use_pam_auth doesn't work with interactive password input #29628

Closed
badsmoke opened this issue Jul 26, 2023 · 7 comments
Labels
bug PAM Label related to Pluggable Authentication Module (PAM) Submethod.

Comments

@badsmoke

badsmoke commented Jul 26, 2023

Expected behavior:

use_pam_auth: true in the teleport.yaml activates the password input

Current behavior:

nothing appears

when you press enter an error occurs

disconnected
Failed to launch: Authentication failure.
Process exited with status 255

Bug details:

  • Teleport version: 13.2.3
  • Recreation steps:

/etc/teleport.yaml

Activate pam and use_pam_auth:

version: v3
teleport:
  nodename: loki
  data_dir: /var/lib/teleport
  join_params:
    token_name: asdasdasd
    method: token
  proxy_server: web.teleport.domain.com:443
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: sha256:asdasdas
  diag_addr: ""
auth_service:
  enabled: "no"
ssh_service:
  enabled: "yes"
  pam:
      enabled: true
      service_name: "sshd"
      use_pam_auth: true

  labels:
    teleport.internal/resource-id: asdasd
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "no"
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
  • Debug logs
-- Logs begin at Sat 2023-07-22 04:21:25 UTC. --
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z INFO [PROC:1]    Connecting to the cluster web.teleport.domain.com with TLS client certificate. pid:1085537.1 service/connect.go:258
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Attempting to connect to Auth Server through tunnel. pid:1085537.1 proxy-server:web.teleport.domain.com:443 service/connect.go:1128
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU             Attempting GET web.teleport.domain.com:443/webapi/find webclient/webclient.go:129
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU             Attempting GET web.teleport.domain.com:443/webapi/find webclient/webclient.go:129
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:301
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:301
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Connected to Auth Server through tunnel. pid:1085537.1 proxy-server:web.teleport.domain.com:443 service/connect.go:1135
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Connected client: Identity(Node, cert(9cb30b93-3fb2-4c37-ba8f-0f95632f7caf.web.teleport.domain.com issued by web.teleport.domain.com:319698206999730299659496633421984842195),trust root(web.teleport.domain.com:319698206999730299659496633421984842195)) pid:1085537.1 service/connect.go:204
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Connected to Auth Server through tunnel. pid:1085537.1 proxy-server:web.teleport.domain.com:443 service/connect.go:1135
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Connected client: Identity(Instance, cert(9cb30b93-3fb2-4c37-ba8f-0f95632f7caf.web.teleport.domain.com issued by web.teleport.domain.com:319698206999730299659496633421984842195),trust root(web.teleport.domain.com:319698206999730299659496633421984842195)) pid:1085537.1 service/connect.go:204
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z INFO [PROC:1]    Instance: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true 18:1 19:""  pid:1085537.1 service/connect.go:92
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Broadcasting event. event:InstanceIdentity pid:1085537.1 service/supervisor.go:383
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Service is completed and removed. pid:1085537.1 service:register.instance service/supervisor.go:252
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [INSTANCE:] Received event "InstanceIdentity". pid:1085537.1 service/service.go:528
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z INFO [INSTANCE:] Successfully registered instance client. pid:1085537.1 service/service.go:2137
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Broadcasting event. event:InstanceReady pid:1085537.1 service/supervisor.go:383
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Service is completed and removed. pid:1085537.1 service:instance.init service/supervisor.go:252
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z INFO [PROC:1]    Node: features loaded from auth server: Kubernetes:true App:true DB:true Desktop:true 18:1 19:""  pid:1085537.1 service/connect.go:92
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Broadcasting event. event:SSHIdentity pid:1085537.1 service/supervisor.go:383
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Service is completed and removed. pid:1085537.1 service:register.node service/supervisor.go:252
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [NODE:1]    Received event "SSHIdentity". pid:1085537.1 service/service.go:528
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [PROC:1]    Creating in-memory backend for [node]. pid:1085537.1 service/service.go:1888
Jul 26 13:27:11 loki teleport[1085537]: 2023-07-26T13:27:11Z DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:301
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [NODE:1:CA] Cache "node" first init succeeded. cache/cache.go:810
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [BPF]       Enhanced session recording is not enabled, skipping. bpf/bpf.go:129
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [RESTRICTE] Restricted session is not enabled, skipping. restrictedsession/restricted.go:95
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [NODE:1]    Starting watch. pid:1085537.1 resource-kind:lock services/watcher.go:210
