hunter,

'verify-only' does ping the Vault server from the helper to verify
connectivity, but obviously doesn't verify any particular OTP. If you
want to mimic what PAM is doing, AFAICT you can fetch an OTP from
Vault, set your environment's PAM_USER env var to contain the name of
the user you're trying to log in as, pass in (e.g. via 'echo -n') the
OTP to the helper's stdin, and see what happens. If it's successful,
it indicates an issue with the PAM setup; if it's not, it might have a
better error message since PAM may be swallowing up what's printed
out.

Best,
Jeff
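The manual reproduction Jeff describes, written out as a small POSIX shell script. This is an added example and is not code from the thread, from the vault-ssh-helper project, or from HashiCorp. It mimics what pam_exec does when sshd calls the helper: PAM_USER is set in the environment, and the password typed at the SSH prompt (here the OTP) arrives on the helper's stdin with no trailing newline. Assumptions not stated on the page: the helper lives at /usr/bin/vault-ssh-helper with its config at /etc/vault-ssh-helper.d/config.hcl, the role is otp_key_role as in the thread, and VAULT_ADDR plus a valid token (for instance from 'vault auth -method=ldap') are already in the environment; the '-field=key' flag of 'vault write' is used to print only the OTP.

```shell
#!/bin/sh
# Added example (not the thread's or HashiCorp's code): run vault-ssh-helper
# by hand the way pam_exec runs it, so the helper's own exit code and error
# text are visible instead of being reduced to
# "pam_exec(sshd:auth): /usr/bin/vault-ssh-helper failed: exit code 1".
#
# Assumptions (not stated on the page): helper at /usr/bin/vault-ssh-helper,
# config at /etc/vault-ssh-helper.d/config.hcl, role otp_key_role, and
# VAULT_ADDR plus a valid token already exported.

# Mint a fresh OTP for USER on IP from an OTP-type SSH role. Prints only the key.
fetch_otp() {
    ip=$1; user=$2; role=${3:-otp_key_role}
    # -field=key prints the OTP alone instead of the full key/value table.
    vault write -field=key "ssh/creds/$role" ip="$ip" username="$user"
}

# Invoke the helper as pam_exec with expose_authtok does: PAM_USER in the
# environment, the OTP on stdin without a trailing newline. The function's
# exit status is the helper's; stdout+stderr are captured in OUTFILE.
run_helper_like_pam() {
    user=$1; otp=$2
    helper=${3:-/usr/bin/vault-ssh-helper}
    config=${4:-/etc/vault-ssh-helper.d/config.hcl}
    outfile=${5:-/tmp/vault-ssh-helper.out}
    printf '%s' "$otp" | PAM_USER="$user" "$helper" -config="$config" >"$outfile" 2>&1
}

# Whole check: mint an OTP for USER@IP, feed it to the helper, print a verdict.
# Returns the helper's exit status (2 if no OTP could be fetched).
diagnose_otp_login() {
    ip=$1; user=$2
    helper=${3:-/usr/bin/vault-ssh-helper}
    config=${4:-/etc/vault-ssh-helper.d/config.hcl}
    outfile=${5:-/tmp/vault-ssh-helper.out}
    otp=$(fetch_otp "$ip" "$user") || { echo "could not fetch an OTP from Vault"; return 2; }
    if run_helper_like_pam "$user" "$otp" "$helper" "$config" "$outfile"; then
        echo "helper accepted the OTP for $user: the remaining problem is on the PAM/sshd side"
    else
        rc=$?
        echo "helper rejected the OTP for $user (exit $rc); helper output follows:"
        cat "$outfile"
        return "$rc"
    fi
}

# Stand-alone use: sh check.sh <ip-of-this-host> <username> [helper] [config] [outfile]
if [ $# -ge 2 ]; then
    diagnose_otp_login "$@"
fi
```

If the helper accepts the OTP here but the SSH login still fails, the fault lies in sshd_config or the PAM stack (for example, the module that ends up handling the password), not in the helper or the Vault side; if it rejects the OTP, the captured output usually names the cause (a mismatched IP, an expired OTP, a TLS or address problem in the config). pam_exec itself can also append the program's output to a file via its log= option, which is the other way to get the helper's own messages into a log.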