
Any credential with SSO and public key credentials available for user asks for password in specific circumstances for SSH #972

Open
SheaSmith opened this issue Mar 25, 2024 · 5 comments

Comments

@SheaSmith
Contributor

If you have the following conditions:

  1. A user with an SSH public key and SSO configured.
  2. SSH is set to use 'Any credential'
  3. You attempt to log in over SSH without the specified public key being installed (and therefore would expect to be prompted for a keyboard-interactive login)

Then you will actually be asked for a password, rather than the keyboard-interactive flow:
[screenshot: SSH client password prompt]

Warpgate config for the user:
[screenshot: Warpgate user credential configuration]

Happy to provide any relevant logs or config if that helps.

@theMackabu

#946 (comment) comment moved here

@Eugeny Eugeny closed this as completed in daacd55 Jul 25, 2024
@Eugeny
Member

Eugeny commented Jul 25, 2024

I haven't been able to reproduce this, but I suspect that your client might have a different preferred auth method order than mine. Anyway, the fix makes sure that password auth won't be offered when the user has no password.

@SheaSmith
Contributor Author

Thanks - I'm not seeing the issue with the password any more with the latest update. However, it doesn't seem like I'm prompted with keyboard-interactive when I deny public key access (I'm using the 1Password SSH agent, which allows public key access to be denied) with this config:
[screenshot: Warpgate SSH credential policy configuration]

Here's the logs for sftp -v when connecting:

sftp -v -P 2222 -o User=shea:<site name> <host>
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to <host> [192.168.1.201] port 2222.
debug1: Connection established.
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version russh_0.44.0
debug1: compat_banner: no match: russh_0.44.0
debug1: Authenticating to <host>:2222 as 'shea:<site name>'
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:xVWOC/rHefNW0i0G9IurVCPc+REGuAcoDmQtyMULzbE
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[<host>]:2222' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\SheaSmith/.ssh/known_hosts:17
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Will attempt key: <another key> Access ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Will attempt key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Will attempt key: <fourth key> key ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Server accepts key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
sign_and_send_pubkey: signing failed for ED25519 "Test Key" from agent: agent refused operation
debug1: Offering public key: <another key> Access ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: <fourth key> key ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Authentications that can continue: publickey
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: No more authentication methods to try.
shea:<site name>@<host>: Permission denied (publickey).

When I change it so that both SSO and public key are required in the config, e.g.:
[screenshot: Warpgate config requiring both SSO and public key]

I am prompted for the keyboard-interactive login after denying the public key access, but it hangs after asking for approval (which I imagine is somewhat expected, since I would've thought that configuration requires both public key and keyboard-interactive to log in):

sftp -v -P 2222 -o User=shea:<site name> <host>
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to <host> [192.168.1.201] port 2222.
debug1: Connection established.
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_ed25519_sk-cert type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\SheaSmith/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version russh_0.44.0
debug1: compat_banner: no match: russh_0.44.0
debug1: Authenticating to <host>:2222 as 'shea:<site name>'
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:xVWOC/rHefNW0i0G9IurVCPc+REGuAcoDmQtyMULzbE
debug1: load_hostkeys: fopen C:\\Users\\SheaSmith/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[<host>]:2222' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\SheaSmith/.ssh/known_hosts:17
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Will attempt key: <another key> ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Will attempt key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Will attempt key: <fourth key> ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Will attempt key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
debug1: Server accepts key: Test Key ED25519 SHA256:dEqsKHcXY8v3cQ7Xp8uUg2P20TktUfdQES3m2iJORLI agent
sign_and_send_pubkey: signing failed for ED25519 "Test Key" from agent: agent refused operation
debug1: Offering public key: <another key> ED25519 SHA256:rTqMg0ntdf7sd0jUBty2dEwLT/ILeZjCLNByMi9+qO4 agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: <yet another key> ED25519 SHA256:bVkq0AbK8MRrV1kTDM/SwtPp4ed1Y5t3FR4UtCme9bM agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: <fourth key> ED25519 SHA256:S9GgTPUpwbHHNTFARPtY7eSkKzYG5GU57kfpB7LTM/A agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ecdsa_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_ed25519_sk
debug1: Trying private key: C:\\Users\\SheaSmith/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Warpgate authentication
-----------------------------------------------------------------------
Warpgate authentication: please open the following URL in your browser:
https://<host>/@warpgate#/login/b0bc6009-6e90-49cf-a7b8-f58c41b40c6e

Make sure you're seeing this security key: 1 E 8 B
-----------------------------------------------------------------------

(shea:<site name>@<host>) Press Enter when done:
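The two transcripts above differ in one server reply: after the agent refuses to sign for "Test Key", the "Any credential" session answers `Authentications that can continue: publickey` only, while the "require both" session answers `publickey,keyboard-interactive`. The fix Eugeny describes (never offer `password` to a user who has no password) is one half of the rule a bastion has to apply when it builds that list; the other half is that a failed attempt must not drop methods the policy still allows. The following Rust is an added model of that rule written for this thread, not Warpgate's or russh's code. It assumes three credential kinds, maps SSO onto the `keyboard-interactive` method (as the browser-URL prompt in the log shows), and models the policy as either "any one credential" or "all of a required set"; names such as `SshPolicy`, `methods_to_offer` and `simulate` are illustrative.

```rust
use std::collections::BTreeSet;

/// Credential kinds a user can have configured (a model of the thread's scenario,
/// not Warpgate's real credential types).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Credential {
    Password,
    PublicKey,
    /// SSO is driven over SSH through keyboard-interactive (browser login URL).
    Sso,
}

/// SSH credential policy for a user: any single configured credential suffices,
/// or every credential in the set is required.
#[derive(Clone, Debug)]
pub enum SshPolicy {
    Any,
    RequireAll(BTreeSet<Credential>),
}

impl Credential {
    /// The SSH userauth method name (RFC 4252) this credential is exercised through.
    pub fn ssh_method(self) -> &'static str {
        match self {
            Credential::Password => "password",
            Credential::PublicKey => "publickey",
            Credential::Sso => "keyboard-interactive",
        }
    }
}

/// Has the policy been satisfied by the credentials proven so far?
pub fn is_authenticated(
    configured: &BTreeSet<Credential>,
    policy: &SshPolicy,
    satisfied: &BTreeSet<Credential>,
) -> bool {
    match policy {
        SshPolicy::Any => satisfied.iter().any(|c| configured.contains(c)),
        SshPolicy::RequireAll(required) => required
            .iter()
            .all(|c| configured.contains(c) && satisfied.contains(c)),
    }
}

/// Method names to advertise in SSH_MSG_USERAUTH_FAILURE ("Authentications that
/// can continue"). Two rules: (1) only methods the policy still needs, and
/// (2) never a method the user has no credential for, because a client with a
/// different preference order may try it first and it can never succeed.
pub fn methods_to_offer(
    configured: &BTreeSet<Credential>,
    policy: &SshPolicy,
    satisfied: &BTreeSet<Credential>,
) -> Vec<&'static str> {
    let candidates: Vec<Credential> = match policy {
        // A failed attempt does not remove a method: everything configured stays on offer.
        SshPolicy::Any => configured.iter().copied().collect(),
        SshPolicy::RequireAll(required) => required
            .iter()
            .copied()
            .filter(|c| !satisfied.contains(c))
            .collect(),
    };
    candidates
        .into_iter()
        .filter(|c| configured.contains(c))
        .map(Credential::ssh_method)
        .collect()
}

/// Replay a sequence of (credential, succeeded) attempts and return the server's
/// reply after each one, in the shape the OpenSSH client prints at debug1.
pub fn simulate(
    configured: &BTreeSet<Credential>,
    policy: &SshPolicy,
    attempts: &[(Credential, bool)],
) -> Vec<String> {
    let mut satisfied = BTreeSet::new();
    let mut transcript = Vec::new();
    for &(cred, ok) in attempts {
        if ok && configured.contains(&cred) {
            satisfied.insert(cred);
        }
        if is_authenticated(configured, policy, &satisfied) {
            transcript.push("SSH_MSG_USERAUTH_SUCCESS".to_string());
            break;
        }
        let remaining = methods_to_offer(configured, policy, &satisfied);
        transcript.push(format!("Authentications that can continue: {}", remaining.join(",")));
    }
    transcript
}

fn main() {
    // The reporter's user: public key plus SSO, no password.
    let configured: BTreeSet<Credential> = [Credential::PublicKey, Credential::Sso].into_iter().collect();
    // The agent refuses to sign for the first key, as in the log above.
    let attempts = [(Credential::PublicKey, false)];
    for line in simulate(&configured, &SshPolicy::Any, &attempts) {
        println!("{line}");
    }
}
```

Running `main` prints `Authentications that can continue: publickey,keyboard-interactive` for the "Any credential" case, which is what the first transcript would be expected to show after the refused signature; `password` is never in the list for this user under either policy.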

@Eugeny Eugeny reopened this Jul 28, 2024
@theMackabu

@SheaSmith same issue, able to reproduce

@amapi

amapi commented Sep 10, 2024

@SheaSmith same issue, able to reproduce
