goconserver icon indicating copy to clipboard operation
goconserver copied to clipboard

Published 20 hours ago verified publisher icon xcat2

add keyboard-interactive auth method

Open banuchka opened this issue 4 years ago • 2 comments

ssh auth with only Password auth doesn't work for some server's platforms. For example on Dell R520/620/720 where you can't use ssh key auth because of license.

banuchka avatar Apr 09 '20 09:04 banuchka

@banuchka Thank you for the contribution. I do not have access to Dell machines. Is there a way to test your changes on a different type of machine ? Can you explain the problem in a little more detail ?

gurevichmark avatar May 28 '20 18:05 gurevichmark

From some point of time Dell deprecated support for their IDRAC only with password method(not only Dell i think because of security reasons). So if client use only password method we have no luck to get into IDRAC/mgm module, for example:

ssh -v -o PreferredAuthentications=password SOMEHOST -l root ... debug1: Authentications that can continue: password debug1: Next authentication method: password root@SOMEHOST's password: <== asked for password here once Authenticated with partial success. <== debug1: Authentications that can continue: keyboard-interactive <== debug1: No more authentication methods to try. <== root@SOMEHOST: Permission denied (keyboard-interactive). <==

the reason is that the client limit it's methods only with password.

As soon as we just add support for keyboard-interactive method(we don't need to interact different with the host. For example we don't need to enter password interactive or answer questions etc), auth goes well:

ssh -v SOMEHOST -l root debug1: Authentications that can continue: password debug1: Next authentication method: password root@SOMEHOST's password: <== asked for password here once Authenticated with partial success. debug1: Authentications that can continue: keyboard-interactive debug1: Next authentication method: keyboard-interactive debug1: Authentication succeeded (keyboard-interactive). Authenticated to SOMEHOST ([1.2.3.4]:22). /admin1->

I've added support not only for password auth on client side for goconserver and after that I may use ssh auth for my nodes.

@gurevichmark hope I've explained problem, did I?

Maybe it may help someone who is having problems with the same type of issue.

Thanks

UPD: one more example from goconserver's log when trying to use passwd auth for IDRAC where password auth is restricted for security reasons {"file":"github.com/xcat2/goconserver/plugins/sshcmd.go (92)","level":"error","msg":"ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain","node":"www2","time":"2020-06-15T21:4 4:12Z"}

banuchka avatar May 29 '20 06:05 banuchka