Azure / azure-linux-extensions

Linux Virtual Machine Extensions for Azure
Apache License 2.0

AADLoginForLinux not working with Ubuntu 20.04 image? #1289

Open 9numbernine9 opened 3 years ago

9numbernine9 commented 3 years ago

Hello!

I've recently been testing some virtual machines using Ubuntu 20.04 LTS, and it seems like the AADLoginForLinux extension doesn't appear to work correctly with this version of Ubuntu.

I first tried creating a VM with (substitute values as needed):

az vm create -g resourcegroup -n mynewvm \
  --image "Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest" \
  --admin-username admin --admin-password adminpassword --subnet \
  "/subscriptions/subscriptionid/resourceGroups/resourcegroup/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet"

And then installing the AADLoginForLinux extension thusly:

az vm extension set -n AADLoginForLinux --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH \
  --resource-group resourcegroup --vm-name mynewvm

And after enabling JIT Access for the new VM in the Azure Portal, tried ssh'ing into the VM with my Azure AD credentials:

ssh 9numbernine9@myorg.org@12.34.56.78   # Or whatever the IP address of this new VM happens to be

Instead of receiving the usual "use a web browser to open the page https://microsoft.com/devicelogin" prompt, I'm simply prompted for a password for my account. Using my password for my AD account, unsurprisingly, doesn't work.

Using the admin account that I created, however, if I log into the VM and tail -f /var/log/auth.log while trying to log in with my AD account, I see the following log entries:

Jan 12 19:26:21 mynewvm sshd[3128]: nss_aad: Managed System Identity is not enabled for this VM. Returning a user that may or may not exist.
Jan 12 19:26:21 mynewvm aad_certhandler[3130]: Version: 1.0.014460002; user: 9numbernine9@myorg.org
Jan 12 19:26:21 mynewvm aad_certhandler[3130]: The public key is of type ssh-ed25519, not a certificate.
Jan 12 19:26:21 mynewvm sshd[3128]: AuthorizedKeysCommand /usr/sbin/aad_certhandler 9numbernine9@myorg.org AAAAC3NzaC1lZDI1NTE5AAAAIJVu1e2oZYclyDdRVrSHy+M+OrByjAeijdfjxDrZ/Tkl failed, status 2
Jan 12 19:26:21 mynewvm sshd[3131]: pam_aad(sshd:auth): AadAuthenticate, Version: 1.0.014460002; CorrelationId: f241c6d6-9429-47f7-a894-52ce58449367
Jan 12 19:26:21 mynewvm sshd[3131]: pam_aad(sshd:auth): Cannot find the bearer challenge. ResponseHeaders: HTTP/2 401 #015#012cache-control: no-cache#015#012pragma: no-cache#015#012content-type: application/json; charset=utf-8#015#012expires: -1#015#012www-authenticate: Bearer authorization_uri="https://login.windows.net/7cc12d39-5552-4b22-80b6-70296cdd3312", error="invalid_token", error_description="The authentication failed because of missing 'Authorization' header."#015#012x-ms-failure-cause: gateway#015#012x-ms-request-id: 400076e0-9da6-4c0c-99e8-69c826bc76c9#015#012x-ms-correlation-request-id: 400076e0-9da6-4c0c-99e8-69c826bc76c9#015#012x-ms-routing-request-id: CANADACENTRAL:20210112T192621Z:400076e0-9da6-4c0c-99e8-69c826bc76c9#015#012strict-transport-security: max-age=31536000; includeSubDomains#015#012x-content-type-options: nosniff#015#012date: Tue, 12 Jan 2021 19:26:20 GMT#015#012content-length: 115#015#012#015
Jan 12 19:26:21 mynewvm sshd[3128]: error: PAM: Authentication service cannot retrieve authentication info for 9numbernine9@myorg.org from 111.111.111.111
Jan 12 19:26:22 mynewvm sshd[3128]: Connection closed by authenticating user 9numbernine9@myorg.org 111.111.111.111 port 62461 [preauth]

I'm not exactly sure what's going wrong here in this scenario, but it seems like pam_aad is perhaps having difficulty reaching AD or isn't configured correctly after installing the AADLoginForLinux extension? Note that the exact same set of steps works for an Ubuntu 18.04 VM (Canonical:UbuntuServer:18_04-lts-gen2:18.04.202101081) and /var/log/auth.log shows everything working correctly:

Jan 12 21:02:25 mynewvm_1804 sshd[3076]: nss_aad: Managed System Identity is not enabled for this VM. Returning a user that may or may not exist.
Jan 12 21:02:25 mynewvm_1804 aad_certhandler[3084]: Version: 1.0.014460002; user: 9numbernine9@myorg.org
Jan 12 21:02:25 mynewvm_1804 aad_certhandler[3084]: The public key is of type ssh-ed25519, not a certificate.
Jan 12 21:02:25 mynewvm_1804 sshd[3076]: AuthorizedKeysCommand /usr/sbin/aad_certhandler 9numbernine9@myorg.org AAAAC3NzaC1lZDI1NTE5AAAAIJVu1e2oZYclyDdRVrSHy+M+OrByjAeijdfjxDrZ/Tkl failed, status 2
Jan 12 21:02:25 mynewvm_1804 sshd[3085]: pam_aad(sshd:auth): AadAuthenticate, Version: 1.0.014460002; CorrelationId: 13b63ff9-4ede-4298-92b9-2d994dc2593a
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: pam_aad(sshd:account): AadAuthorize, Version: 1.0.014460002; CorrelationId: 13b63ff9-4ede-4298-92b9-2d994dc2593a
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: pam_aad(sshd:account): Login granted for 9numbernine9@myorg.org as an admin.
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: nss_aad: Managed System Identity is not enabled for this VM. Returning a user that may or may not exist.
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: pam_aad(sshd:account): First call for 9numbernine9@myorg.org. Provisioning user data.
Jan 12 21:02:39 mynewvm_1804 aaduseradd[3091]: new user: name=9numbernine9@myorg.org, UID=3544131, GID=3544131, home=/home/9numbernine9, shell=/bin/bash
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: pam_aad(sshd:account): Adding 9numbernine9@myorg.org to aad_admins.
Jan 12 21:02:39 mynewvm_1804 gpasswd[3097]: user 9numbernine9@myorg.org added by root to group aad_admins
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: pam_aad(sshd:account): Adding 9numbernine9@myorg.org to admin.
Jan 12 21:02:39 mynewvm_1804 gpasswd[3101]: user 9numbernine9@myorg.org added by root to group admin
Jan 12 21:02:39 mynewvm_1804 sshd[3076]: Accepted keyboard-interactive/pam for 9numbernine9@myorg.org from 111.111.111.111 port 22626 ssh2
Jan 12 21:02:39 mynewvm_1804 sshd[3076]: pam_unix(sshd:session): session opened for user 9numbernine9@myorg.org by (uid=0)

Any suggestions or insights into this issue would be greatly appreciated!
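The two auth.log excerpts above differ only after the `AadAuthenticate` line, so a triage script should key on the pam_aad stages rather than on the `AuthorizedKeysCommand ... failed, status 2` noise that appears in both runs. The following is an added example, not code from the original post or from the AADLoginForLinux extension: it parses syslog-style sshd lines, groups pam_aad entries by sshd PID, and reports one outcome per attempt together with the CorrelationId and tenant id a support ticket would need. The three sample logs are constructed from the lines quoted in this thread (the 401 header dump is shortened); the outcome labels and field names are this example's own, and it classifies the failure without claiming to know its root cause.

```python
"""Triage Azure AD SSH login attempts from /var/log/auth.log.

Added example for this issue thread; it is not part of the AADLoginForLinux
extension or of the azure-linux-extensions repository. The sample logs are
constructed from (and abbreviated to) the lines quoted in the thread.
"""
import re

# Constructed sample 1: the failing Ubuntu 20.04 attempt (401 header dump shortened).
FAILING_LOG = r"""
Jan 12 19:26:21 mynewvm sshd[3128]: nss_aad: Managed System Identity is not enabled for this VM. Returning a user that may or may not exist.
Jan 12 19:26:21 mynewvm aad_certhandler[3130]: The public key is of type ssh-ed25519, not a certificate.
Jan 12 19:26:21 mynewvm sshd[3128]: AuthorizedKeysCommand /usr/sbin/aad_certhandler 9numbernine9@myorg.org AAAAC3NzaC1lZDI1NTE5 failed, status 2
Jan 12 19:26:21 mynewvm sshd[3131]: pam_aad(sshd:auth): AadAuthenticate, Version: 1.0.014460002; CorrelationId: f241c6d6-9429-47f7-a894-52ce58449367
Jan 12 19:26:21 mynewvm sshd[3131]: pam_aad(sshd:auth): Cannot find the bearer challenge. ResponseHeaders: HTTP/2 401 #015#012www-authenticate: Bearer authorization_uri="https://login.windows.net/7cc12d39-5552-4b22-80b6-70296cdd3312", error="invalid_token", error_description="The authentication failed because of missing 'Authorization' header."#015#012
Jan 12 19:26:21 mynewvm sshd[3128]: error: PAM: Authentication service cannot retrieve authentication info for 9numbernine9@myorg.org from 111.111.111.111
Jan 12 19:26:22 mynewvm sshd[3128]: Connection closed by authenticating user 9numbernine9@myorg.org 111.111.111.111 port 62461 [preauth]
"""

# Constructed sample 2: the working Ubuntu 18.04 attempt (user provisioning lines omitted).
WORKING_LOG = r"""
Jan 12 21:02:25 mynewvm_1804 sshd[3076]: nss_aad: Managed System Identity is not enabled for this VM. Returning a user that may or may not exist.
Jan 12 21:02:25 mynewvm_1804 sshd[3076]: AuthorizedKeysCommand /usr/sbin/aad_certhandler 9numbernine9@myorg.org AAAAC3NzaC1lZDI1NTE5 failed, status 2
Jan 12 21:02:25 mynewvm_1804 sshd[3085]: pam_aad(sshd:auth): AadAuthenticate, Version: 1.0.014460002; CorrelationId: 13b63ff9-4ede-4298-92b9-2d994dc2593a
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: pam_aad(sshd:account): AadAuthorize, Version: 1.0.014460002; CorrelationId: 13b63ff9-4ede-4298-92b9-2d994dc2593a
Jan 12 21:02:39 mynewvm_1804 sshd[3085]: pam_aad(sshd:account): Login granted for 9numbernine9@myorg.org as an admin.
Jan 12 21:02:39 mynewvm_1804 sshd[3076]: Accepted keyboard-interactive/pam for 9numbernine9@myorg.org from 111.111.111.111 port 22626 ssh2
"""

# Constructed sample 3: an attempt where pam_aad never logged anything (only pam_unix did).
NO_PAM_AAD_LOG = r"""
Aug 22 01:47:08 denis-Virtual-Machine sshd[81513]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.26.64.1
Aug 22 01:47:09 denis-Virtual-Machine sshd[81513]: Failed password for invalid user southamerica\ddemello from 172.26.64.1 port 56390 ssh2
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
PAM_AAD = re.compile(r"^pam_aad\(sshd:(?P<stage>\w+)\): (?P<text>.*)$")
CORR = re.compile(r"CorrelationId: (?P<cid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})")
TENANT = re.compile(r'authorization_uri="https://login\.windows\.net/(?P<tenant>[0-9a-f-]{36})"')
AKC = re.compile(r"^AuthorizedKeysCommand \S+ (?P<user>\S+) \S+ failed, status (?P<status>\d+)$")
PAM_ERR = re.compile(r"^error: PAM: (?P<text>.*) for (?P<user>\S+) from (?P<src>\S+)$")
INVALID_USER = re.compile(r"^Failed password for invalid user (?P<user>\S+) from (?P<src>\S+)")


def _new_attempt(pid, user=None, cid=None, outcome="pending", detail=None):
    return {"pid": pid, "user": user, "correlation_id": cid, "tenant": None,
            "outcome": outcome, "detail": detail, "sshd_error": None}


def triage(log_text):
    """Summarise Azure AD SSH login attempts: MSI state, whether the client offered a
    plain key, and one entry per attempt with outcome, CorrelationId and tenant id."""
    summary = {"msi_enabled": True, "plain_key_offered": False, "attempts": []}
    by_pid = {}  # sshd pid -> attempt, so account-stage lines join their auth-stage line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group("prog") != "sshd":
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("nss_aad: Managed System Identity is not enabled"):
            summary["msi_enabled"] = False
        elif (a := AKC.match(msg)) and a.group("status") == "2":
            # Present in the working run too: the client offered an ordinary key,
            # not an AAD-issued certificate, so this line is not the failure.
            summary["plain_key_offered"] = True
        elif (p := PAM_AAD.match(msg)):
            text = p.group("text")
            if text.startswith("AadAuthenticate"):
                c = CORR.search(text)
                attempt = _new_attempt(pid, cid=c.group("cid") if c else None)
                by_pid[pid] = attempt
                summary["attempts"].append(attempt)
            elif (attempt := by_pid.get(pid)) is not None:
                if text.startswith("Cannot find the bearer challenge"):
                    attempt["outcome"] = "bearer_challenge_missing"
                    t = TENANT.search(text)
                    attempt["tenant"] = t.group("tenant") if t else None
                    attempt["detail"] = text.split(". ResponseHeaders:", 1)[0]
                elif text.startswith("Login granted for "):
                    attempt["outcome"] = "granted"
                    attempt["user"] = text.split()[3]
                    attempt["detail"] = text
        elif (e := PAM_ERR.match(msg)) and summary["attempts"]:
            last = summary["attempts"][-1]        # sshd logs this from the parent pid
            last["user"] = last["user"] or e.group("user")
            last["sshd_error"] = e.group("text")
        elif (i := INVALID_USER.match(msg)):
            # No pam_aad line for this pid at all: the request died in pam_unix.
            summary["attempts"].append(_new_attempt(
                pid, user=i.group("user"), outcome="invalid_user_no_pam_aad", detail=msg))
    return summary


if __name__ == "__main__":
    for name, log in (("20.04", FAILING_LOG), ("18.04", WORKING_LOG), ("no pam_aad", NO_PAM_AAD_LOG)):
        print(name, triage(log))
```

Run it against a real file with `triage(open("/var/log/auth.log").read())`; an attempt that stays `pending` means the auth stage logged nothing further, which is itself worth noting before filing a ticket.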

harshavmb commented 3 years ago

I spent some time on this issue. In my case (RedHat 7), I had to make the changes below for the browser login prompt.

Having made the above changes, my custom RedHat7 image worked like the marketplace image.

I'm not sure the above changes would help, as the OS distro itself is different, but I thought of sharing them with you in case that's the reason.

Also, the extension documentation is poor and the source code is not available for a dry run :(

Good luck!

roy-work commented 2 years ago

AADLogin has changed somewhat significantly since. (E.g., it now uses ssh certs.)

I tested this again today, and it appears to work now? pam_aad appears to still be part of how it functions, so I'm not completely sure. (I.e., it might not have been the change to certs that cause this to change.) Perhaps something else was fixed, and MS has simply neglected to update the issue.

ddemello commented 2 years ago

Having the same issue here with Ubuntu 20.04.

Aug 22 01:47:08 denis-Virtual-Machine sshd[81513]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.26.64.1
Aug 22 01:47:09 denis-Virtual-Machine sshd[81513]: Failed password for invalid user southamerica\ddemello from 172.26.64.1 port 56390 ssh2
Aug 22 01:47:11 denis-Virtual-Machine sudo: omsagent : problem with defaults entries ; TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/3.x ; USER=root ;
Aug 22 01:47:11 denis-Virtual-Machine sudo: omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/3.x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSAuditdPlugin.sh get /var/opt/microsoft/omsagent/917d30b7-ff0d-45ae-bc8c-f0c6ee05b1bf/tmp
Aug 22 01:47:11 denis-Virtual-Machine sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 22 01:47:11 denis-Virtual-Machine sudo: pam_unix(sudo:session): session closed for user root
Aug 22 01:47:13 denis-Virtual-Machine CRON[81480]: pam_unix(cron:session): session closed for user omsagent
Aug 22 01:50:01 denis-Virtual-Machine CRON[81833]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 22 01:50:01 denis-Virtual-Machine CRON[81833]: pam_unix(cron:session): session closed for user root

Is there anyone aware of this issue? I set up the IAM privileges on the right Resource Group following this page: https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#azure-ad-portal

vdaswani commented 1 year ago

Any resolution for the above issue?

I am also facing an issue related to PAM while installing aadsshlogin: AuthPAMMissing

audunsolemdal commented 1 year ago

https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#supported-linux-distributions-and-azure-regions

Should be supported according to this doc, but I am also getting this issue on a fresh install of ubuntu2204. Works fine on my old ubuntu1804 jumpboxes which I am trying to replace..

Status message:
[ExtensionOperationError] Non-zero exit code: 51, /var/lib/waagent/Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3/./installer.sh install
[stdout]
Machine OS: ubuntu v22.04
Installing...
Stopping apt-daily.timer
Stopping apt-daily-upgrade.timer
Skipping curl installation
Configuring microsoft-prod repo
Package aadlogin is not published for this version of Linux
Starting apt-daily-upgrade.timer
Starting apt-daily.timer
[stderr]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    16  100    16    0     0    717      0 --:--:-- --:--:-- --:--:--   727

Edit: seems like I was after the AADSSHLogin extension rather than AADLoginForLinux.

RoFz commented 5 months ago

Just got this for an Ubuntu VM using the following image:

    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"

lsb_release -a:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

/var/log/waagent.log:

2024-03-28T18:11:23.782275Z INFO ExtHandler [Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3] Executing command: /var/lib/waagent/Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3/./installer.sh install with environment variables: {"AZURE_GUEST_AGENT_UNINSTALL_CMD_EXIT_CODE": "NOT_RUN", "AZURE_GUEST_AGENT_EXTENSION_PATH": "/var/lib/waagent/Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3", "AZURE_GUEST_AGENT_EXTENSION_VERSION": "1.0.1588.3", "AZURE_GUEST_AGENT_WIRE_PROTOCOL_ADDRESS": "168.63.129.16", "ConfigSequenceNumber": "0", "AZURE_GUEST_AGENT_EXTENSION_SUPPORTED_FEATURES": "[{\"Key\": \"ExtensionTelemetryPipeline\", \"Value\": \"1.0\"}]"}
2024-03-28T18:11:37.802369Z ERROR ExtHandler ExtHandler Event: name=Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux, op=Install, message=[ExtensionOperationError] Non-zero exit code: 51, /var/lib/waagent/Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3/./installer.sh install
[stdout]
Machine OS: ubuntu v22.04
Installing...
Stopping apt-daily.timer
Stopping apt-daily-upgrade.timer
Skipping curl installation
Configuring microsoft-prod repo
Package aadlogin is not published for this version of Linux
Starting apt-daily-upgrade.timer
Starting apt-daily.timer

[stderr]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    16  100    16    0     0   1201      0 --:--:-- --:--:-- --:--:--  1230
, duration=0
2024-03-28T18:11:37.803653Z INFO ExtHandler ExtHandler Downloading extension manifest

Update: this extension has been deprecated and replaced by:

    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADSSHLoginForLinux \

More info here.
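The waagent.log excerpt above is the place to look before touching sshd or PAM: the extension never installed, and waagent appends the installer's captured `[stdout]`/`[stderr]` to the ERROR event up to a `, duration=` terminator. The following is an added example, not code from the repository or from either extension: it walks a waagent.log, collects each non-zero-exit extension event with its multi-line capture, pulls out the `Machine OS:` line and the "not published" reason, and flags the deprecated publisher/name pair with the replacement named in the update above. The log sample is constructed from the excerpt in this comment; the terminator and section markers are assumed to look exactly as quoted there, and the `az vm extension set` argv builder only assembles the command without running it.

```python
"""Extract extension install failures from /var/log/waagent.log and map the
deprecated AADLoginForLinux extension to its replacement.

Added example for this thread; not part of the azure-linux-extensions repository
or of either extension. The log sample is constructed from the waagent.log excerpt
quoted in the thread, and the replacement mapping is the one the final update gives.
"""
import re

# Constructed sample, abbreviated from the thread's waagent.log excerpt.
WAAGENT_LOG = r"""
2024-03-28T18:11:23.782275Z INFO ExtHandler [Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3] Executing command: /var/lib/waagent/Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3/./installer.sh install with environment variables: {"ConfigSequenceNumber": "0"}
2024-03-28T18:11:37.802369Z ERROR ExtHandler ExtHandler Event: name=Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux, op=Install, message=[ExtensionOperationError] Non-zero exit code: 51, /var/lib/waagent/Microsoft.Azure.ActiveDirectory.LinuxSSH.AADLoginForLinux-1.0.1588.3/./installer.sh install
[stdout]
Machine OS: ubuntu v22.04
Installing...
Stopping apt-daily.timer
Stopping apt-daily-upgrade.timer
Skipping curl installation
Configuring microsoft-prod repo
Package aadlogin is not published for this version of Linux
Starting apt-daily-upgrade.timer
Starting apt-daily.timer

[stderr]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
, duration=0
2024-03-28T18:11:37.803653Z INFO ExtHandler ExtHandler Downloading extension manifest
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z (?P<level>[A-Z]+) ")
EVENT = re.compile(
    r"Event: name=(?P<name>[\w.]+), op=(?P<op>\w+), "
    r"message=\[(?P<error>\w+)\] Non-zero exit code: (?P<code>\d+), (?P<command>.*)$")
MACHINE_OS = re.compile(r"^Machine OS: (?P<distro>\S+) v(?P<version>[\d.]+)$")
NOT_PUBLISHED = "is not published for this version of Linux"

# Deprecated (publisher, name) -> replacement, as stated in the thread's final update.
DEPRECATED = {
    ("Microsoft.Azure.ActiveDirectory.LinuxSSH", "AADLoginForLinux"):
        ("Microsoft.Azure.ActiveDirectory", "AADSSHLoginForLinux"),
}


def extension_failures(log_text):
    """Return one dict per ERROR event with a non-zero exit code, including the
    multi-line [stdout]/[stderr] capture that waagent appends to the message."""
    failures, current, section = [], None, None
    for line in log_text.splitlines():
        ts = TS.match(line)
        if ts:
            if current is not None:          # previous message ended without a terminator
                failures.append(current)
                current = None
            ev = EVENT.search(line)
            if ev and ts.group("level") == "ERROR":
                current = {"name": ev.group("name"), "op": ev.group("op"),
                           "error": ev.group("error"), "exit_code": int(ev.group("code")),
                           "command": ev.group("command"), "stdout": [], "stderr": []}
                section = None
            continue
        if current is None:
            continue
        if line.startswith(", duration="):   # waagent's terminator for the captured output
            failures.append(current)
            current = None
        elif line in ("[stdout]", "[stderr]"):
            section = line[1:-1]
        elif section and line.strip():
            current[section].append(line)
    if current is not None:
        failures.append(current)
    for f in failures:
        f["os"] = f["reason"] = None
        for captured in f["stdout"]:
            m = MACHINE_OS.match(captured)
            if m:
                f["os"] = (m.group("distro"), m.group("version"))
            elif NOT_PUBLISHED in captured:
                f["reason"] = captured
        publisher, _, ext = f["name"].rpartition(".")
        f["replacement"] = DEPRECATED.get((publisher, ext))
    return failures


def az_extension_set_argv(publisher, name, resource_group, vm_name):
    """argv for the `az vm extension set` call that installs the given extension."""
    return ["az", "vm", "extension", "set", "--publisher", publisher, "--name", name,
            "--resource-group", resource_group, "--vm-name", vm_name]


if __name__ == "__main__":
    for f in extension_failures(WAAGENT_LOG):
        print(f"{f['name']} {f['op']} exit={f['exit_code']} os={f['os']} reason={f['reason']}")
        if f["replacement"]:   # resource group and VM name below are placeholders
            print("  deprecated; install instead:",
                  " ".join(az_extension_set_argv(*f["replacement"], "resourcegroup", "mynewvm")))
```

On a fleet, feed each VM's `/var/log/waagent.log` through `extension_failures` and alert on any entry whose `replacement` is set, since that VM is still being provisioned with the deprecated extension regardless of whether the install happened to succeed.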