Netgate Discussion Forum

AD users SSH connection not working

  • V
    vrugaitis
    last edited by Sep 8, 2017, 11:45 AM

    Hello,

    SSH is enabled, the AD users belong to the group pfSense and the group pfSense has the following privileges.

    • WebCfg - All pages: Allow access to all pages

    • User - System: Shell account access: Indicates whether the user is able to login for example via SSH.

    • User - System: SSH tunneling: Indicates whether the user is able to login for tunneling via SSH when they have no shell access. Note: User - System - Copy files conflicts with this privilege.

    If I try to access pfSense via SSH, I get the error message that my password is wrong. The logs include the following entries.

    Sep 8 12:00:43 	sshd 	24523 	Invalid user USERNAME from x.x.x.x
    Sep 8 12:00:43 	sshd 	24523 	input_userauth_request: invalid user USERNAME [preauth]
    Sep 8 12:00:43 	sshd 	24523 	Postponed keyboard-interactive for invalid user USERNAME from x.x.x.x port 49783 ssh2 [preauth]
    Sep 8 12:00:47 	sshd 	24523 	error: PAM: authentication error for illegal user USERNAME from x.x.x.x
    Sep 8 12:00:47 	sshd 	24523 	Failed keyboard-interactive/pam for invalid user USERNAME from x.x.x.x port 49783 ssh2 
    

    What is going wrong? Thank you in advance!

    Kind regards,
    vrugaitis

    • G
      Gertjan
      last edited by Sep 8, 2017, 12:57 PM

      @vrugaitis:

      SSH is enabled, the AD users ….

      AD - what AD ?

      First things first :
      What pfSense version ? (ancient built-in (pfSense) OpenSSL libraries won't work at all with recent SSH clients)
      What SSH client ? (saw too many people trying to use PuTTY installed 6 years ago - that won't work either)
      Use the login "admin" and the password that goes with it.

      Now that works ?

      Btw : If you want to say that AD = Active Directory, then I'm out of ideas.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • V
        vrugaitis
        last edited by Sep 8, 2017, 1:07 PM

        Hello,

        here are the answers to your questions.

        What pfSense version ?

        2.3.4-RELEASE-p1 (amd64)
        built on Fri Jul 14 14:52:43 CDT 2017
        FreeBSD 10.3-RELEASE-p19

        What SSH client

        macOS Sierra
        OpenSSH_7.4p1, LibreSSL 2.5.0

        Use the login "admin" and the password that goes with it.

        Now that works ?

        Login via root works without any problems.

        Btw : If you want to say that AD = Active Directory, then I'm out of ideas.

        Your prediction is correct. So basically, root connection via SSH is working, the AD users can't connect via SSH, although they have the right privilege. But the AD users are able to log in to the webGUI. So the authentication via the Active Directory Domain Controller seems to work properly.

        Do you have any other ideas?

        Kind regards,
        vrugaitis

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Sep 8, 2017, 2:22 PM

          There is no mechanism in place to allow RADIUS or LDAP users to connect to ssh at this time. The authentication works only for the GUI itself and other areas that use the same mechanisms to authenticate (e.g. VPNs).

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

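A triage sketch for the log excerpt in the first post, added here as an example and not taken from the thread or from pfSense: it separates sshd failures where the name is not a system account (OpenSSH logs `Invalid user …`, the situation the reply above describes for RADIUS/LDAP users) from failures where a local account exists but authentication failed. The last sample line, the user `localadmin`, the address 192.0.2.10 and the function name `classify_failures` are constructed for illustration.

```python
import re

# Constructed sample: the first five lines follow the format of the excerpt in
# the first post (placeholder user and address); the last line is an invented
# contrast case, a local account with a wrong password.
SAMPLE_LOG = """\
Sep 8 12:00:43 sshd 24523 Invalid user USERNAME from x.x.x.x
Sep 8 12:00:43 sshd 24523 input_userauth_request: invalid user USERNAME [preauth]
Sep 8 12:00:43 sshd 24523 Postponed keyboard-interactive for invalid user USERNAME from x.x.x.x port 49783 ssh2 [preauth]
Sep 8 12:00:47 sshd 24523 error: PAM: authentication error for illegal user USERNAME from x.x.x.x
Sep 8 12:00:47 sshd 24523 Failed keyboard-interactive/pam for invalid user USERNAME from x.x.x.x port 49783 ssh2
Sep 8 12:05:10 sshd 24790 Failed password for localadmin from 192.0.2.10 port 49801 ssh2
"""

# "Invalid user X from Y": sshd found no system account named X.
INVALID = re.compile(r"\bInvalid user (?P<user>\S+) from (?P<src>\S+)")
# "Failed <method> for [invalid user ]X from Y": outcome of the attempt.
FAILED = re.compile(
    r"\bFailed (?P<method>\S+) for (?P<inv>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def classify_failures(log_text):
    """Map each user to a verdict, the source addresses and the auth methods seen."""
    result = {}
    for line in log_text.splitlines():
        inv, fail = INVALID.search(line), FAILED.search(line)
        m = inv or fail
        if not m:
            continue
        entry = result.setdefault(
            m["user"], {"verdict": "bad-credentials", "sources": set(), "methods": set()}
        )
        entry["sources"].add(m["src"])
        if fail:
            entry["methods"].add(fail["method"])
        # An account sshd cannot resolve outranks any later password failure.
        if inv or fail["inv"]:
            entry["verdict"] = "unknown-account"
    return result

if __name__ == "__main__":
    for user, info in classify_failures(SAMPLE_LOG).items():
        print(user, info["verdict"], sorted(info["sources"]), sorted(info["methods"]))
```

An `unknown-account` verdict means the password was never the deciding factor, even though the SSH client only reports a failed login.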
          • V
            vrugaitis
            last edited by Sep 8, 2017, 3:15 PM

            Thank you for the fast reply! Is this functionality on the roadmap or does it have such a low priority that it is unlikely to come?

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Sep 8, 2017, 3:17 PM

              It's not on anyone's radar or to-do list that I'm aware of.
