AD users SSH connection not working

vrugaitis · Sep 8, 2017, 11:45 AM

Hello,

SSH is enabled, the AD users belong to the group pfSense and the group pfSense has following privileges.

WebCfg - All pages: Allow access to all pages
User - System: Shell account access: Indicates whether the user is able to login for example via SSH.
User - System: SSH tunneling Indicates whether the user is able to login for tunneling via SSH when they have no shell access. Note: User - System - Copy files conflicts with this privilege.

If I try to access pfSense via SSH, I get the error message, that my password is wrong. The logs include following entries.

Sep 8 12:00:43 	sshd 	24523 	Invalid user USERNAME from x.x.x.x
Sep 8 12:00:43 	sshd 	24523 	input_userauth_request: invalid user USERNAME [preauth]
Sep 8 12:00:43 	sshd 	24523 	Postponed keyboard-interactive for invalid user USERNAME from x.x.x.x port 49783 ssh2 [preauth]
Sep 8 12:00:47 	sshd 	24523 	error: PAM: authentication error for illegal user USERNAME from x.x.x.x
Sep 8 12:00:47 	sshd 	24523 	Failed keyboard-interactive/pam for invalid user USERNAME from x.x.x.x port 49783 ssh2

What is going wrong? Thank you in advance!

Kind regards,
vrugaitis

Gertjan · Sep 8, 2017, 12:57 PM

@vrugaitis:

SSH is enabled, the AD users ….

AD - what AD ?

First things first :
What pfSense version ? (ancient build-in (pfSEnse) openssl libraries wont work at all with recent SSH clients)
What SSH client (saw to many people trying to use Putty installed 6 years ago - that won't work neither)
Use the login "admin" and the password that goes with it.

Now that works ?

Btw : If you want to say that AD = Active Directory, then I'm out of ideas.

vrugaitis · Sep 8, 2017, 1:07 PM

Hello,

here are the answers to your questions.

What pfSense version ?

2.3.4-RELEASE-p1 (amd64)
built on Fri Jul 14 14:52:43 CDT 2017
FreeBSD 10.3-RELEASE-p19

What SSH client

macOS Sierra
OpenSSH_7.4p1, LibreSSL 2.5.0

Use the login "admin" and the password that goes with it.

Now that works ?

Login via root works without any problems.

Btw : If you want to say that AD = Active Directory, then I'm out of ideas.

Your prediction is correct. So basically, root connection via SSH is working, the AD users can't connect via SSH, although they have the right priviledge. But the AD user are able to login to the webGUI. So the authentication via the Active Directory Domain Controller seems to work properly.

Do you have any other ideas?

Kind regards,
vrugaitis

jimp · Sep 8, 2017, 2:22 PM

There is no mechanism in place to allow RADIUS or LDAP users to connect to ssh at this time. The authentication works only for the GUI itself and other areas that use the same mechanisms to authenticate (e.g. VPNs)

vrugaitis · Sep 8, 2017, 3:15 PM

Thank you for the fast reply! Is this functionality on the roadmap or does it have such a low priority, that it is unlikely to come?

jimp · Sep 8, 2017, 3:17 PM

It's not on anyone's radar or to-do list that I'm aware of.