tg123/sshpiper

Unable to authenticate with upstream after successful challenge

michael-skiles-tfs opened this issue · 8 comments

Hello again @tg123,

I've successfully set up the azdevicecode challenger and am able to forward users correctly to an upstream host after passing the challenge, but authentication immediately fails on the host and I am never prompted to enter a password. Here's what I see in the terminal:

ssh myusername@sshpiperhostname
myusername
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AAQBBTSQ2 to authenticate.
Authentication failed.

Checking the OpenSSH logs of the upstream host, I see the following:

maximum authentication attempts exceeded for myusername from 10.341.100.180 port 53426 ssh2 [preauth]
Disconnecting authenticating user myusername 10.341.100.180  port 53426: Too many authentication failures [preauth]

Is it possible that password auth does not work when a challenger plugin is enabled?

tg123 commented

The challenger is an extra step on top of the original auth process (using keyboard-interactive in the lower layer), and it happens only before talking to upstream servers.
That said, azdevicecode does not change anything in password auth.

Are you sure you are using a password?
You can use ssh -v to dump the detailed info.

I have sshpiper running on two separate ports, one with the challenger enabled and one without. I can confirm successful login without the challenger.

Now I'm seeing the following in the sshpiperd logs after successfully entering the device token:

time="2022-05-12T18:39:57Z" level=debug msg="connection from 3.230.211.143:1580 establishing failed reason: graphrbac.SignedInUserClient#Get: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code=\"Unknown\" Message=\"Unknown service error\" Details=[{\"odata.error\":{\"code\":\"Authentication_ExpiredToken\",\"message\":{\"lang\":\"en\",\"value\":\"Your access token has expired. Please renew it before submitting the request.\"}}}]"

I am using https://graph.microsoft.com/ for SSHPIPERD_CHALLENGER_AZDEVICECODE_RESOURCE (since https://graph.windows.net/ is deprecated and not supported for new apps). Is there any specific configuration (such as redirect URLs) that sshpiper is expecting for the Azure AD app?
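A small parser for the sshpiperd debug line quoted above (an added example, not code from the issue or from sshpiper): it splits the logrus-style logfmt record, unescapes the msg field and decodes the Graph Details JSON so the odata error code can be surfaced when triaging challenger failures. The sample line is constructed to match the shape quoted above, and the function names are my own.

```python
import json
import re
from typing import Optional

# Constructed sample line, shaped like the sshpiperd debug line quoted in the issue
# (raw string, so the \" sequences are literal backslash-quote pairs as logged).
SAMPLE_LINE = (
    r'time="2022-05-12T18:39:57Z" level=debug msg="connection from 3.230.211.143:1580 '
    r'establishing failed reason: graphrbac.SignedInUserClient#Get: Failure responding '
    r'to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an '
    r'error. Status=401 Code=\"Unknown\" Message=\"Unknown service error\" '
    r'Details=[{\"odata.error\":{\"code\":\"Authentication_ExpiredToken\",'
    r'\"message\":{\"lang\":\"en\",\"value\":\"Your access token has expired.\"}}}]"'
)

# key=value or key="quoted value with \" escapes" (logfmt as written by logrus)
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_logfmt(line: str) -> dict:
    """Split a logrus text line into fields, unescaping quoted values."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # \" -> ", \\ -> \
        fields[key] = raw
    return fields


def graph_error(fields: dict) -> Optional[dict]:
    """Pull the Graph failure details out of an 'establishing failed' msg.

    Returns None for lines that are not Graph failures; otherwise a dict with the
    peer address, the HTTP status and the odata.error codes the challenger saw.
    """
    msg = fields.get("msg", "")
    if "establishing failed" not in msg or "Details=" not in msg:
        return None
    peer = re.search(r"connection from (\S+)", msg)
    status = re.search(r"StatusCode=(\d+)", msg)
    # raw_decode parses the JSON array that starts right after "Details=" and ignores any trailer
    details, _ = json.JSONDecoder().raw_decode(msg, msg.index("Details=") + len("Details="))
    codes = [d.get("odata.error", {}).get("code") for d in details if isinstance(d, dict)]
    return {
        "time": fields.get("time"),
        "peer": peer.group(1) if peer else None,
        "status": int(status.group(1)) if status else None,
        "codes": codes,
    }


if __name__ == "__main__":
    print(graph_error(parse_logfmt(SAMPLE_LINE)))
```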

I finally got it working by setting SSHPIPERD_CHALLENGER_AZDEVICECODE_NOREADGRAPH=true, although I think this means I won't have any information about the AD user in the sshpiper logs. Can you tell me a little bit more about what this flag does?

tg123 commented

Happy to know the challenger works.

Likely your Azure AD app does not have permission to read user info.
The option I put there is because most of the time we do not have to know the details of the user logging in, for example, name or title.
The only thing required is to make sure he/she completed the device login.

I did some additional digging and figured it out. The Azure AD Graph is currently deprecated, and permissions cannot be added to new AD apps without a workaround. The Azure AD Graph has been replaced with the Microsoft AD Graph, which is not supported by the go-autorest package. Instead, we'd have to use ms-graph-sdk-go and/or azure-sdk-for-go/tree/main/sdk/azidentity.

Either way, it'd be great to log the username if SSHPIPERD_CHALLENGER_AZDEVICECODE_NOREADGRAPH=false so I can just open a PR to get that in.

tg123 commented

PRs are welcome.
I did not notice the MS office of renaming had touched AAD, as the plugin was running fine.

tg123 commented

updated, see 9285824

Some params changed; tested with a newly created Azure app.

Amazing turnaround - works just as expected! Thank you @tg123!