Vault SSH OTP key is not working


Black

May 29, 2018, 9:03:51 AM
to Vault
I was able to generate an OTP key, but the OTP key is not working when I try to SSH to 10.50.1.31.


10.50.1.31 is the IP of the Vault server, and I want to generate an SSH OTP password on this server.

[root@localhost ~]# vault write ssh/creds/otp_key_role ip=10.50.1.31
Key Value
--- -----
lease_id ssh/creds/otp_key_role/32200259-5c89-5189-b140-426c1199cc4c
lease_duration 768h
lease_renewable false
ip 10.50.1.31
key e6b745ec-feef-fc6f-62ac-41379e8ab602
key_type otp
port 22
username admin
[root@localhost ~]# ssh ad...@10.50.1.31
Password:
Password:
Password:
ad...@10.50.1.31's password:
Permission denied, please try again.
ad...@10.50.1.31's password:
Permission denied, please try again.
ad...@10.50.1.31's password:
Received disconnect from 10.50.1.31 port 22:2: Too many authentication failures
Authentication failed.


/etc/pam.d/sshd

#%PAM-1.0
#auth required pam_sepermit.so
#auth substack password-auth
#auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
#@include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config-file=/etc/vault-ssh-helper/config.hcl
auth optional pam_unix.so no_set_pass use_first_pass nodelay
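An added checker (not from this thread or from the Vault project) for the two files that decide whether an OTP login works: the PAM stack above and sshd_config. It encodes the sshd_config directives the vault-ssh-helper documentation requires (ChallengeResponseAuthentication yes, UsePAM yes, PasswordAuthentication no), verifies that an active auth line runs the helper through pam_exec.so with expose_authtok, and flags the pam_unix option spelled no_set_pass, which pam_unix does not recognize (its option is not_set_pass). Both sample inputs are constructed: the PAM text mirrors the post above; the sshd_config is a typical default, not the poster's file.

```python
# Constructed samples: the PAM stack from the post above and a typical default sshd_config.
PAM_SSHD = """#%PAM-1.0
#auth required pam_sepermit.so
#auth substack password-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /usr/local/bin/vault-ssh-helper -config-file=/etc/vault-ssh-helper/config.hcl
auth optional pam_unix.so no_set_pass use_first_pass nodelay
"""
SSHD_CONFIG = """PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# sshd_config directives required by the vault-ssh-helper documentation (keys are case-insensitive in sshd).
REQUIRED_SSHD = {"ChallengeResponseAuthentication": "yes", "UsePAM": "yes", "PasswordAuthentication": "no"}

def active_lines(text):
    """Yield stripped lines that are neither empty nor comments (PAM's leading '-' marker is kept)."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            yield s

def check_pam(text):
    """Return a list of findings about the auth phase of a /etc/pam.d/sshd file."""
    findings = []
    auth = [l.split() for l in active_lines(text) if l.split()[0].lstrip("-") == "auth"]
    helper = [f for f in auth if "pam_exec.so" in f and any("vault-ssh-helper" in a for a in f)]
    if not helper:
        findings.append("no active auth line runs vault-ssh-helper via pam_exec.so")
    elif "expose_authtok" not in helper[0]:
        findings.append("pam_exec.so line lacks expose_authtok, so the OTP is never passed to the helper")
    for f in auth:
        if "pam_unix.so" in f and "no_set_pass" in f:
            findings.append("pam_unix.so option 'no_set_pass' is not recognized; pam_unix spells it 'not_set_pass'")
    return findings

def check_sshd(text):
    """Return a list of findings for sshd_config; sshd honours the first occurrence of a directive."""
    seen = {}
    for l in active_lines(text):
        parts = l.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return [f"sshd_config: {k} should be '{v}' (found {seen.get(k.lower(), 'unset')!r})"
            for k, v in REQUIRED_SSHD.items() if seen.get(k.lower()) != v]

if __name__ == "__main__":
    for finding in check_pam(PAM_SSHD) + check_sshd(SSHD_CONFIG):
        print(finding)
```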

Black

May 29, 2018, 9:25:48 AM
to Vault
Tried to generate an OTP and tried to log in, but it won't let me log in.

[root@localhost ~]# ssh ad...@10.50.3.81
The authenticity of host '10.50.3.81 (10.50.3.81)' can't be established.
ECDSA key fingerprint is SHA256:2unjQNwD8A/xQ/8cTUZ/hcZhmnlwW8KLpamjfKUU5k0.
ECDSA key fingerprint is MD5:bf:88:92:af:0d:65:77:f2:b4:5d:d3:5c:26:b5:61:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.50.3.81' (ECDSA) to the list of known hosts.
Password:
Password:
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).


[root@localhost ~]# vault-ssh-helper -verify -config-file=/etc/vault-ssh-helper/config.hcl
2018/05/29 21:16:18 [INFO] Using SSH Mount point: ssh
2018/05/29 21:16:18 [INFO] Agent verification successful!
[root@localhost ~]# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.50.3.81


Vishal Nayak

May 29, 2018, 10:00:12 AM
to Vault
Hi there,

Can you also share your sshd configuration?

Regards,
Vishal

Black

May 30, 2018, 1:27:17 AM
to Vault
Hi Vishal,

Here is the /etc/pam.d/sshd of 10.50.3.81.
OS is CentOS 7.

#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth

Black

May 30, 2018, 1:28:44 AM
to Vault
Here is the configuration file /etc/pam.d/sshd of 10.50.3.81.
OS is CentOS 7.

#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth

Miss.Sh. Aghababaee

Jan 21, 2020, 3:44:53 AM
to Vault
Yes, I have this problem :(((


On Tuesday, May 29, 2018, at 17:33:51 (UTC+4:30), Black wrote: