kenelmulric_d Absent Member.

SSH access requires password even if it's on Credential Vault

Hi All,

I'm having a problem when a user accesses SSH (Portal or via PuTTY using Port 2222). Some servers ask for a credential while some don't. All passwords are on the Credential Vault. And it's regardless of OS, i.e. (2 Solaris 10 servers; 1 requires a password, the other 1 doesn't). The rule looks like this:

[image: https://i.imgur.com/a9tNkc5.png]

Anyone experienced this issue?

Things to note:
pamprime is a created user on each Non-Windows Server that are on the Non-Windows Server Host Group
pamprime credentials are inputted in the Credential Vault
Account Domain and Credential is Blank
Run User: pamprime (local account)
Run Host: Non-Windows Server (Non-Windows Server Host Group)
cpedersen Outstanding Contributor.

Re: SSH access requires password even if it's on Credential Vault

On 06.08.18 08:24, kenelmulric d wrote:
>
> Hi All,
>
> I'm having a problem when a user accesses SSH (Portal or via PuTTY using
> Port 2222). Some servers ask for a credential while some don't. All
> passwords are on the Credential Vault. And it's regardless of OS, i.e. (2
> Solaris 10 servers; 1 requires a password, the other 1 doesn't). The rule
> looks like this:
>
> [image: https://i.imgur.com/a9tNkc5.png]
>
> Anyone experienced this issue?
>
> Things to note:
> pamprime is a created user on each Non-Windows Server that are on the
> Non-Windows Server Host Group
> pamprime credentials are inputted in the Credential Vault
> Account Domain and Credential is Blank
> Run User: pamprime (local account)
> Run Host: Non-Windows Server (Non-Windows Server Host Group)
>
>


Have a look at the client log:

Add "<ClientLog level="info" file="logs/client.log" max_size="10"/>" to
your unifi.xml:

<Unifi db_sync="1" service_name="npum">
  <Log level="info" file="logs/unifid.log" max_size="10"/>
  <ClientLog level="debug" file="logs/client.log" max_size="10"/>
  .....


The client log will show the connection from the ssh-relay to the
destination server, and could probably help you.

Have you tried with:

Credentials: "Run User@Run Host"
<<<< that will point back to the credential vault

Run User: "root"
Run Host: Your Host Group



Casper

kenelmulric_d Absent Member.

Re: SSH access requires password even if it's on Credential V

I believe this is what you are saying?


Still the same.


Is that the same as changing the Log Level to Info on the PAM Console?
kenelmulric_d Absent Member.

Re: SSH access requires password even if it's on Credential V

Anyone can help me with this?

Having problems with this still 😕
Micro Focus Expert

Re: SSH access requires password even if it's on Credential V

I was only able to duplicate your issue if I had the Credential blank where "Run User@Run Host" was not set. It appears you have that set and it isn't working. I have only seen this if the credential that PAM has is incorrect (i.e. wrong password in vault for that ssh account domain). In this case, I'd recommend deleting the 'pamprime' credential from the ssh account domains where the password prompt appears and then recreating the credential new. May need to set the "Credential" back if necessary in the SSH Account Domain settings afterwards as well.

If that doesn't work either, are you using password or private key for the 'pamprime' credential?

As Casper mentioned, the client log will help provide more details. I'd check the following places:
- client.log (sshrelay -> target server): see TID 7021106 - How to enable the Client Log
- target server's /var/log/messages or /var/log/syslog (it may show attempts at login and have some reason for failure explained there as well)
kenelmulric_d Absent Member.

Re: SSH access requires password even if it's on Credential V

tdharris;2486184 wrote:
I was only able to duplicate your issue if I had the Credential blank where "Run User@Run Host" was not set. It appears you have that set and it isn't working. I have only seen this if the credential that PAM has is incorrect (i.e. wrong password in vault for that ssh account domain). In this case, I'd recommend deleting the 'pamprime' credential from the ssh account domains where the password prompt appears and then recreating the credential new. May need to set the "Credential" back if necessary in the SSH Account Domain settings afterwards as well.

If that doesn't work either, are you using password or private key for the 'pamprime' credential?

As Casper mentioned, the client log will help provide more details. I'd check the following places:
- client.log (sshrelay -> target server): see TID 7021106 - How to enable the Client Log
- target server's /var/log/messages or /var/log/syslog (it may show attempts at login and have some reason for failure explained there as well)



Hi Tyler,

Yes, the credential is set to Run User@Run Host. And I have corrected the password for the credential on the credential vault. I also removed the credential and created it again. I've also removed the account domain, looked up the ssh host key, and retyped the password. I'm sure that my password is correct as I have logged in to the server using that same credential w/o PAM.

I'm using a password for the pamprime credential.

As per the logs, I'm not seeing anything that pertains to any error. The same on the var log as well, I've tailed the log messages to see if it will generate any, but there is none.

Not really sure what I'm facing here.

Thanks for your response!
Micro Focus Expert

Re: SSH access requires password even if it's on Credential V

Strange, try the client.log as well to see the sshrelay details from pam server => target server: https://www.novell.com/support/kb/doc.php?id=7021106
kenelmulric_d Absent Member.

Re: SSH access requires password even if it's on Credential V

tdharris;2486252 wrote:
Strange, try the client.log as well to see the sshrelay details from pam server => target server: https://www.novell.com/support/kb/doc.php?id=7021106


Where will I put the ClientLog level? On the XML on the PAM Manager? Or on the agent?
And is this correct?
Micro Focus Expert

Re: SSH access requires password even if it's on Credential V

No that's not correct, it needs to be nested underneath <Unifi> not within <Log> as you have it there. So go ahead and place it up on the 2nd line above <Worker> but underneath <Unifi> and that will do the trick. I've updated the TID with this detail and provided an example in the Additional Information section.
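
The placement rule discussed in this thread (ClientLog directly under <Unifi>, not inside <Log>) can be checked before restarting the service. The script below is an added example, not part of any post here and not Micro Focus code; the function name check_client_log, the empty <Worker/> element and the nested <Log> form in the samples are assumptions built from the elements quoted in the thread. It also reports a typographic quote pasted into an attribute, which makes the file malformed.

```python
import xml.etree.ElementTree as ET

# Constructed samples built from the elements quoted in this thread.
# The empty <Worker/> and the nested form of <Log> are assumptions.
CORRECT = """<Unifi db_sync="1" service_name="npum">
  <Log level="info" file="logs/unifid.log" max_size="10"/>
  <ClientLog level="debug" file="logs/client.log" max_size="10"/>
  <Worker/>
</Unifi>"""

MISPLACED = """<Unifi db_sync="1" service_name="npum">
  <Log level="info" file="logs/unifid.log" max_size="10">
    <ClientLog level="debug" file="logs/client.log" max_size="10"/>
  </Log>
  <Worker/>
</Unifi>"""

# CORRECT with a typographic opening quote, as happens when copying from a web page.
BAD_QUOTE = CORRECT.replace('file="logs/client.log"', 'file=\u201clogs/client.log"')


def check_client_log(xml_text):
    """Return a list of findings; an empty list means the placement is fine."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "Unifi":
        return [f"root element is <{root.tag}>, expected <Unifi>"]
    # Map every element to its parent so a misplaced <ClientLog> can be located.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    client_logs = list(root.iter("ClientLog"))
    if not client_logs:
        return ["no <ClientLog> element found"]
    findings = []
    for elem in client_logs:
        parent = parent_of[elem]
        if parent is not root:
            findings.append(f"<ClientLog> is nested in <{parent.tag}>; "
                            "move it directly under <Unifi>")
        for attr in ("level", "file"):
            if not elem.get(attr):
                findings.append(f"<ClientLog> is missing the {attr!r} attribute")
    return findings


if __name__ == "__main__":
    for name, text in (("correct", CORRECT), ("misplaced", MISPLACED),
                       ("bad quote", BAD_QUOTE)):
        print(name, "->", check_client_log(text) or "OK")
```
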
kenelmulric_d Absent Member.

Re: SSH access requires password even if it's on Credential V

I was able to have the client log working, however I've tried to replicate the issue but looking at the logs, it's not telling me anything.

I have tried to correct the password (on the credential vault) to see how the log will look, the next run I have misspelled the password (on the credential vault) to see how it looks, but both say the same thing.

I'm expecting that since the other try has an incorrect password it still says the same thing here:


This is the only thing that is preventing us from going live. Need all the help I can get. Thanks!
kenelmulric_d Absent Member.

Re: SSH access requires password even if it's on Credential V

Sorry was not able to provide the screenshot here:
https://imgur.com/a/s4Ag4J4