dianagudu / motley_cue

A service for mapping OIDC identities to local identities, with local user management
https://motley-cue.readthedocs.io/
MIT License

Password required when logging via "mccli ssh..." #51

Closed benoitroland closed 1 year ago

benoitroland commented 1 year ago

Dear Diana @dianagudu,

I tested the new motley-cue version (v0.4.3) on our compute4punch login node.

I am able to deploy successfully our environment via puppet.

Nevertheless when trying to connect from the login node to the login node itself (the test we do to check that the setup is working fine) via mccli ssh, I am requested for a password, which was not the case before.

The command lines:

    eval `oidc-agent`
    oidc-add punch-aai
    mccli ssh c4p-login-dev.gridka.de --debug

gave the output:

    debug: HTTP requests cache installed at /root/.cache/mccli_cache.sqlite
    info: Trying to get ssh hostname from arguments.
    debug: Running this command to get ssh configuration: ssh -G c4p-login-dev.gridka.de
    debug: Found hostname by parsing command output: c4p-login-dev.gridka.de
    info: Got host 'c4p-login-dev.gridka.de', looking for motley_cue service on host.
    info: Looking for motley_cue service at 'https://c4p-login-dev.gridka.de'...
    info: ...FOUND IT!
    info: No access token provided.
    info: No oidc-agent account provided.
    info: No issuer URL provided.
    info: Trying to get list of supported AT issuers from https://c4p-login-dev.gridka.de...
    info: Using the only issuer supported on service to retrieve token from oidc-agent: https://login.helmholtz.de/oauth2
    info: State of your local account: deployed
    info: Updating local account...
    debug: {
    debug: "state": "deployed",
    debug: "message": "User already existed.",
    debug: "credentials": {
    debug: "description": "Local SSH Test Service",
    debug: "login_help": "Login via mccli ssh {ssh_host}",
    debug: "ssh_host": "localhost",
    debug: "ssh_user": "benoit_roland",
    debug: "commandline": "ssh benoit_roland@localhost"
    debug: }
    debug: }
    Password:

I still need to investigate in which part of the code this request is generated.

Would you have an idea of what could be at the origin of this issue?

Thanks a lot in advance!

Cheers, Benoit

dianagudu commented 1 year ago

Hi Benoit,

yes, there seems to be a problem with the pam module... Can you revert to pam-ssh-oidc_0.1.1-3? Which Linux distribution are you using?

benoitroland commented 1 year ago

Hi Diana,

thanks a lot for your answer.

I am using EL7 (3.10.0-1160.76.1.el7.x86_64).

In my puppet setup, I am installing the package pam-ssh-oidc-autoconfig.

I guess I should use the version 0.1.1-3 for this one as well?

Cheers, Benoit

benoitroland commented 1 year ago

Hello Diana,

so here are some explanations... I am retrieving my rpm from repo.data.kit.edu.

Looking there, I can find:

    pam-ssh-oidc-0.1.1-1.x86_64.rpm
    pam-ssh-oidc-0.1.3-1.x86_64.rpm
    pam-ssh-oidc-autoconfig-0.1.3-1.x86_64.rpm

So the version you specified in your previous message does not seem to be available.

Cheers, Ben

dianagudu commented 1 year ago

Hi,

you're right, that version was not there for centos 7. Meanwhile, I have removed the version 0.1.3-1 from the repo and added an older version as the latest:

    pam-ssh-oidc-0.1.2-8
    pam-ssh-oidc-autoconfig-0.1.2-8

Could you try if it works?

benoitroland commented 1 year ago

Hi Diana,

thanks a lot, I will try with this one.

I guess I should first have it available via satellite, in the mirror repo repo.data.kit.edu which I am using to retrieve all the rpm's. I will let you know when it's done...

Thanks! Cheers, ben

benoitroland commented 1 year ago

Hi Diana,

I just tested using the version pam-ssh-oidc-autoconfig-0.1.2-8, and I got:

    Authentication failed.

rather than:

    Password:

:-)

Cheers, ben

dianagudu commented 1 year ago

Did you also install the pam-ssh-oidc-0.1.2-8 package?

benoitroland commented 1 year ago

No... In my previous settings, I was only using pam-ssh-oidc-autoconfig. I thought one can use one or the other, simply the configuration is directly generated with the one above. Should I install both?

dianagudu commented 1 year ago

Well, the pam-ssh-oidc-autoconfig pulls in pam-ssh-oidc as dependency and does some additional configurations. If version 0.1.3-1 was already installed, it would not install the older version.

Just make sure that you are using the 0.1.2-8 for pam-ssh-oidc as well.
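
Added example (not part of the original thread or of the project's code): a shell check for the advice above that both packages sit on the same version, fed with the output of `rpm -q pam-ssh-oidc pam-ssh-oidc-autoconfig`. The function name `check_pam_oidc_pin` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the motley_cue or pam-ssh-oidc projects.

# check_pam_oidc_pin EXPECTED_VERSION_RELEASE
# Reads `rpm -q pam-ssh-oidc pam-ssh-oidc-autoconfig` output on stdin.
# Prints one line per problem; returns 0 only when both packages are
# installed at exactly EXPECTED_VERSION_RELEASE.
check_pam_oidc_pin() {
    expected=$1
    status=0
    seen_base=no
    seen_auto=no
    while IFS= read -r line; do
        # Match the longer name first: both names share a prefix.
        case $line in
            pam-ssh-oidc-autoconfig-[0-9]*) name=pam-ssh-oidc-autoconfig; seen_auto=yes ;;
            pam-ssh-oidc-[0-9]*)            name=pam-ssh-oidc; seen_base=yes ;;
            *) continue ;;   # e.g. "package ... is not installed"
        esac
        vr=${line#"$name"-}   # drop "name-"
        vr=${vr%.*}           # drop trailing ".arch"
        if [ "$vr" != "$expected" ]; then
            echo "MISMATCH: $name is $vr, expected $expected"
            status=1
        fi
    done
    [ "$seen_base" = yes ] || { echo "MISSING: pam-ssh-oidc"; status=1; }
    [ "$seen_auto" = yes ] || { echo "MISSING: pam-ssh-oidc-autoconfig"; status=1; }
    return "$status"
}

# Constructed sample: the newer module is already installed, so the
# autoconfig package at 0.1.2-8 sits next to pam-ssh-oidc 0.1.3-1.
printf '%s\n' \
    'pam-ssh-oidc-0.1.3-1.x86_64' \
    'pam-ssh-oidc-autoconfig-0.1.2-8.x86_64' |
    check_pam_oidc_pin 0.1.2-8 || echo "pin check failed"
```

On a real node, pipe `rpm -q pam-ssh-oidc pam-ssh-oidc-autoconfig` into the function after each configuration-management run and treat a non-zero exit status as a failed deployment.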

benoitroland commented 1 year ago

ah, okay, thanks for your explanation. But I rebooted and rebuilt the login node, after having updated the configuration in puppet. So it should be a completely fresh deployment. Indeed I got:

    rpm -q pam-ssh-oidc
    pam-ssh-oidc-0.1.2-8.x86_64
    rpm -q pam-ssh-oidc-autoconfig
    pam-ssh-oidc-autoconfig-0.1.2-8.x86_64

So it should be fine, in terms of installation? Still, I will follow your advice, just to avoid any possible mismatch in the future.

benoitroland commented 1 year ago

Hi Diana, I took care of having both pam-ssh-oidc and pam-ssh-oidc-autoconfig in the puppet settings, just to be on the safe side, but the behaviour - Authentication failed - remains.

dianagudu commented 1 year ago

Hi Benoit, luckily Marcus was able to restore the latest working version from back-up. That is 0.1.3-1. Please try again and let me know if it works.

marcvs commented 1 year ago

Luckily... well... I was the one creating this mess, and I'm really sorry about this. Many Thanks to Diana for following up on this!!!

To avoid this for the future, I was to create a testcase.

@benoitroland: you're not by any chance testing this in an automated fashion, are you?

benoitroland commented 1 year ago

Hi Diana, Marcus,

thanks a lot for your help and time.

I was about to test the version 0.1.3-1, but the rpm is not yet available via the mirror of repo.data.kit.edu in satellite. I will ask for an update tomorrow morning if not yet available.

Concerning the way I am testing: the version of pam-ssh-oidc is defined as a parameter in my puppet configuration, and this parameter is changed via the Puppet-Data. Updating the Puppet-Data and running the puppet agent on the login node propagates the changes.

Cheers, Benoit

benoitroland commented 1 year ago

Hi Diana, Marcus,

mccli ssh is working with this version of pam-ssh-oidc.

Thanks a lot to both of you!

Cheers, ben

dianagudu commented 1 year ago

Hi Benoit, that's great to hear! I can then close this issue.