Login to SFTP/SSH using AD

Status
Not open for further replies.

alekstef

Cadet
Joined
Dec 17, 2013
Messages
4
Hi!

I want to use SFTP in order to allow remote users to access their content from outside my local network. The problem is, using an AD account to login to SFTP/SSH does not seem to work. I also tried with regular FTP / FTPS, but no luck. Honestly I'd rather use SFTP. Does anybody here know if it is possible in some way to login to SFTP using AD accounts?

I'm on FreeNAS 9.2.1.7-RELEASE-x64.

- Aleksander
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
To directly answer your question. Yes, it is possible to use an AD account to authenticate against an openssh server. You can use "ssh -vv username" to figure out exactly where things are breaking and maybe fix your authentication problems. You are going a bit beyond what people typically use FreeNAS / AD integration for.

That being said, typically a VPN is the proper answer to this sort of problem. If these are files in a CIFS share then you may encounter all sorts of weird permissions problems when using SFTP. It's better to stick with one protocol per dataset.
 

alekstef

Cadet
Joined
Dec 17, 2013
Messages
4
Thanks for the reply, anodos!

That being said, typically a VPN is the proper answer to this sort of problem. If these are files in a CIFS share then you may encounter all sorts of weird permissions problems when using SFTP. It's better to stick with one protocol per dataset.

I realise that VPN is the proper way to go, completely agree with you there. The reason I am not going for VPN in this case is that there is some bug with the OSX IPSec implementation, which makes the VPN connection time out every one and a half hours or so. Since all remote users are on Macs and they usually transfer larger files, it is impossible to use VPN, unfortunately. But that's a whole other topic.

To directly answer your question. Yes, it is possible to use an AD account to authenticate against an openssh server. You can use "ssh -vv username" to figure out exactly where things are breaking and maybe fix your authentication problems. You are going a bit beyond what people typically use FreeNAS / AD integration for.

I tried to connect to the FreeNAS server this way: ssh -p 77 -vv alekstef@my.hostname.com

Where alekstef is the AD username. Basically, this is the relevant part of what came out:
alekstef@my.hostname.com's password:

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again

Then I checked /var/auth.log, which outputs the following:
Sep 23 12:27:55 egil sshd[2920]: Invalid user alekstef from 10.21.21.129
Sep 23 12:27:55 egil sshd[2920]: input_userauth_request: invalid user alekstef [preauth]
Sep 23 12:28:01 egil sshd[2920]: Failed password for invalid user alekstef from 10.21.21.129 port 51139 ssh2
Sep 23 12:28:53 egil sshd[2920]: Connection closed by 10.21.21.129 [preauth]

I also noticed that /etc/pam.d/sshd is configured to allow AD authentication (as far as I can see), so I really can't seem to understand the problem. Is it necessary to configure /etc/pam.d/system with these same parameters in order to be able to login locally with AD-accounts? Any ideas?

Thanks again!
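The auth.log lines in the post above are the key diagnostic. OpenSSH logs "Invalid user NAME" when it cannot resolve NAME to an account through getpwnam(), i.e. through NSS (nsswitch.conf and, for AD accounts, winbind). That check happens before pam_winbind is ever asked to authenticate that name, so no change to the /etc/pam.d files can fix it; the thing to verify on the server is whether `getent passwd NAME` returns the AD user at all. The following Python is an added example, not code from the thread or from FreeNAS: it classifies sshd auth-log lines into "user unknown to NSS" versus "user known, credential rejected" and names the check to run next. The four alekstef lines are copied from the post; the two jdoe lines are constructed for contrast.

```python
"""Triage OpenSSH auth-log lines: is the user unknown to the system, or was the credential rejected?

Added example (not from the thread or from FreeNAS). sshd logs "Invalid user NAME" when
getpwnam(NAME) fails, i.e. NSS cannot resolve the name; that happens before pam_winbind is
ever asked to authenticate NAME, so no PAM change fixes it.
"""
import re
from collections import defaultdict

# The four alekstef lines are copied from the post; the two jdoe lines are constructed
# to show what a resolvable user looks like (one rejected password, then a success).
SAMPLE_LOG = """\
Sep 23 12:27:55 egil sshd[2920]: Invalid user alekstef from 10.21.21.129
Sep 23 12:27:55 egil sshd[2920]: input_userauth_request: invalid user alekstef [preauth]
Sep 23 12:28:01 egil sshd[2920]: Failed password for invalid user alekstef from 10.21.21.129 port 51139 ssh2
Sep 23 12:28:53 egil sshd[2920]: Connection closed by 10.21.21.129 [preauth]
Sep 23 12:30:10 egil sshd[2931]: Failed password for jdoe from 10.21.21.129 port 51140 ssh2
Sep 23 12:30:15 egil sshd[2931]: Accepted password for jdoe from 10.21.21.129 port 51140 ssh2
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed (\w+) for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

# What to run next on the server for each verdict (the verdict names are this example's own;
# getent and wbinfo are the standard NSS / winbind tools).
NEXT_STEP = {
    "unknown_user": "name does not resolve: run `getent passwd USER` and check nsswitch.conf / winbind (`wbinfo -u`)",
    "credential_rejected": "name resolves: the PAM stack rejected the credential, look at pam_winbind / pam_unix",
    "accepted": "login succeeded",
}


def classify_line(line):
    """Return (event, user, source_ip), or None for lines that carry no auth decision."""
    m = INVALID_USER.search(line)
    if m:
        return ("unknown_user", m.group(1), m.group(2))
    m = FAILED.search(line)
    if m:
        # "Failed password for invalid user X" is still an NSS failure, not a PAM one
        event = "unknown_user" if m.group(2) else "credential_rejected"
        return (event, m.group(3), m.group(4))
    m = ACCEPTED.search(line)
    if m:
        return ("accepted", m.group(2), m.group(3))
    return None


def diagnose(log_text):
    """Map each user seen in the log to one verdict (accepted > unknown_user > credential_rejected)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is not None:
            event, user, _source = hit
            seen[user].add(event)
    verdict = {}
    for user, events in seen.items():
        for candidate in ("accepted", "unknown_user", "credential_rejected"):
            if candidate in events:
                verdict[user] = candidate
                break
    return verdict


if __name__ == "__main__":
    for user, v in diagnose(SAMPLE_LOG).items():
        print(f"{user}: {v} -> {NEXT_STEP[v]}")
```

Run against the sample, alekstef comes out as `unknown_user` and jdoe as `accepted`; a real run would read `/var/log/auth.log` instead of the embedded string. The point of separating the two failure classes is that they are fixed in different places: an unknown user is an NSS/winbind problem (the name never reaches PAM), a rejected credential is a PAM or domain problem.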
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I just tested it. It works fine for me, but I think you are inputting your username wrong. The error you posted indicates that your username doesn't exist. Have you tried using "alekstef" instead of "alekstef@my.hostname.com"? (This is the way things work on my FreeNAS box that is an AD member server). For reference, here are a few of my config files:
Code:
$ cat /etc/ssh/sshd_config
Protocol 2
UseDNS no
Subsystem       sftp    /usr/libexec/sftp-server -l ERROR -f AUTH
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
Port 22
AllowTcpForwarding no
Compression no
PasswordAuthentication yes
PubkeyAuthentication yes 

Code:
$ cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.18 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so   silent try_first_pass krb5_auth krb5_ccache_type=FILE
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so
session         required        /usr/local/lib/pam_mkhomedir.so

# password
password        sufficient      /usr/local/lib/pam_winbind.so   try_first_pass krb5_auth krb5_ccache_type=FILE
password        required        pam_unix.so             no_warn try_first_pass


Let me know if you want me to post any other config files. Is there any technical reason you can't use OpenVPN?
 

alekstef

Cadet
Joined
Dec 17, 2013
Messages
4
Thanks. As far as I can see, our config files are the same, except I changed the SSH port to 77. Could you post your /etc/pam.d/system file? I'd like to see if you have pam_winbind in there.

I tried logging in with ssh -vv -p 77 -l alekstef my.hostname.com, but it didn't work. I get the same response. Also tried using HQ\alekstef and HQ/alekstef (HQ being the NetBIOS domain name). Very odd, especially if it works for you. My FreeNAS box is not functioning as a DC, though, it is merely a member. Maybe the problem is related to that somehow.

I'm not sure about OpenVPN. The IPSec was set up on the pfsense router by someone else, and to be honest, I don't know much about VPN in general. But I believe the guy who set it up, had a good reason for choosing IPSec. I just don't remember what it was.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
To clarify - my server is a member server. It is not a DC. Try logging in with just your username "alekstef". That is how I log into my server (i.e. no hostname, domain name, etc.).
Code:
$ cat /etc/pam.d/system
#
# $FreeBSD: src/etc/pam.d/system,v 1.3 2009/10/05 09:28:54 des Exp $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


On a side note, it may be good to document the reason why the previous guy chose IPSEC over OpenVPN. Documenting everything about your network is a good way of avoiding problems down the road. I've personally had no problems using OpenVPN with OSX (I used it to stream my netflix when I was an aid worker in a developing country). It is very stable.
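With both /etc/pam.d/sshd and /etc/pam.d/system now posted, the comparison alekstef was doing by eye can be made mechanical. sshd authenticates under the PAM service name "sshd", so OpenPAM reads /etc/pam.d/sshd; the "system" file is not consulted for SSH logins, which is why anodos's system stack carries no pam_winbind line yet AD logins work for him. The following Python is an added example, not code from the thread or from FreeNAS: it parses the auth and account chains of the two files as posted above (comments and whitespace are ignored, module paths reduced to basenames), checks that pam_winbind takes part in both the auth and the account phase, and lists every position where two stacks differ.

```python
"""Parse OpenPAM/FreeBSD pam.d service files and compare two stacks structurally.

Added example (not from the thread or from FreeNAS). The two stacks below are the
auth/account parts of the /etc/pam.d/sshd and /etc/pam.d/system files posted above;
comments and whitespace do not affect PAM, so the parser drops them. sshd uses the
"sshd" service file, so pam_winbind only has to appear there, not in "system".
"""

SSHD_STACK = """\
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so   silent try_first_pass krb5_auth krb5_ccache_type=FILE
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_nologin.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
account         required        pam_unix.so
"""

SYSTEM_STACK = """\
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
"""


def parse_pam(text):
    """Return {facility: [(control, module, args)]} in file order, comments and blank lines dropped.

    Module paths are reduced to their basename so /usr/local/lib/pam_winbind.so and
    pam_winbind.so compare equal; args are kept as a tuple because their order matters.
    """
    stack = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        facility, control, module, *args = parts
        module = module.rsplit("/", 1)[-1]
        stack.setdefault(facility, []).append((control, module, tuple(args)))
    return stack


def modules_for(stack, facility):
    """Module basenames in the order PAM will call them for one facility."""
    return [module for _, module, _ in stack.get(facility, ())]


def handles_ad_login(stack):
    """An AD login needs pam_winbind in both the auth and the account chain."""
    return all("pam_winbind.so" in modules_for(stack, fac) for fac in ("auth", "account"))


def diff_stacks(a, b):
    """Positions where two parsed stacks differ: [(facility, index, entry_a_or_None, entry_b_or_None)]."""
    out = []
    for facility in sorted(set(a) | set(b)):
        ea, eb = a.get(facility, []), b.get(facility, [])
        for i in range(max(len(ea), len(eb))):
            x = ea[i] if i < len(ea) else None
            y = eb[i] if i < len(eb) else None
            if x != y:
                out.append((facility, i, x, y))
    return out


if __name__ == "__main__":
    sshd, system = parse_pam(SSHD_STACK), parse_pam(SYSTEM_STACK)
    print("sshd stack handles AD logins:", handles_ad_login(sshd))
    print("system stack handles AD logins:", handles_ad_login(system))
    for facility, i, x, y in diff_stacks(sshd, system):
        print(f"{facility}[{i}]: {x} != {y}")
```

To compare two boxes, paste each one's /etc/pam.d/sshd into `parse_pam` and feed both to `diff_stacks`; an empty result means the stacks are identical as PAM sees them, and in that case an "Invalid user" in auth.log points away from PAM altogether, towards name resolution (nsswitch.conf and winbind) on the failing machine.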
 

alekstef

Cadet
Joined
Dec 17, 2013
Messages
4
To clarify - my server is a member server. It is not a DC. Try logging in with just your username "alekstef". That is how I log into my server (i.e. no hostname, domain name, etc.).
Ah, ok. That is what I tried to do - ssh -p 77 -vv -l alekstef my.hostname.com - still get the same result. Very odd. Our /etc/pam.d/system files are the same as well.

On a side note, it may be good to document the reason why the previous guy chose IPSEC over OpenVPN. Documenting everything about your network is a good way of avoiding problems down the road. I've personally had no problems using OpenVPN with OSX (I used it to stream my netflix when I was an aid worker in a developing country). It is very stable.
Just asked him, and the reason was that with OpenVPN you need a separate VPN client, which I suppose is a bit more cumbersome than just using the internal IPSec implementation. Especially since we often set up these connections on the fly. But maybe that is what we need to do: use a separate client, and maybe also switch to OpenVPN. Nevertheless, I'd love to get this working. Am quite curious why it works on your setup and not mine...
 