Bug #14175
openLDAP authentication for SSH fails
Added by Georgiy Tyutyunnik almost 2 years ago. Updated over 1 year ago.
0%
Description
LDAP authentication fails for SSH user authentication via LDAP with error (Invalid credentials).
Same user successfully authenticates to GUI.
User group with shell access is defined on pfSense and recognized at LDAP login, Shell Authentication Group DN is defined.
Logs for successful gui and failed ssh logins are attached.
Updated by Lev Prokofev almost 2 years ago
Can confirm the issue.
23-03-24 21:18:47.864840+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Attempting to authenticate boba on LDAP_WIN 2023-03-24 21:18:47.864903+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: URI: ldap://192.168.200.41:389 (v3) 2023-03-24 21:18:47.864936+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Base DN: DC=tech,DC=local 2023-03-24 21:18:47.864967+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Scope: subtree 2023-03-24 21:18:47.864999+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Auth Bind DN: CN=bind,CN=Users,DC=tech,DC=local 2023-03-24 21:18:47.865030+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Container: OU=blah,DC=TECH,DC=LOCAL;OU=dah,OU=blah,DC=TECH,DC=LOCAL;CN=Users,DC=TECH,DC=LOCAL 2023-03-24 21:18:47.865062+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Attrs: Name: givenname / Group: memberOf 2023-03-24 21:18:47.865096+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Extended Query: 2023-03-24 21:18:47.865128+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Filter: (givenname=boba) 2023-03-24 21:18:47.865162+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Group Filter: 2023-03-24 21:18:47.865250+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: LDAP connection error flag: false 2023-03-24 21:18:47.867612+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Now Searching for boba in directory. 2023-03-24 21:18:47.867682+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Now searching in server LDAP_WIN, container OU=blah,DC=TECH,DC=LOCAL with filter (givenname=boba). 2023-03-24 21:18:47.868400+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Now searching in server LDAP_WIN, container OU=dah,OU=blah,DC=TECH,DC=LOCAL with filter (givenname=boba). 2023-03-24 21:18:47.869010+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Now searching in server LDAP_WIN, container CN=Users,DC=TECH,DC=LOCAL with filter (givenname=boba). 2023-03-24 21:18:47.871954+03:00 php-fpm 42033 /diag_authentication.php: LDAP Debug: Logged in successfully as boba via LDAP server LDAP_WIN with DN = CN=boba,CN=Users,DC=TECH,DC=LOCAL. 2023-03-24 21:18:56.432590+03:00 sshd 70310 Invalid user boba from x.x.x.x port 5952 2023-03-24 21:18:56.433279+03:00 sshguard 92433 Attack from "x.x.x.x" on service SSH with danger 10. 2023-03-24 21:18:56.953246+03:00 sshd 70310 Postponed keyboard-interactive for invalid user boba from x.x.x.x port 5952 ssh2 [preauth] 2023-03-24 21:19:01.267821+03:00 sshd 70310 pam_ldap: error trying to bind as user "CN=boba,CN=Users,DC=TECH,DC=LOCAL" (Invalid credentials) 2023-03-24 21:19:01.276544+03:00 sshd 70310 error: PAM: Authentication error for illegal user boba from x.x.x.x 2023-03-24 21:19:01.276981+03:00 sshguard 92433 Attack from "x.x.x.x" on service SSH with danger 10. 2023-03-24 21:19:01.277303+03:00 sshd 70310 Failed keyboard-interactive/pam for invalid user boba from x.x.x.x port 5952 ssh2 2023-03-24 21:19:01.625414+03:00 sshd 70310 Postponed keyboard-interactive for invalid user boba from x.x.x.x port 5952 ssh2 [preauth]
Updated by Jim Pingle over 1 year ago
Did the same configuration work before 23.01?
Updated by Lev Prokofev over 1 year ago
Tested on 2.5.1 and get the same auth error on an attempt to SSH.
Apr 7 06:44:12 sshd 63230 Invalid user boba from 10.150.0.2 port 5761
Apr 7 06:44:12 sshguard 63886 Attack from "10.150.0.2" on service SSH with danger 10.
