Authentication Issue
jogalt opened this issue · 7 comments
Followed the instructions in the Readme and still can't achieve a successful SSH session. I keep receiving 'invalid credentials'. The same account allows me to access the accounts page in the webgui with no issues. Has anything changed in the process over the last 7 months?
What OS is it? Can you check the SELinux mode of operation?
Status of my keycloak server:
[root@keycloak log]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
OS:
[root@keycloak log]# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.10"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Oracle Linux Server 8.10"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:8:10:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://github.com/oracle/oracle-linux"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 8"
ORACLE_BUGZILLA_PRODUCT_VERSION=8.10
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=8.10
[root@keycloak log]#
Logs on keycloak server
2024-10-14 08:02:52,967 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=DOMAIN, clientId=ssh-login, userId=null, ipAddress=10.1.23.4, error=invalid_client_credentials, grant_type=password
Client config on keycloak server
Client details
OS:
root@tak-test:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
SELinux is not installed.
Contents of the config.toml file:
realm = "DOMAIN"
endpoint = "https://my.domain.org:8443/auth"
clientid = "ssh-login"
clientsecret = "1bb9853a-a9b6-4e2b-ac43-4b5b95e56f06"
clientscope = "openid"
Client log
2024/10/14 12:03:01 Failed to retrieve token for username.adm - error: HTTP request failed with status code 401
Of note, I tested with a local DB user with the following curl statement and was able to get a proper response within keycloak.
curl -d "client_id=ssh2-login" -d "client_secret=fab88f4b-e4ca-4bfc-83c6-c4c73be90e93" -d "username=localtest" -d "password=password" -d "grant_type=password" "https://domain.org:8443/auth/realms/26AB/protocol/openid-connect/token"
{"access_token":"eyJhbGciOiJSUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOXzlNVmVpbzcwSW9GVjBRcE1DVjYtbTZnaUtFWGFkZ295LXpBcjJVSHVrIn0.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.uI31PQ-yduhCQU1ig91DNF8HTrmcib8IILkc36E99snxK7RhlmGw-NQIzcNo-kiSQjl3A1mVp3Y4jn8b92WcvOpTo-ej1S-hK6-trNoHUNipMlIPlZqAO6F_eb-ZVyBWtsPvEPXxhuKjw2q1H5GKpGLXxgPmfGIQWBN5WXJr3qAC17KW__ZSGajOJuUd3szxWMz9gu0MriRGWbA_5jzWiWFASe9WSvBfR8aHFrzNn6sEzeI0dL7aJx9yNR1NhQgqat-Eg1AFH-ozr7ujptcc4gI5s8KT8fA20jBHlIj1Wv9BncezAUfRQFH90IDEZP7ZLfHEhNCk8CZd7a0QzY5iOg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5NzJkYzM4NS1mYTQ5LTQ3YzMtOTQ1OS0yYzhlYTNjNzVjNzQifQ.eyJleHAiOjE3Mjg5NTgwNjAsImlhdCI6MTcyODk1NjI2MCwianRpIjoiYjQyMDJiOWUtMGYyOC00ZmYxLWJkMTItZGY1MGUyMTYxODA3IiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5hcHBzLjI2YWIub3JnOjg0NDMvYXV0aC9yZWFsbXMvMjZBQiIsImF1ZCI6Imh0dHBzOi8va2V5Y2xvYWsuYXBwcy4yNmFiLm9yZzo4NDQzL2F1dGgvcmVhbG1zLzI2QUIiLCJzdWIiOiJmZDVhZjY2Ny1iYWJiLTQ4MzEtODVlMC00MjI4ZTgyYjA1M2IiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoic3NoMi1sb2dpbiIsInNlc3Npb25fc3RhdGUiOiI3NTUyNzAzZS1kOWU3LTQzMjktYWY2OS0wNmM2OGFhODAxOGEiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJzaWQiOiI3NTUyNzAzZS1kOWU3LTQzMjktYWY2OS0wNmM2OGFhODAxOGEifQ.D6YFIXWtYdefbUpm97dxwc9ZqvxsZjvCeg8LH84UYBI","token_type":"Bearer","not-before-policy":0,"session_state":"7552703e-d9e7-4329-af69-06c68aa8018a","scope":"profile email"}
The same credentials and client on Ubuntu return the invalid credentials error.
Client ID seems different for the DB user. In any case, can you check the following:
- Location of config.toml on the client machine. If it's different from the default location, how are you specifying it?
- Try the following on the client machine.
cd /opt/kc-ssh-pam
export PAM_USER=<keycloak user>
echo <password of user > | ./kc-ssh-pam
# If 2FA is enabled then
echo <password/OTP> | ./kc-ssh-pam
Let me know what the output of the above is, and also share the logs from /var/log/kc-ssh-pam.log.
I created a new client to test with, in the event I had misconfigured something I couldn't find anymore.
Location of config.toml
root@tak-test:/opt/kc-ssh-pam# ls -al
total 6476
drwxr-xr-x 2 root root 4096 Oct 15 02:04 .
drwxr-xr-x 5 root root 4096 Oct 13 14:59 ..
-rw-r--r-- 1 root root 322 Oct 15 02:04 config.toml
-rwxr-xr-x 1 root root 6615192 Mar 17 2024 kc-ssh-pam
Contents of config.toml
root@tak-test:/opt/kc-ssh-pam# cat config.toml
realm = "26AB"
endpoint = "https://domain.org:8443/auth"
clientid = "ssh2-login"
clientsecret = "fab88f4b-e4ca-4bfc-83c6-c4c73be90e93"
clientscope = "openid"
Attempt to manually use kc-ssh-pam with correct password
root@tak-test:/opt/kc-ssh-pam# cd /opt/kc-ssh-pam
root@tak-test:/opt/kc-ssh-pam# export PAM_USER=localtest
root@tak-test:/opt/kc-ssh-pam# echo password | ./kc-ssh-pam
2024/10/15 10:53:54 Failed to retrieve token for localtest - error: HTTP request failed with status code 500
Attempt to manually use kc-ssh-pam with incorrect password
root@tak-test:/opt/kc-ssh-pam# echo password2 | ./kc-ssh-pam
2024/10/15 10:54:08 Failed to retrieve token for localtest - error: HTTP request failed with status code 401
From the same Linux machine, using curl, I'm able to retrieve a token:
root@tak-test:/opt/kc-ssh-pam# curl -d "client_id=ssh2-login" -d "client_secret=fab88f4b-e4ca-4bfc-83c6-c4c73be90e93" -d "username=username.adm" -d "password=P@SSWORD" -d "grant_type=password" "https://domain.org:8443/auth/realms/26AB/protocol/openid-connect/token" | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2412 100 2277 100 135 7590 450 --:--:-- --:--:-- --:--:-- 8040
{
"access_token": "eyJhbGciOiJSUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOXzlNVmVpbzcwSW9GVjBRcE1DVjYtbTZnaUtFWGFkZ295LXpBcjJVSHVrIn0.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.Xl26Zr4_2JtM8cBtRW1LChden0aTRp9C4Di95JJ4ETYmkHio1Lr2btafOuwU7DJ2OQlkEmFc_VvX4O1MZrTFQk_5n9zbUT_cLBe91Mc7F0UxpylYC77-9ZKtpvJjGOYCy0P9JbRD89am30bo3Mf3EmZv08Q3DoPElE9eZSMFyJByJuSUow92jFXN-XlpraLDi25FUWc22GWXsh3PxiW1SI4tUqI3VLcMUqrQIabZeo6HbtWs0jNWObig8wYB94Fa_1RvuvUS41aqZYlc-H7wZwNsmFBoOOIYSyOdVAlHApiulzSpN0lV2vrSiVqe08D6tqMZmjq63JAkU1CRIwjbdQ",
"expires_in": 7200,
"refresh_expires_in": 1200,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5NzJkYzM4NS1mYTQ5LTQ3YzMtOTQ1OS0yYzhlYTNjNzVjNzQifQ.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.sSj4JqhrmuvN_PmFxxeWR5DaANfssdQZntZJaF9ZDMU",
"token_type": "Bearer",
"not-before-policy": 0,
"session_state": "4869f39c-120c-475c-a15a-96daceaa51ad",
"scope": "profile email"
}
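As an added diagnostic example (not code from kc-ssh-pam or from anyone in this thread): a small Python script that sends the same resource-owner-password token request the curl commands above send, built from the config.toml keys shown in this thread (realm, endpoint, clientid, clientsecret, clientscope), and classifies Keycloak's reply. It separates the three outcomes that appear here: a 401 with `error=invalid_client`, which is what the server logs as `LOGIN_ERROR ... error=invalid_client_credentials` and means the client ID/secret pair was rejected before the user's password was ever checked; a 401 with `error=invalid_grant`, a rejected user password; and a 500, a server-side failure that only the Keycloak server log can explain. Whether kc-ssh-pam sends `scope` from `clientscope` is an assumption, so `build_form` lets you toggle it and A/B against the curl request, which omits it. The `fake_keycloak` transport, the `correct-horse` password and the client-secret placeholder are constructed for offline runs; pass `urllib_transport` to `request_token` to query a real server.

```python
"""Offline-testable reproduction of the Keycloak token request kc-ssh-pam relies on.

Added example, not kc-ssh-pam's own code. Assumes the config.toml keys shown in the
thread and Keycloak's standard token-endpoint error bodies (invalid_client / invalid_grant).
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# A transport takes (url, form body) and returns (HTTP status, raw body).
Transport = Callable[[str, bytes], Tuple[int, bytes]]

# Assumed config mirroring the keys in the thread's config.toml; the secret is a placeholder.
CONFIG = {
    "realm": "26AB",
    "endpoint": "https://domain.org:8443/auth",
    "clientid": "ssh2-login",
    "clientsecret": "<client-secret-placeholder>",
    "clientscope": "openid",
}


def token_url(cfg: Dict[str, str]) -> str:
    """Token endpoint path, as used by the curl commands in the thread."""
    return f"{cfg['endpoint'].rstrip('/')}/realms/{cfg['realm']}/protocol/openid-connect/token"


def build_form(cfg: Dict[str, str], username: str, password: str, include_scope: bool = True) -> Dict[str, str]:
    """Resource Owner Password Credentials grant body; scope is optional so both variants can be tried."""
    form = {
        "client_id": cfg["clientid"],
        "client_secret": cfg["clientsecret"],
        "username": username,
        "password": password,
        "grant_type": "password",
    }
    if include_scope:
        form["scope"] = cfg["clientscope"]
    return form


def decode_jwt_claims(token: str) -> Dict[str, object]:
    """Unverified payload decode for diagnostics only; never use this for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(status: int, body: bytes) -> Dict[str, str]:
    """Map a token-endpoint reply to the failure class a defender needs to chase."""
    try:
        data = json.loads(body.decode("utf-8") or "{}")
    except (ValueError, UnicodeDecodeError):
        data = {}
    if status == 200 and "access_token" in data:
        claims = decode_jwt_claims(data["access_token"])
        return {"outcome": "ok", "azp": str(claims.get("azp", "")), "scope": str(claims.get("scope", "")),
                "hint": "token issued; azp should match clientid in config.toml"}
    err = str(data.get("error", ""))
    if status == 401 and err == "invalid_client":
        return {"outcome": "client_auth_failed",
                "hint": "client id/secret rejected (server logs error=invalid_client_credentials); user password never checked"}
    if status == 401 and err == "invalid_grant":
        return {"outcome": "user_auth_failed", "hint": "client accepted; user credentials rejected"}
    if status >= 500:
        return {"outcome": "server_error", "hint": "server-side failure; inspect the Keycloak server log, not the client credentials"}
    return {"outcome": "unexpected", "hint": f"HTTP {status} error={err or 'none'}"}


def urllib_transport(url: str, body: bytes) -> Tuple[int, bytes]:
    """Real HTTP transport; HTTPError bodies are returned so 4xx/5xx replies can still be classified."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def request_token(cfg: Dict[str, str], username: str, password: str,
                  transport: Transport = urllib_transport, include_scope: bool = True) -> Dict[str, str]:
    body = urllib.parse.urlencode(build_form(cfg, username, password, include_scope)).encode()
    status, raw = transport(token_url(cfg), body)
    return classify(status, raw)


# ---- constructed offline stand-in for the Keycloak token endpoint ----
def _segment(obj: object) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def constructed_token(claims: Dict[str, object]) -> str:
    """Constructed JWT-shaped string with a dummy signature, for offline testing only."""
    return ".".join([_segment({"alg": "none"}), _segment(claims), "sig"])


def fake_keycloak(url: str, body: bytes) -> Tuple[int, bytes]:
    """Constructed responses: secret must match CONFIG, password must be 'correct-horse',
    and the username 'breaks-server' simulates the HTTP 500 seen in the thread."""
    form = dict(urllib.parse.parse_qsl(body.decode()))
    if form.get("client_secret") != CONFIG["clientsecret"]:
        return 401, b'{"error":"invalid_client","error_description":"Invalid client credentials"}'
    if form.get("password") != "correct-horse":
        return 401, b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'
    if form.get("username") == "breaks-server":
        return 500, b'{"error":"unknown_error"}'
    tok = constructed_token({"azp": form["client_id"], "scope": "profile email", "exp": 0})
    return 200, json.dumps({"access_token": tok, "token_type": "Bearer"}).encode()


if __name__ == "__main__":
    for user, pw in [("localtest", "correct-horse"), ("localtest", "wrong"), ("breaks-server", "correct-horse")]:
        print(user, "->", request_token(CONFIG, user, pw, fake_keycloak))
```

Run it against the constructed endpoint first to see the three classes, then swap in `urllib_transport` with the real secret from config.toml; if the real server answers 500 only when `include_scope=True`, the scope parameter is the difference to raise in the issue.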
What version of Keycloak are you using?
Keycloak: 15.0.2
Java: 17.0.12+7-LTS