Vault SSH cannot connect to remote successfully

When I was testing Vault ssh-otp following the topic ssh-otp, I could not connect to the remote server successfully. Errors:
Output on local:

# ssh test@172.17.0.2
Password:
Password:
Authentication failed.

Log at remote:

# vault-ssh-helper -verify-only -dev -config /etc/vault-ssh-helper.d/config.hcl
2021/09/30 13:55:21 ==> WARNING: Dev mode is enabled!
2021/09/30 13:55:21 [INFO] using SSH mount point: ssh
2021/09/30 13:55:21 [INFO] using namespace:
2021/09/30 13:55:21 [INFO] vault-ssh-helper verification successful!
*** Thu Sep 30 13:55:33 2021
2021/09/30 13:55:34 ==> WARNING: Dev mode is enabled!
2021/09/30 13:55:34 [INFO] using SSH mount point: ssh
2021/09/30 13:55:34 [INFO] using namespace:
2021/09/30 13:55:34 [INFO] test@172.17.0.2 authenticated!

I don't know what's wrong with it.
Here is my configuration:

# vault read ssh/roles/otp_key_role
Key                  Value
---                  -----
allowed_users        n/a
cidr_list            0.0.0.0/0
default_user         test
exclude_cidr_list    n/a
key_type             otp
port                 22

# vault policy read test
# To list SSH secrets paths
path "ssh/*" {
  capabilities = [ "list" ]
}
# To use the configured SSH secrets engine otp_key_role role
path "ssh/creds/otp_key_role" {
  capabilities = ["create", "read", "update"]
}

# vault read auth/userpass/users/test
Key                        Value
---                        -----
policies                   [test]
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [test]
token_ttl                  0s
token_type                 default

ssh-helper on the remote; I didn't use TLS:
# cat /etc/vault-ssh-helper.d/config.hcl
vault_addr = "http://172.16.142.7:8200/"
tls_skip_verify = false
ssh_mount_point = "ssh"
allowed_roles = "*"

PAM and sshd are the same as in the docs.

[root@vault ~]# ssh test@172.17.0.2
Password:
Password:
Password:
test@172.17.0.2's password:
Permission denied, please try again.
test@172.17.0.2's password:
Permission denied, please try again.
test@172.17.0.2's password:
Received disconnect from 172.17.0.2 port 22:2: Too many authentication failures
Authentication failed.

*** Thu Sep 30 14:10:21 2021
2021/09/30 14:10:21 ==> WARNING: Dev mode is enabled!
2021/09/30 14:10:21 [INFO] using SSH mount point: ssh
2021/09/30 14:10:21 [INFO] using namespace:
2021/09/30 14:10:21 [INFO] test@172.17.0.2 authenticated!
*** Thu Sep 30 14:10:24 2021
2021/09/30 14:10:25 ==> WARNING: Dev mode is enabled!
2021/09/30 14:10:25 [INFO] using SSH mount point: ssh
2021/09/30 14:10:25 [INFO] using namespace:
2021/09/30 14:10:25 [ERROR]: Error making API request.

URL: PUT http://172.16.142.7:8200/v1/ssh/verify
Code: 400. Errors:

In the normal situation, when I execute ssh test@172.17.0.2, the remote only returns test@172.17.0.2 authenticated!, and then nothing! The connection does not succeed.

I have the same problem. Did you manage to solve this problem?

Not yet. I haven't found the current problem yet.

I'm also very confused. I've been confused for more than a day. I hope the boss will give a solution. :wink:

*** Mon Oct 11 11:33:00 2021
2021/10/11 11:33:00 ==> WARNING: Dev mode is enabled!
2021/10/11 11:33:00 [INFO] using SSH mount point: ssh
2021/10/11 11:33:00 [INFO] using namespace:
2021/10/11 11:33:00 [INFO] failed to validate IP: IP did not match any of the network interface addresses. If this was expected, configure the 'allowed_cidr_list' option to allow the IP.
2021/10/11 11:33:00 [ERROR]: IP did not match any of the network interface addresses. If this was expected, configure the 'allowed_cidr_list' option to allow the IP.

This is my log information, different from yours, but cidr_list is set to 0.0.0.0/0 in the list.

Is the option "allowed_cidr_list" the same as the cidr_list output?

I did not find where this option can be set. It seems that there are few examples of "failed to validate IP" errors. I'm very confused.

[root@liu ~]# cat /etc/vault-ssh-helper.d/config.hcl
vault_addr = "http://*.*.*.*:8200"
tls_skip_verify = true
ssh_mount_point = "ssh"
allowed_roles = "*"
allowed_cidr_list = "0.0.0.0/0"

https://github.com/hashicorp/vault-ssh-helper

This problem will not occur after adding this option to the configuration file. But I am still in the same dilemma as the original poster. The log shows that the authentication is successful, but I still can't connect.
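The "failed to validate IP" error above and the question of whether the role's cidr_list is the same thing as the helper's allowed_cidr_list both come down to one check the helper runs on the /v1/ssh/verify response. The following is an added example, not code from the thread or from vault-ssh-helper: it re-implements that acceptance decision in Python so the two settings can be compared offline. The interface addresses and verify responses are constructed sample data; the check mirrors the helper's documented behaviour (the OTP's IP must match a local interface address unless allowed_cidr_list covers it, and the username must match the PAM user).

```python
import ipaddress

# Constructed sample: the addresses the remote host's own interfaces carry.
# The real helper collects these from the local NICs at verify time.
LOCAL_INTERFACE_ADDRS = ["127.0.0.1", "172.17.0.2"]


def parse_cidr_list(value):
    """allowed_cidr_list in config.hcl is a comma-separated string, e.g. "0.0.0.0/0"."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def validate_ip(verified_ip, interface_addrs, allowed_cidr_list=""):
    """Accept the IP Vault hands back for the OTP only if it is one of this host's
    interface addresses or falls inside allowed_cidr_list (helper-side setting).
    The role's cidr_list is a different, Vault-side control: it limits which IPs
    Vault will issue an OTP for at all, so 0.0.0.0/0 there does not help here."""
    ip = ipaddress.ip_address(verified_ip)
    if any(ip == ipaddress.ip_address(a) for a in interface_addrs):
        return True, "matched interface address"
    for net in parse_cidr_list(allowed_cidr_list):
        if ip in net:
            return True, f"matched allowed_cidr_list entry {net}"
    return False, ("IP did not match any of the network interface addresses. "
                   "If this was expected, configure the 'allowed_cidr_list' "
                   "option to allow the IP.")


def check_verify_response(resp, pam_user, interface_addrs, allowed_cidr_list=""):
    """Decide whether a verify response (shape: {"data": {"ip": ..., "username": ...}})
    authenticates pam_user on this host. Returns (accepted, reason)."""
    data = resp.get("data") or {}
    if data.get("username") != pam_user:
        return False, "username in OTP does not match the PAM user"
    return validate_ip(data.get("ip", ""), interface_addrs, allowed_cidr_list)


if __name__ == "__main__":
    # Constructed verify responses: an OTP issued for this host, and one issued
    # for an address this host does not have (e.g. a NAT or load-balancer IP).
    ok_resp = {"data": {"ip": "172.17.0.2", "username": "test"}}
    nat_resp = {"data": {"ip": "10.9.8.7", "username": "test"}}
    for label, resp, cidrs in [("own address", ok_resp, ""),
                               ("foreign IP, no allowed_cidr_list", nat_resp, ""),
                               ("foreign IP, allowed_cidr_list=0.0.0.0/0", nat_resp, "0.0.0.0/0")]:
        print(label, "->", check_verify_response(resp, "test", LOCAL_INTERFACE_ADDRS, cidrs))
```

Note that accepting with allowed_cidr_list = "0.0.0.0/0" disables the interface check entirely; a tighter range that only covers the addresses the host is actually reached on keeps the OTP bound to the intended target.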