Comments (12)
> francoismichel, Also how to specify folder/file, where server logs should be stored?

You can do so by setting the SSH3_LOG_FILE environment variable. By default it is /var/log/ssh3.log.

> Could you add some more info in logging?

Can you provide an example of logging you already have and that does not allow debugging the error? That will help me to know what additional logging is needed.

@shizzgar
Are you sure that your config files, authorized_identities in the server and oidc_config.json in the client, are configured as I wrote?
I checked by example in another instance, and all is working. Keycloak client parameters are default, except "Client authentication" is on.

@vaminakov I was unable to configure a generic redirect URI that would be matched positively. See:
Would you be able to provide a complete walkthrough that allowed you to log in to SSH3 successfully via OIDC? Unfortunately the existing documentation is a little sparse around configuring the OIDC provider according to the specification, so that it is compatible with what the SSH3 server and client expect.

Following this issue, commit 3c97486 adds more logging to help debugging the auth process.
An error so early in the process makes me think that either the OIDC config file is the cause or the issuer URL specified in the CLI does not exactly match the one in the OIDC config file.
Can you try again with the main branch and let me know the result?

Hi francoismichel!
I have built from the main branch and this is my current log:
9:54PM DBG version 0.1.5-rc5
9:54PM DBG open OIDC config from /home/user/.ssh3/oidc_config.json
9:54PM DBG successfully parsed OIDC config
9:54PM DBG add OIDC auth, 1 issuers in configs
9:54PM DBG issuer https://eiam.example.com/realms/example-stands-vpn/.well-known/openid-configuration does not match issuer URL https://eiam.example.com/realms/example-stands-vpn specified in the command-line
9:54PM DBG dialing QUIC host at 172.19.232.98:444
2024/01/11 21:54:52 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
9:54PM DBG QUIC handshake complete
9:54PM ERR could not dial stand1.example.com:444/testssh3: no suitable identity found
How can I make the logs more verbose?
I want to use Keycloak as my OIDC provider too.

I was able to successfully log in using Keycloak as OIDC provider.
- Make a new client in Keycloak with default settings (enable auth) and add localhost as a valid redirect URL (is that a security risk?)
- Add to .ssh3/authorized_identities in the server:
  oidc KEYCLOAK_CLIENT_ID https://KEYCLOAK_DOMAIN/realms/master SERVER_USER
- Add to .ssh3/oidc_config.json in the client:
  [
    {
      "issuer_url": "https://KEYCLOAK_DOMAIN/realms/master",
      "client_id": "KEYCLOAK_CLIENT_ID",
      "client_secret": "SECRET"
    }
  ]
Then
  ./ssh3 -use-oidc https://KEYCLOAK_DOMAIN/realms/master user@server:port/uri
BUT
- client parameters MUST be before the server part; if you put -v or -use-oidc at the end, it will not work
- ssh3-server does NOT check the local user in .ssh3/authorized_identities (only the OIDC user), so you may log in as ANY user on the server; this is a serious security risk. Maybe it is a good idea to add an additional parameter in authorized_identities: the local user who is allowed to log in?

And another idea. I don't think that storing the client id and secret in the client part is good; maybe it should be in the server, and it sends the technical info to the client while handshaking? So the client only needs to do ./ssh3 -use-oidc user@server:port/uri and, depending on "user", the server will send some info to the client from its oidc_config.json.

vaminakov, could you please give a Keycloak configuration page screenshot?
What params exactly did you use? I can't set the Keycloak params properly to make it work...
I set all things as in your instruction, but now I'm getting an unauthorized error...
./ssh3 -use-oidc https://keycloak.example.com/realms/example -v server/ssh
5:55PM DBG version 0.1.5-rc5
5:55PM DBG no OIDC config file specified, use default file: /home/user/.ssh3/oidc_config.json
5:55PM DBG successfully parsed OIDC config
5:55PM DBG add OIDC auth, 1 issuers in configs
5:55PM DBG found issuer https://keycloak.example.com/realms/example matching the issuer specified in the command-line
5:55PM DBG dialing QUIC host at 172.19.232.98:444
2024/01/12 17:55:33 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
5:55PM DBG QUIC handshake complete
5:55PM DBG try OIDC auth to issuer https://keycloak.example.com/realms/example
5:55PM DBG spawning browser at https://keycloak.example.com/realms/example/protocol/openid-connect/auth?client_id=ssh3-oidc&redirect_uri=http%3A%2F%2Flocalhost%3A34193%2Fssh%2F882a56e197d712b2760ce7f0c20555d4b9887a9a195ef85626e0bd9177984667c3dd6b54bb4b3afeaf4ff80c8f2eaacdead17f9060a7a54a28dca05c33295009&response_type=code&scope=openid+email&state=state
5:55PM DBG got token: someTokenReturnedFromKK
5:55PM DBG we only try the first specified auth method for now
5:55PM DBG try the following Identity: raw-bearer-identity
5:55PM DBG send CONNECT request to the server
5:55PM ERR Access denied from the server: unauthorized
5:55PM ERR could not dial server.example.com:444/ssh: Unauthorized

francoismichel, Also how to specify folder/file, where server logs should be stored?
And is there any ability to increase server log verbosity?
UPD: Thanks, I get it: #68 (comment), but this is the same as the -v flag. Could you add some more info in logging?

> ssh3-server does NOT check the local user in .ssh3/authorized_identities (only the OIDC user), so you may log in as ANY user on the server; this is a serious security risk. Maybe it is a good idea to add an additional parameter in authorized_identities: the local user who is allowed to log in?

The server only checks the .ssh3/authorized_identities of the local user. If you log in as the user my-user, the server only reads the identities file under /home/my-user/.ssh3/authorized_identities, so one can only log in as the my-user local user if the OIDC identity line is present in /home/my-user/.ssh3/authorized_identities.

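An added example, not code from the ssh3 project or from anyone in this thread, that models in Python the two checks discussed above: the client's exact-match lookup of the -use-oidc issuer URL in oidc_config.json (the near-miss in the earlier log, where the configured issuer_url carried a trailing /.well-known/openid-configuration), and the server-side per-user authorized_identities lookup described in the maintainer's reply. The file contents are constructed inline; the four-field line layout follows the line in vaminakov's walkthrough, the user field is assumed to be an e-mail, and an in-memory map stands in for /home/<user>/.ssh3/authorized_identities.

```python
import json

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
# Constructed client config: the issuer_url wrongly carries the discovery path, which is
# the near-miss behind "does not match issuer URL ... specified in the command-line".
OIDC_CONFIG_JSON = """[
  {"issuer_url": "https://KEYCLOAK_DOMAIN/realms/master/.well-known/openid-configuration",
   "client_id": "KEYCLOAK_CLIENT_ID", "client_secret": "SECRET"}
]"""

# Constructed stand-in for /home/<user>/.ssh3/authorized_identities, one entry per local user.
# Line layout follows the walkthrough: oidc CLIENT_ID ISSUER_URL OIDC_USER (an assumed email).
HOME_DIRS = {
    "my-user": "oidc KEYCLOAK_CLIENT_ID https://KEYCLOAK_DOMAIN/realms/master alice@example.com\n",
    "root": "",  # no OIDC line here, so the same token must not open a root session
}

def find_issuer(config_text, cli_issuer):
    """Exact string match between the -use-oidc URL and an issuer_url entry, nothing looser."""
    for entry in json.loads(config_text):
        if entry["issuer_url"] == cli_issuer:
            return entry
    return None

def diagnose_issuer(config_text, cli_issuer):
    """On a miss, report whether only the discovery path or a trailing slash is to blame."""
    if find_issuer(config_text, cli_issuer) is not None:
        return "ok"
    for entry in json.loads(config_text):
        url = entry["issuer_url"]
        if url.endswith(DISCOVERY_SUFFIX):
            url = url[: -len(DISCOVERY_SUFFIX)]
        if url.rstrip("/") == cli_issuer.rstrip("/"):
            return "near-miss: use the bare realm URL, without discovery path or trailing slash, in both places"
    return "no issuer_url in oidc_config.json matches the command line"

def parse_authorized_identities(text):
    """Return (client_id, issuer_url, user) for each 'oidc' line; other identity types are skipped."""
    identities = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "oidc":
            identities.append((parts[1], parts[2], parts[3]))
    return identities

def is_authorized(home_dirs, local_user, client_id, issuer_url, oidc_user):
    """Only the requested local user's own file is read, so the line's location decides the account."""
    text = home_dirs.get(local_user, "")
    return (client_id, issuer_url, oidc_user) in parse_authorized_identities(text)
```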
> And another idea. I don't think that storing the client id and secret in the client part is good; maybe it should be in the server, and it sends the technical info to the client while handshaking? So the client only needs to do ./ssh3 -use-oidc user@server:port/uri and, depending on "user", the server will send some info to the client from its oidc_config.json.

I agree that storing the client/secret combo in a file on the client is a bad idea. There are several solutions I thought of. Your proposition is a good candidate. Another idea would be to rely on the operating system's secure keyring.

> @shizzgar Are you sure that your config files, authorized_identities in the server and oidc_config.json in the client, are configured as I wrote? I checked by example in another instance, and all is working. Keycloak client parameters are default, except "Client authentication" is on.

Thanks, I'll try today again)