Apr 7 06:44:12 sshd 63230 Postponed keyboard-interactive for invalid user boba from 10.150.0.2 port 5761 ssh2 [preauth]
Apr 7 06:44:16 sshd 63355 pam_ldap: error trying to bind as user "CN=boba,CN=Users,DC=TECH,DC=LOCAL" (Invalid credentials)
Apr 7 06:44:16 sshd 63230 error: PAM: Authentication error for illegal user boba from 10.150.0.2
Apr 7 06:44:16 sshd 63230 Failed keyboard-interactive/pam for invalid user boba from 10.150.0.2 port 5761 ssh2
Apr 7 06:44:16 sshguard 63886 Attack from "10.150.0.2" on service SSH with danger 10.
Apr 7 06:44:16 sshd 63230 Postponed keyboard-interactive for invalid user boba from 10.150.0.2 port 5761 ssh2 [preauth]
Apr 7 06:44:20 sshd 63562 pam_ldap: error trying to bind as user "CN=boba,CN=Users,DC=TECH,DC=LOCAL" (Invalid credentials)
Apr 7 06:44:20 sshd 63230 error: PAM: Authentication error for illegal user boba from 10.150.0.2
Apr 7 06:44:20 sshd 63230 Failed keyboard-interactive/pam for invalid user boba from 10.150.0.2 port 5761 ssh2
Apr 7 06:44:20 sshguard 63886 Attack from "10.150.0.2" on service SSH with danger 10.
Apr 7 06:44:20 sshguard 63886 Blocking "10.150.0.2/32" for 120 secs (3 attacks in 8 secs, after 1 abuses over 8 secs.)
Apr 7 06:44:52 login 74453 login on ttyv0 as root
Apr 7 06:46:48 nginx 2023/04/07 06:46:48 [crit] 18837#100152: *3 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 10.150.0.2, server: 0.0.0.0:443
Updated by Lev Prokofev over 1 year ago
The same on 2.6
Apr 7 07:48:07 sshd 35755 Invalid user boba from 10.150.0.2 port 13563
Apr 7 07:48:07 sshguard 85963 Attack from "10.150.0.2" on service SSH with danger 10.
Apr 7 07:48:07 sshd 35755 Postponed keyboard-interactive for invalid user boba from 10.150.0.2 port 13563 ssh2 [preauth]
Apr 7 07:48:11 sshd 36391 pam_ldap: error trying to bind as user "CN=boba,CN=Users,DC=TECH,DC=LOCAL" (Invalid credentials)
Apr 7 07:48:11 sshd 35755 error: PAM: Authentication error for illegal user boba from 10.150.0.2
Apr 7 07:48:11 sshd 35755 Failed keyboard-interactive/pam for invalid user boba from 10.150.0.2 port 13563 ssh2
Apr 7 07:48:11 sshguard 85963 Attack from "10.150.0.2" on service SSH with danger 10.
Apr 7 07:48:11 sshd 35755 Postponed keyboard-interactive for invalid user boba from 10.150.0.2 port 13563 ssh2 [preauth]
Updated by Marcos M over 1 year ago
- Priority changed from Normal to High
With Use Authentication Server for Shell Authentication
checked, this issue can prevent the firewall from booting correctly. The following is shown in the console:
Assertion failed: (lr->lr_refcnt == 1), function ldap_do_free_request, file request.c, line 970. Netgate pfSense Plus is now shutting down ...
Updated by Emre K over 1 year ago
Marcos M wrote in #note-6:
With
Use Authentication Server for Shell Authentication
checked, this issue can prevent the firewall from booting correctly. The following is shown in the console:
[...]
I am also getting similar weird responses from pfsense when trying to login via SSH by LDAP.
I can login to gui without a problem. But for ssh I had to define attributes on the DC and even then it is not consistent.
https://www.reddit.com/r/PFSENSE/comments/15hvp3w/microsoft_ad_ldap_shell_authentication/