Date: Wed, 26 Aug 2009 10:42:15 -0700
From: Andrew Sharp <andy.sharp@lsi.com>
To: "Johnson, Dave" <Dave.Johnson@lsi.com>
Subject: Re: ssh key authentication with AD accounts ?
Message-ID: <20090826104215.267cdf69@ripper.onstor.net>
In-Reply-To: <C5277CB418429641BC1498607A9F480593A4DF36@cosmail01.lsi.com>
References: <C5277CB418429641BC1498607A9F480593A4D5EE@cosmail01.lsi.com>
	<20090821113621.5eb9bb93@ripper.onstor.net>
	<C5277CB418429641BC1498607A9F480593A4D65A@cosmail01.lsi.com>
	<20090821162119.5158c811@ripper.onstor.net>
	<C5277CB418429641BC1498607A9F480593A4DF36@cosmail01.lsi.com>
Organization: LSI
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Wed, 26 Aug 2009 10:56:42 -0600 "Johnson, Dave"
<Dave.Johnson@lsi.com> wrote:


> > From: Andrew Sharp [mailto:andy.sharp@lsi.com]
> > Sent: Friday, August 21, 2009 4:21 PM
> >
> > On Fri, 21 Aug 2009 13:16:20 -0600 "Johnson, Dave"
> > <Dave.Johnson@lsi.com> wrote:
> >
> > > Trying to use a windows AD account with ssh key authentication in
> > > order to execute remote commands on a filer for automation.
> >
> > A windows AD account for which part?  Do you mean instead of
> > creating a user account on the gateway?
> 
> Yup.

That won't work.  The various keys for the account have to reside in
the user's home directory.  Where would that be for an AD account?  It
has to be a local-only directory.

> > > A customer has a local account configured on the filers to do this
> > > and it intermittently fails the key auth, which falls back to
> > > interactive password, which of course fails and times out since
> > > it's an automated script.
> >
> > Why does it fail the key auth?  That should never happen.
> 
> Never say never !

If it ever fails, then there's something broken that needs a-fixin'.
Do that and the problem is solved.  Is there anything repeatable about
the failures?  Like, does a particular client always fail, or a
particular user or something?

> > > Sandrine said to try Windows or NIS account but I don't see how we
> > > can create an ssh key for a remote user.
> >
> > What's the difference between a Windows account and an AD account?
> 
> No difference.

And even if it would work, it doesn't solve the problem that for some
reason key verification fails sometimes.

> > > http://wiki.onstor.net/wiki/Set_up_passwordless_SSH
> >
> > Man, there's a wiki for everything.  Curious use of ssh-agent,
> > however.  I wouldn't bother with that step as it isn't needed really
> > and might be the source of the intermittent issues.
> 
> Well, if they weren't able to start their agent, then I don't think
> it would work at all.   The interesting thing is that running sshd in
> debug mode on the filer and trying the commands, you can see in the
> log output below that it fails and standard err output of our shell
> spits out line 125 with "Invalid user quota from 128.8.120.151".  Can
> you glean anything from the lines that precede that error in the log
> below ? (fyi, yes the customer configured the local user account name
> as "quota" :)
> 
> -=dave
> 
> 00000001 onstor-ha01-b# /onstor/bin/sshd -d -d -d
> 00000002 debug2: load_server_config: filename /etc/ssh/sshd_config
> 00000003 debug2: load_server_config: done config len = 132
> 00000004 debug2: parse_server_config: config /etc/ssh/sshd_config len 132
> 00000005 debug1: sshd version OpenSSH_4.2p1
> 00000006 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> 00000007 debug1: read PEM private key done: type RSA
> 00000008 debug1: private host key: #0 type 1 RSA
> 00000009 debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> 00000010 debug1: read PEM private key done: type DSA
> 00000011 debug1: private host key: #1 type 2 DSA
> 00000012 debug1: rexec_argv[0]='/onstor/bin/sshd'
> 00000013 debug1: rexec_argv[1]='-d'
> 00000014 debug1: rexec_argv[2]='-d'
> 00000015 debug1: rexec_argv[3]='-d'
> 00000016 debug2: fd 5 setting O_NONBLOCK
> 00000017 debug1: Bind to port 22 on 0.0.0.0.
> 00000018 Server listening on 0.0.0.0 port 22.
> 00000019 debug3: fd 6 is not O_NONBLOCK
> 00000020 debug1: Server will not fork when running in debugging mode.
> 00000021 debug3: send_rexec_state: entering fd = 9 config len 132
> 00000022 debug3: ssh_msg_send: type 0
> 00000023 debug3: send_rexec_state: done
> 00000024 debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
> 00000025 debug1: inetd sockets after dupping: 5, 5 Connection from 128.8.120.151 port 55878
> 00000026 debug1: Client protocol version 2.0; client software version OpenSSH_4.3
> 00000027 debug1: match: OpenSSH_4.3 pat OpenSSH*
> 00000028 debug1: Enabling compatibility mode for protocol 2.0
> 00000029 debug1: Local version string SSH-2.0-OpenSSH_4.2
> 00000030 debug2: fd 5 setting O_NONBLOCK
> 00000031 debug2: Network child is on pid 11447
> 00000032 debug3: privsep user:group 27:27
> 00000033 debug3: preauth child monitor started
> 00000034 debug1: permanently_set_uid: 27/27
> 00000035 debug3: mm_request_receive entering
> 00000036 debug1: list_hostkey_types: ssh-rsa,ssh-dss
> 00000037 debug1: SSH2_MSG_KEXINIT sent
> 00000038 debug1: SSH2_MSG_KEXINIT received
> 00000039 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-
> 00000040 hellman-group14-sha1,diffie-hellman-group1-sha1
> 00000041 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> 00000042 debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
> 00000043 cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> 00000044 ,aes128-ctr,aes192-ctr,aes256-ctr
> 00000045 debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
> 00000046 cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> 00000047 ,aes128-ctr,aes192-ctr,aes256-ctr
> 00000048 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
> 00000049 ,hmac-sha1-96,hmac-md5-96
> 00000050 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
> 00000051 ,hmac-sha1-96,hmac-md5-96
> 00000052 debug2: kex_parse_kexinit: none,zlib@openssh.com
> 00000053 debug2: kex_parse_kexinit: none,zlib@openssh.com
> 00000054 debug2: kex_parse_kexinit:
> 00000055 debug2: kex_parse_kexinit:
> 00000056 debug2: kex_parse_kexinit: first_kex_follows 0
> 00000057 debug2: kex_parse_kexinit: reserved 0
> 00000058 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-
> 00000059 hellman-group14-sha1,diffie-hellman-group1-sha1
> 00000060 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> 00000061 debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
> 00000062 cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> 00000063 ,aes128-ctr,aes192-ctr,aes256-ctr
> 00000064 debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
> 00000065 cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> 00000066 ,aes128-ctr,aes192-ctr,aes256-ctr
> 00000067 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
> 00000068 ,hmac-sha1-96,hmac-md5-96
> 00000069 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com
> 00000070 ,hmac-sha1-96,hmac-md5-96
> 00000071 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> 00000072 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> 00000073 debug2: kex_parse_kexinit:
> 00000074 debug2: kex_parse_kexinit:
> 00000075 debug2: kex_parse_kexinit: first_kex_follows 0
> 00000076 debug2: kex_parse_kexinit: reserved 0
> 00000077 debug2: mac_init: found hmac-md5
> 00000078 debug1: kex: client->server aes128-cbc hmac-md5 none
> 00000079 debug2: mac_init: found hmac-md5
> 00000080 debug1: kex: server->client aes128-cbc hmac-md5 none
> 00000081 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> 00000082 debug3: mm_request_send entering: type 0
> 00000083 debug3: monitor_read: checking request 0
> 00000084 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> 00000085 debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> 00000086 debug3: mm_request_receive_expect entering: type 1
> 00000087 debug3: mm_request_receive entering
> 00000088 debug3: mm_request_send entering: type 1
> 00000089 debug3: mm_choose_dh: remaining 0
> 00000090 debug2: monitor_read: 0 used once, disabling now
> 00000091 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> 00000092 debug3: mm_request_receive entering
> 00000093 debug2: dh_gen_key: priv key bits set: 131/256
> 00000094 debug2: bits set: 508/1024
> 00000095 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> 00000096 debug2: bits set: 503/1024
> 00000097 debug3: mm_key_sign entering
> 00000098 debug3: mm_request_send entering: type 4
> 00000099 debug3: monitor_read: checking request 4
> 00000100 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> 00000101 debug3: mm_answer_sign
> 00000102 debug3: mm_request_receive_expect entering: type 5
> 00000103 debug3: mm_request_receive entering
> 00000104 debug3: mm_answer_sign: signature 0x10200200(271)
> 00000105 debug3: mm_request_send entering: type 5
> 00000106 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> 00000107 debug2: kex_derive_keys
> 00000108 debug2: set_newkeys: mode 1
> 00000109 debug1: SSH2_MSG_NEWKEYS sent
> 00000110 debug1: expecting SSH2_MSG_NEWKEYS
> 00000111 debug2: monitor_read: 4 used once, disabling now
> 00000112 debug3: mm_request_receive entering
> 00000113 debug2: set_newkeys: mode 0
> 00000114 debug1: SSH2_MSG_NEWKEYS received
> 00000115 debug1: KEX done
> 00000116 debug1: userauth-request for user quota service ssh-connection method none
> 00000117 debug1: attempt 0 failures 0
> 00000118 debug3: mm_getpwnamallow entering
> 00000119 debug3: mm_request_send entering: type 6
> 00000120 debug3: monitor_read: checking request 6
> 00000121 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> 00000122 debug3: mm_request_receive_expect entering: type 7
> 00000123 debug3: mm_request_receive entering
> 00000124 debug3: mm_answer_pwnamallow
> 00000125 Invalid user quota from 128.8.120.151
> 00000126 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> 00000127 debug3: mm_request_send entering: type 7
> 00000128 debug1: unknown user, become admin
> 00000129 debug3: mm_request_send entering: type 60
> 00000130 debug3: mm_getnfxinfo: wating for MONITOR_ANS_GETNFXINFO
> 00000131 debug3: mm_request_receive_expect entering: type 61
> 00000132 debug3: mm_request_receive entering
> 00000133 debug2: monitor_read: 6 used once, disabling now
> 00000134 debug3: mm_request_receive entering
> 00000135 debug3: monitor_read: checking request 60
> 00000136 debug1: mm_get_authctxt: authctxt = 101f9580
> 00000137 debug1: cluster_daemon_in_service: cluster daemon not started
> 00000138
> 00000139 debug1: cluster_daemon_in_service: rc = -1, func = 0x5059ff38
> 00000140
> 00000141 debug3: mm_request_send entering: type 61
> 00000142 debug2: input_userauth_request: setting up authctxt for quota
> 00000143 debug3: mm_request_receive entering
> 00000144 debug3: mm_inform_authserv entering
> 00000145 debug3: mm_request_send entering: type 3
> 00000146 debug3: monitor_read: checking request 3
> 00000147 debug2: input_userauth_request: try method none
> 00000148 debug3: mm_answer_authserv: service=ssh-connection, style=
> 00000149 debug3: mm_auth_password entering
> 00000150 debug2: monitor_read: 3 used once, disabling now
> 00000151 debug3: mm_request_send entering: type 10
> 00000152 debug3: mm_request_receive entering
> 00000153 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> 00000154 debug3: monitor_read: checking request 10
> 00000155 debug3: mm_request_receive_expect entering: type 11
> 00000156 debug3: mm_answer_authpassword: sending result 0
> 00000157 debug3: mm_request_receive entering
> 00000158 debug3: mm_request_send entering: type 11
> 00000159 debug3: mm_answer_authpassword: sending status 0
> 00000160 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHSTATUS
> 00000161 debug3: mm_request_send entering: type 12
> 00000162 debug3: mm_request_receive_expect entering: type 12 Failed none for quota from 128.8.120.151 port 55878 ssh2
> 00000163 debug3: mm_request_receive entering
> 00000164 debug3: mm_request_receive entering
> 00000165 debug3: mm_auth_password: status 0
> 00000166 debug3: mm_auth_password: user not authenticated Failed none for quota from 128.8.120.151 port 55878 ssh2
> 00000167 debug1: userauth-request for user quota service ssh-connection method publickey
> 00000168 debug1: attempt 1 failures 1
> 00000169 debug2: input_userauth_request: try method publickey
> 00000170 debug3: userauth_pubkey: have_sig = 0, usr_opt = 0x0
> 00000171 debug1: test whether pkalg/pkblob are acceptable
> 00000172 debug3: mm_key_allowed entering
> 00000173 debug3: mm_request_send entering: type 21
> 00000174 debug3: monitor_read: checking request 21
> 00000175 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> 00000176 debug3: mm_answer_keyallowed entering
> 00000177 debug3: mm_request_receive_expect entering: type 22
> 00000178 debug3: mm_answer_keyallowed: key_from_blob: 0x101fca10
> 00000179 debug3: mm_request_receive entering
> 00000180 debug1: mm_get_authctxt: authctxt = 101f9580
> 00000181 debug1: user_key_allowed: authctxt not valid
> 00000182 debug1: temporarily_use_uid: 1003/10004 (e=0/0)
> 00000183 debug1: trying public key file /onstor/root/.ssh/authorized_keys
> 00000184 debug1: restore_uid: 0/0
> 00000185 debug1: temporarily_use_uid: 1003/10004 (e=0/0)
> 00000186 debug1: trying public key file /onstor/root/.ssh/authorized_keys2
> 00000187 debug1: restore_uid: 0/0
> 00000188 debug3: mm_answer_keyallowed: key 0x101fca10 is disallowed
> 00000189 debug3: mm_request_send entering: type 22
> 00000190 debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
> 00000191 debug3: mm_request_receive entering
> 00000192 Failed publickey for quota from 128.8.120.151 port 55878 ssh2 Connection closed by 128.8.120.151
> 
> 
> >
> > > Any ideas ?
> > >
> > > -=dave
> > >
> > > -----Original Message-----
> > > From: Andrew Sharp [mailto:andy.sharp@lsi.com]
> > > Sent: Friday, August 21, 2009 11:36 AM
> > > To: Johnson, Dave
> > > Subject: Re: ssh key authentication with AD accounts ?
> > >
> > > Which keys are you referring to?  Better yet, what is it that you
> > > are trying to achieve?
> > >
> > > On Fri, 21 Aug 2009 11:53:46 -0600 "Johnson, Dave"
> > > <Dave.Johnson@lsi.com> wrote:
> > >
> > > > Sandrine gave me the info below on configuring ssh for AD and
> > > > NIS accounts but how do you configure the keys for the user ?
> > > >
> > > > Thanks !
> > > >
> > > > -=dave
> > > >
> > > > -----Original Message-----
> > > > From: Boulanger, Sandrine
> > > > Sent: Thursday, August 13, 2009 10:27 AM
> > > > To: Johnson, Dave
> > > > Subject: ssh as a domain user
> > > >
> > > > [sandrineb@sandrineb ~]$ ssh 10.2.10.7 -l MATRIX\\enguser
> > > > MATRIX\enguser@10.2.10.7's password: Last login: Mon Aug  3 15:18:52 2009 from 10.0.0.99
> > > >
> > > > Welcome to the ONStor NAS Gateway.
> > > >
> > > > g7r10> exit
> > > > Connection to 10.2.10.7 closed.
> > > > [sandrineb@sandrineb ~]$ ssh 10.2.10.7 -l enguser@onstorlab
> > > > enguser@onstorlab@10.2.10.7's password: Last login: Thu Aug 13 10:24:58 2009 from 10.0.0.99
> > > >
> > > > Welcome to the ONStor NAS Gateway.
> > > >
> > > > g7r10>
> > > >
> > > >
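
The failure chain Dave is asking about is spelled out in the `sshd -d -d -d` output: the server cannot look up the user (`Invalid user quota`), substitutes another identity (`unknown user, become admin`), reads `authorized_keys` from `/onstor/root/.ssh/` rather than from any home directory belonging to `quota`, finds no matching key, and the client falls through to password, which an unattended script cannot answer. The triage script below is an added example, not part of this thread nor of any ONStor or OpenSSH tooling. It uses only the Python standard library; the sample lines are an excerpt of the log quoted in the mail (with the 8-digit prefixes the gateway shell adds), the `unknown user, become ...` check relies on that gateway-specific line rather than stock OpenSSH output, and the "key file outside the user's home" finding is a simple path heuristic (the user name must appear as a path component), which is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the sshd debug output quoted in the thread, reduced to the lines
# that carry the authentication decision (8-digit prefixes as in the mail).
SAMPLE_LOG = """\
00000116 debug1: userauth-request for user quota service ssh-connection method none
00000125 Invalid user quota from 128.8.120.151
00000128 debug1: unknown user, become admin
00000162 debug3: mm_request_receive_expect entering: type 12 Failed none for quota from 128.8.120.151 port 55878 ssh2
00000167 debug1: userauth-request for user quota service ssh-connection method publickey
00000183 debug1: trying public key file /onstor/root/.ssh/authorized_keys
00000186 debug1: trying public key file /onstor/root/.ssh/authorized_keys2
00000188 debug3: mm_answer_keyallowed: key 0x101fca10 is disallowed
00000192 Failed publickey for quota from 128.8.120.151 port 55878 ssh2 Connection closed by 128.8.120.151
"""

NO_FAILURE = "no authentication failure recorded in this excerpt"


@dataclass
class AuthTrace:
    """What the server decided about one authentication attempt."""
    user: Optional[str] = None
    client: Optional[str] = None
    invalid_user: bool = False          # the server's user lookup (getpwnam) failed
    became: Optional[str] = None        # identity substituted for an unknown user (gateway-specific line)
    methods: List[str] = field(default_factory=list)
    key_files: List[str] = field(default_factory=list)
    key_disallowed: bool = False
    failures: List[str] = field(default_factory=list)


LINE_NO = re.compile(r"^\d{8}\s+")   # prefix the gateway shell puts on each output line
RE_REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
RE_INVALID = re.compile(r"Invalid user (\S+) from (\S+)")
RE_BECAME = re.compile(r"unknown user, become (\S+)")
RE_KEYFILE = re.compile(r"trying public key file (\S+)")
RE_DISALLOWED = re.compile(r"key \S+ is disallowed")
RE_FAILED = re.compile(r"Failed (\S+) for (\S+) from (\S+) port \d+")


def parse_sshd_debug(text: str) -> AuthTrace:
    """Walk the debug output line by line and record the auth-relevant events."""
    t = AuthTrace()
    for raw in text.splitlines():
        line = LINE_NO.sub("", raw.strip())
        if m := RE_REQUEST.search(line):
            t.user = t.user or m.group(1)
            t.methods.append(m.group(2))
        elif m := RE_INVALID.search(line):
            t.invalid_user = True
            t.user, t.client = m.group(1), m.group(2)
        elif m := RE_BECAME.search(line):
            t.became = m.group(1)
        elif m := RE_KEYFILE.search(line):
            t.key_files.append(m.group(1))
        elif RE_DISALLOWED.search(line):
            t.key_disallowed = True
        elif m := RE_FAILED.search(line):
            t.failures.append(m.group(1))
            t.client = t.client or m.group(3)
    return t


def diagnose(t: AuthTrace) -> List[str]:
    """Turn the recorded events into the findings a defender wants from this log."""
    findings = []
    if t.invalid_user:
        findings.append(f"server has no account named '{t.user}': the user lookup that precedes "
                        f"every auth method failed, so there is no home directory to read keys from")
    if t.became:
        findings.append(f"unknown user was mapped to '{t.became}', so the key check ran as a different identity")
    # Heuristic (assumption of this example): the key file should live under a path
    # that names the user; /onstor/root/.ssh/ does not name 'quota'.
    if t.key_files and t.user and not any(f"/{t.user}/" in p for p in t.key_files):
        findings.append("authorized_keys was read from a path outside the user's own home: "
                        + ", ".join(t.key_files))
    if t.key_disallowed:
        findings.append("the offered key matched no line in the files that were tried")
    if "publickey" in t.failures:
        findings.append("publickey failed; the client falls through to password, which an unattended script cannot answer")
    return findings or [NO_FAILURE]


if __name__ == "__main__":
    for finding in diagnose(parse_sshd_debug(SAMPLE_LOG)):
        print("-", finding)
```

Run against a full `sshd -d -d -d` capture, the same parser isolates the same handful of decisions from the hundreds of `mm_request_*` lines around them; the first finding (no account for the user on the server) is the one that makes every later line moot, which is the point Andrew makes about where the keys have to live.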
