When I test Vault ssh-otp following the ssh-otp topic, I cannot connect to the remote server successfully. Errors:
Output on the local side:
# ssh test@172.17.0.2
Password:
Password:
Authentication failed.
Log on the remote side:
# vault-ssh-helper -verify-only -dev -config /etc/vault-ssh-helper.d/config.hcl
2021/09/30 13:55:21 ==> WARNING: Dev mode is enabled!
2021/09/30 13:55:21 [INFO] using SSH mount point: ssh
2021/09/30 13:55:21 [INFO] using namespace:
2021/09/30 13:55:21 [INFO] vault-ssh-helper verification successful!
*** Thu Sep 30 13:55:33 2021
2021/09/30 13:55:34 ==> WARNING: Dev mode is enabled!
2021/09/30 13:55:34 [INFO] using SSH mount point: ssh
2021/09/30 13:55:34 [INFO] using namespace:
2021/09/30 13:55:34 [INFO] test@172.17.0.2 authenticated!
I don't know what's wrong with it.
Here is my configuration:
# vault read ssh/roles/otp_key_role
Key Value
--- -----
allowed_users n/a
cidr_list 0.0.0.0/0
default_user test
exclude_cidr_list n/a
key_type otp
port 22
# vault policy read test
# To list SSH secrets paths
path "ssh/*" {
capabilities = [ "list" ]
}
# To use the configured SSH secrets engine otp_key_role role
path "ssh/creds/otp_key_role" {
capabilities = ["create", "read", "update"]
}
# vault read auth/userpass/users/test
Key Value
--- -----
policies [test]
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies [test]
token_ttl 0s
token_type default
ssh-helper on the remote; I didn't use TLS:
# cat /etc/vault-ssh-helper.d/config.hcl
vault_addr = "http://172.16.142.7:8200/"
tls_skip_verify = false
ssh_mount_point = "ssh"
allowed_roles = "*"
PAM and sshd are the same as in the docs.
[root@vault ~]# ssh test@172.17.0.2
Password:
Password:
Password:
test@172.17.0.2's password:
Permission denied, please try again.
test@172.17.0.2's password:
Permission denied, please try again.
test@172.17.0.2's password:
Received disconnect from 172.17.0.2 port 22:2: Too many authentication failures
Authentication failed.
*** Thu Sep 30 14:10:21 2021
2021/09/30 14:10:21 ==> WARNING: Dev mode is enabled!
2021/09/30 14:10:21 [INFO] using SSH mount point: ssh
2021/09/30 14:10:21 [INFO] using namespace:
2021/09/30 14:10:21 [INFO] test@172.17.0.2 authenticated!
*** Thu Sep 30 14:10:24 2021
2021/09/30 14:10:25 ==> WARNING: Dev mode is enabled!
2021/09/30 14:10:25 [INFO] using SSH mount point: ssh
2021/09/30 14:10:25 [INFO] using namespace:
2021/09/30 14:10:25 [ERROR]: Error making API request.
URL: PUT http://172.16.142.7:8200/v1/ssh/verify
Code: 400. Errors:
In the normal situation, when I execute ssh test@172.17.0.2, the remote only returns test@172.17.0.2 authenticated!, and then nothing! The connection does not succeed.
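For readers following this thread, here is an added example (not code from the original post, and not Vault's or vault-ssh-helper's own implementation) that simulates the two Vault calls involved in the OTP flow: ssh/creds/<role> issuing a one-time password bound to a username and target IP, and ssh/verify consuming it. The helper side mirrors the checks vault-ssh-helper is documented to perform after a successful verify (the returned username must equal the PAM user and the returned IP must be one of the host's addresses). MockVault, helper_verify and demo are names assumed for this example; the role settings and the 172.17.0.2 address are taken from the post. The point it demonstrates is that an OTP is single-use: once a verify has accepted it, sending the same OTP to ssh/verify again comes back as a 400, which is one way a PUT to /v1/ssh/verify can fail with that code.

```python
"""Offline simulation of Vault's SSH OTP flow (ssh/creds -> ssh/verify).

Added example: MockVault is an in-memory stand-in for the ssh secrets
engine with key_type=otp, and helper_verify mimics the checks
vault-ssh-helper applies to the verify response. Neither is the real code.
"""
import ipaddress
import uuid


class VaultError(Exception):
    """Stands in for an HTTP error response from the Vault API."""

    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status = status
        self.message = message


class MockVault:
    """Assumed stand-in for an ssh mount holding OTP roles."""

    def __init__(self, roles):
        # role name -> {"default_user": str, "cidr_list": [str], "port": int}
        self.roles = roles
        # issued OTPs: otp -> {"username", "ip", "port"}; removed on first verify
        self.otps = {}

    def creds(self, role, ip, username=None):
        """Like `vault write ssh/creds/<role> ip=<ip>`: issue a one-time password."""
        r = self.roles[role]
        user = username or r["default_user"]
        addr = ipaddress.ip_address(ip)
        # The target IP must fall inside the role's cidr_list (0.0.0.0/0 allows any).
        if not any(addr in ipaddress.ip_network(c) for c in r["cidr_list"]):
            raise VaultError(400, f"IP {ip} is not in the role's cidr_list")
        otp = str(uuid.uuid4())
        self.otps[otp] = {"username": user, "ip": ip, "port": r["port"]}
        return {"key": otp, **self.otps[otp]}

    def verify(self, otp):
        """Like `PUT /v1/ssh/verify`: consume the OTP; it is valid exactly once."""
        entry = self.otps.pop(otp, None)
        if entry is None:
            raise VaultError(400, "OTP not found")
        return entry


def helper_verify(vault, pam_user, local_ips, otp):
    """Mimic vault-ssh-helper running under pam_exec for `pam_user`.

    `local_ips` stands for the addresses of the host's interfaces, which the
    real helper compares against the `ip` field of the verify response.
    Returns (ok, message) instead of exiting, so the caller can inspect it.
    """
    try:
        data = vault.verify(otp)
    except VaultError as e:
        return False, f"Error making API request. Code: {e.status}. Errors: {e.message}"
    if data["username"] != pam_user:
        return False, f"username {data['username']} does not match PAM user {pam_user}"
    if data["ip"] not in local_ips:
        return False, f"ip {data['ip']} is not one of this host's addresses"
    return True, f"{pam_user}@{data['ip']} authenticated!"


def demo():
    """Issue one OTP and present it twice, as a retried PAM prompt would."""
    vault = MockVault({
        "otp_key_role": {"default_user": "test", "cidr_list": ["0.0.0.0/0"], "port": 22},
    })
    cred = vault.creds("otp_key_role", ip="172.17.0.2")
    first = helper_verify(vault, "test", {"172.17.0.2"}, cred["key"])
    second = helper_verify(vault, "test", {"172.17.0.2"}, cred["key"])
    return first, second


if __name__ == "__main__":
    for ok, msg in demo():
        print("OK " if ok else "ERR", msg)
```

Running it prints the first verify as accepted and the second as a 400, because the OTP was removed from the mock on first use; a mismatched PAM user or an IP that is not on the host is also rejected by the helper even though Vault itself accepted the OTP.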