Solved SSH AuthorizedKeysCommand failed status 1

I am trying to set up a FreeBSD server so that users can log in using their public keys stored in an LDAP server.
I have a similar setup on AlmaLinux, where I encountered the same issue I’m now facing on FreeBSD. On AlmaLinux, the issue was resolved by disabling SELinux.


The problem is that I’m using AuthorizedKeysCommand in sshd, which runs a script to retrieve the public key from LDAP.
The same script is used on AlmaLinux. When I run the script manually, it correctly returns the user's key. This also works on FreeBSD when run manually.

However, when attempting to log in via SSH on FreeBSD, I get the following error in /var/log/auth.log:
Code:
Jun 11 14:15:15 s_storage_users sshd[52893]: Connection from x.x.x.x port 48728 on x.x.x.x port 22
Jun 11 14:15:15 s_storage_users sshd[52893]: AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys u155a failed, status 1
Jun 11 14:15:15 s_storage_users sshd[52893]: Failed publickey for u155a from x.x.x.x port 48728 ssh2: RSA SHA256:fjW6/Nnlwj0oonyXWakngQgn8BmkxqZ4jfetmWqmMGA
Jun 11 14:15:15 s_storage_users sshd[52893]: AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys u155a failed, status 1
Jun 11 14:15:15 s_storage_users sshd[52893]: Failed publickey for u155a from x.x.x.x port 48728 ssh2: ED25519 SHA256:8SMsrGz+XC9lUUFZjfEa5N20AAJ93NRtZZsZPTrunzg
Jun 11 14:15:15 s_storage_users sshd[52893]: error: maximum authentication attempts exceeded for u155a from x.x.x.x port 48728 ssh2 [preauth]
Jun 11 14:15:15 s_storage_users sshd[52893]: Disconnecting authenticating user u155a x.x.x.x port 48728: Too many authentication failures [preauth]

sshd config:

Code:
PubkeyAuthentication yes
LogLevel DEBUG3
AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
AuthorizedKeysCommandUser root

File perms:
Code:
-rwxr-xr-x  1 root wheel 5441 Jun 11 13:01 /usr/local/bin/ldap-authorized-keys
 
Code:
AuthorizedKeysCommandUser root
That's probably a bad idea.

Code:
     AuthorizedKeysCommandUser
             Specifies the user under whose account the AuthorizedKeysCommand
             is run.  It is recommended to use a dedicated user that has no
             other role on the host than running authorized keys commands.  If
             AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser
             is not, then sshd(8) will refuse to start.
 
That's probably a bad idea.

Code:
     AuthorizedKeysCommandUser
             Specifies the user under whose account the AuthorizedKeysCommand
             is run.  It is recommended to use a dedicated user that has no
             other role on the host than running authorized keys commands.  If
             AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser
             is not, then sshd(8) will refuse to start.
I know it was just for testing. Do you have a suggestion for the issue?
 
Set AuthorizedKeysCommand to a shell script that execs the binary /usr/local/bin/ldap-authorized-keys
and redirects stderr and stdout to some file.
You may get more info this way.
Thanks! Good idea. I solved the issue by setting the full path for ldapsearch.
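Putting the two replies together, as an added example that is not code from the thread or from any of its posters: a wrapper in the shape the previous reply suggests (stderr, PATH, uid and exit status go to a log file, only stdout goes back to sshd), with ldapsearch called by absolute path as in the fix. The log path, LDAP URI, base DN, attribute name and the dedicated account name in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: a logging wrapper for an sshd
# AuthorizedKeysCommand plus the fixed key-fetching step.
#
# sshd runs AuthorizedKeysCommand as AuthorizedKeysCommandUser with a minimal
# environment, so a script that works from an interactive shell can still
# exit 1 under sshd (here "ldapsearch" was found through the login PATH but
# not under sshd). Writing stderr and the exit status to a file makes that
# visible. Log path, LDAP server, base DN and attribute name are placeholders.

LOG=/var/log/ldap-authorized-keys.log      # assumed log location
LDAPSEARCH=/usr/local/bin/ldapsearch       # absolute path: the actual fix
LDAP_URI=ldap://ldap.example.com           # placeholder
LDAP_BASE="ou=people,dc=example,dc=com"    # placeholder
KEY_ATTR=sshPublicKey                      # placeholder attribute name

# Accept only a plain account name: %u ends up inside an LDAP filter, so
# anything outside a conservative character set is refused.
validate_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run "$@", append timestamp, uid, PATH, stderr and exit status to $log, and
# pass only the command's stdout on to the caller (sshd expects authorized_keys
# lines on stdout and nothing else). Returns the command's own exit status.
logged_run() {
    log="$1"; shift
    out=$(mktemp) || return 1
    printf '== %s uid=%s PATH=%s cmd: %s\n' "$(date)" "$(id -u)" "$PATH" "$*" >> "$log"
    "$@" >"$out" 2>>"$log" && status=0 || status=$?
    printf '== exit status %s, stdout follows\n' "$status" >> "$log"
    cat "$out" >> "$log"
    cat "$out"
    rm -f "$out"
    return "$status"
}

# Query the directory for the user's key attribute, one key per output line.
# Pins PATH explicitly so helpers like sed resolve the same way under sshd as
# in a login shell, and calls ldapsearch by absolute path.
fetch_keys() {
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
    validate_user "$1" || { echo "refusing unexpected username: $1" >&2; return 1; }
    [ -x "$LDAPSEARCH" ] || { echo "missing or not executable: $LDAPSEARCH" >&2; return 1; }
    # -LLL: plain LDIF, no comments or version line. Values that ldapsearch
    # had to base64-encode appear as "attr:: ..." and are not handled here.
    "$LDAPSEARCH" -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" "(uid=$1)" "$KEY_ATTR" \
        | sed -n "s/^$KEY_ATTR: //p"
}

# Entry point when installed as /usr/local/bin/ldap-authorized-keys with
#   AuthorizedKeysCommand /usr/local/bin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser sshd_keys   (assumed dedicated account, not root)
# The log file must be writable by that account. The guard lets the functions
# be sourced for testing without running the query.
case "$0" in
    */ldap-authorized-keys|ldap-authorized-keys) logged_run "$LOG" fetch_keys "$1" ;;
esac
```

Once the log shows the real error (for instance a "command not found" line and the PATH sshd actually used), the wrapper can stay in place: it adds a few lines per login and keeps stdout clean for sshd.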
 