himmelblau-idm / himmelblau

Azure Entra ID Authentication, with PAM and NSS modules.
GNU General Public License v3.0

SSH Authentication Error on RHEL 9: GeneralFailure("InvalidClientRequest") #143

Closed andiariffin closed 1 month ago

andiariffin commented 1 month ago

Description

I am experiencing an issue when attempting to use SSH with Himmelblau. The following error message is displayed:

[sysadmin@xxx]$ 00000000-0000-0000-0000-000000000000 INFO     i [info]: Authentication successful for user 'andi@mycompanydomain.com'
00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: GeneralFailure("InvalidClientRequest")

Steps to Reproduce

  1. Attempt to SSH into the server (localhost): ssh andi@mycompanydomain.com@localhost
  2. Enter credentials: andi@mycompanydomain.com@localhost's password:
  3. SSH failed: Permission denied, please try again.

Expected Behavior

Once the correct password is entered, the login process is followed by entering the MFA token. Once the correct token is entered, users can log into the server using their Entra ID account.

Actual Behavior

The SSH attempt fails after entering the correct password, and the error message [error]: GeneralFailure("InvalidClientRequest") is displayed.

Additional Context

OS: RHEL 9.4 (Plow)
Himmelblau version: main (latest commit: https://github.com/himmelblau-idm/himmelblau/commit/363a31a1ea36feade281c9ba198f13501e80cff9)

PAM configuration:

[root@xxx pam.d]# pwd
/etc/pam.d
[root@xxx pam.d]# grep -iR "himmel"
password-auth:auth        sufficient                                   pam_himmelblau.so ignore_unknown_user
password-auth:account     sufficient                                   pam_himmelblau.so ignore_unknown_user
password-auth:session     optional                                     pam_himmelblau.so
[root@xxx pam.d]# 

Himmelblau configuration (himmelblau.conf):

[global]
domains = mycompanydomain.com
pam_allow_groups = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,andi@mycompanydomain.com
enable_hello = false

Himmelblau daemon is started using the following command:

[sysadmin@xxx himmelblau]$ /home/sysadmin/himmelblau/target/debug/himmelblaud -d -c /etc/himmelblau/himmelblau.conf &
[sysadmin@xxx himmelblau]$ sudo /home/sysadmin/himmelblau/target/debug/himmelblaud_tasks &

Running the auth-test is successful:

[sysadmin@xxx himmelblau]$ ./target/debug/aad-tool auth-test --name andi@mycompanydomain.com
Password: 
Please type in the code displayed on your authenticator app from your device:
Code: 
auth success!
[sysadmin@xxx himmelblau]$ 

Running the getent command also returns a result:

[sysadmin@xxx himmelblau]$ getent passwd andi@mycompanydomain.com
andi@mycompanydomain.com:x:8470000:8470000:Andi Ariffin:/home/andi@mycompanydomain.com:/bin/bash
[sysadmin@xxx himmelblau]$ getent group andi@mycompanydomain.com
andi@mycompanydomain.com:x:8470000:andi@mycompanydomain.com
[sysadmin@xxx himmelblau]$ 

If you need the full himmelblaud debug log, please let me know. Thank you for looking into this issue.

andiariffin commented 1 month ago

I managed to solve the issue; actually it is due to the sshd configuration. Changing the ChallengeResponseAuthentication value from no to yes in /etc/ssh/sshd_config.d/50-redhat.conf solved the issue.
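To show why the drop-in's value wins on RHEL 9, here is an added example (not from the issue or from himmelblau itself) that resolves sshd's effective options the way sshd does, expanding Include in place and keeping the first value seen for each option, and lists what would block the PAM keyboard-interactive flow that pam_himmelblau relies on. The file layout and contents are constructed; treating ChallengeResponseAuthentication as an alias of KbdInteractiveAuthentication follows OpenSSH's own behaviour.

```python
import fnmatch
import re

# sshd treats ChallengeResponseAuthentication as the old alias of
# KbdInteractiveAuthentication; pam_himmelblau's MFA prompt needs it enabled.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
OPTION_RE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")  # "Key value" or "Key=value"

def effective_settings(files, entry="/etc/ssh/sshd_config"):
    """Effective global sshd options from a {path: text} mapping. Include globs
    are expanded in place and the FIRST value seen wins, as in sshd itself."""
    effective = {}

    def walk(path):
        for raw in files.get(path, "").splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            key, value = OPTION_RE.match(line).groups()
            key = ALIASES.get(key.lower(), key.lower())
            if key == "match":  # global options cannot follow a Match block
                break
            if key == "include":
                for pattern in value.split():
                    for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        walk(inc)
                continue
            effective.setdefault(key, (value.strip(), path))
    walk(entry)
    return effective

def mfa_problems(files, entry="/etc/ssh/sshd_config"):
    """Reasons sshd would not route the password and MFA code through PAM."""
    eff = effective_settings(files, entry)
    problems = []
    use_pam, where = eff.get("usepam", ("no", "sshd default"))
    if use_pam.lower() != "yes":
        problems.append(f"UsePAM is {use_pam} (from {where})")
    kbd, where = eff.get("kbdinteractiveauthentication", ("yes", "sshd default"))
    if kbd.lower() != "yes":
        problems.append(f"KbdInteractiveAuthentication is {kbd} (from {where})")
    return problems

# Constructed sample mirroring the RHEL 9 layout from the issue: the main file
# includes sshd_config.d/*.conf first, so the drop-in's "no" wins over the
# "yes" that appears later in the main file.
BROKEN = {"/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nUsePAM yes\n"
                                  "KbdInteractiveAuthentication yes\n",
          "/etc/ssh/sshd_config.d/50-redhat.conf": "ChallengeResponseAuthentication no\n"}
FIXED = {**BROKEN,
         "/etc/ssh/sshd_config.d/50-redhat.conf": "ChallengeResponseAuthentication yes\n"}
```

Calling mfa_problems(BROKEN) names the drop-in as the source of the "no", while mfa_problems(FIXED) returns an empty list.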

dmulder commented 1 month ago

Ah, sorry. I should have noted this in the wiki perhaps. The default in openSUSE works, but the sshd config does need to be modified on some distros.