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [SSH:NODE]  Supported ciphers: ["[email protected]" "[email protected]" "aes128-ctr" "aes192-ctr" "aes256-ctr"]. sshutils/server.go:256
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [SSH:NODE]  Supported KEX algorithms: ["curve25519-sha256" "[email protected]" "ecdh-sha2-nistp256" "ecdh-sha2-nistp384" "ecdh-sha2-nistp521" "diffie-hellman-group14-sha256"]. sshutils/server.go:266
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [SSH:NODE]  Supported MAC algorithms: ["[email protected]" "hmac-sha2-256"]. sshutils/server.go:276
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO             debug -> starting control-stream based heartbeat. regular/sshserver.go:817
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Starting agent pool 9cb30b93-3fb2-4c37-ba8f-0f95632f7caf.web.teleport.domain.com.web.teleport.domain.com... cluster:web.teleport.domain.com reversetunnel/agentpool.go:246
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [NODE:1]    Service is starting in tunnel mode. pid:1085537.1 service/service.go:2400
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Broadcasting event. event:NodeReady pid:1085537.1 service/supervisor.go:383
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Broadcasting mapped event. in:NodeReady out:EventMapping(in=[InstanceReady NodeReady], out=TeleportReady) pid:1085537.1 service/supervisor.go:408
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [PROC:1]    The new service has started successfully. Starting syncing rotation status with period 10m0s. pid:1085537.1 service/connect.go:687
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  starting upload completer service pid:1085537.1 service/service.go:2463
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [UPLOAD:1]  upload completer will use role Node pid:1085537.1 service/service.go:2470
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/streaming. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/streaming/default. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted/default. pid:1085537.1 service/service.go:2503
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Adding service to supervisor. pid:1085537.1 service:fileuploader.service service/supervisor.go:214
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Adding service to supervisor. pid:1085537.1 service:fileuploader.shutdown service/supervisor.go:214
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Adding service to supervisor. pid:1085537.1 service:fileuploadcompleter.service service/supervisor.go:214
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Adding service to supervisor. pid:1085537.1 service:fileuploadcompleter.shutdown service/supervisor.go:214
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Service is completed and removed. pid:1085537.1 service:common.upload service/supervisor.go:252
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Service has started. pid:1085537.1 service:fileuploadcompleter.shutdown service/supervisor.go:275
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Service has started. pid:1085537.1 service:fileuploader.service service/supervisor.go:275
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU             'teleport-service' group not found, not deleting users srv/usermgmt.go:305
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Service has started. pid:1085537.1 service:fileuploader.shutdown service/supervisor.go:275
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROC:1]    Service has started. pid:1085537.1 service:fileuploadcompleter.service service/supervisor.go:275
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [UPLOAD]    Scanned 1 uploads, started 1, found 0 corrupted in /var/lib/teleport/log/upload/streaming/default. filesessions/fileasync.go:270
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Runtime config: tunnel_strategy: agent_mesh connection_count: 1 cluster:web.teleport.domain.com reversetunnel/agentpool.go:323
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Starting agent {web.teleport.domain.com:443 tcp } leaseID:1 target:web.teleport.domain.com:443 cluster:web.teleport.domain.com reversetunnel/agent.go:293
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Changing state initial -> connecting. leaseID:1 target:web.teleport.domain.com:443 cluster:web.teleport.domain.com reversetunnel/agent.go:281
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:301
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [UPLOAD]    Session upload completed. duration:69.019674ms session-id:eb60b0ac-70c9-4e3e-97ac-06ecd00bafb8 filesessions/fileasync.go:436
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Changing state connecting -> connected. leaseID:1 target:web.teleport.domain.com:443 cluster:web.teleport.domain.com reversetunnel/agent.go:281
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Active agent count: 1 cluster:web.teleport.domain.com reversetunnel/agentpool.go:450
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Active agent count: 1 cluster:web.teleport.domain.com reversetunnel/agentpool.go:450
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Discovery request channel opened: teleport-discovery. leaseID:1 target:web.teleport.domain.com:443 cluster:web.teleport.domain.com reversetunnel/agent.go:601
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] handleDiscovery requests channel. leaseID:1 target:web.teleport.domain.com:443 cluster:web.teleport.domain.com reversetunnel/agent.go:624
Jul 26 13:27:12 loki teleport[1085537]: 2023-07-26T13:27:12Z DEBU [PROXY:AGE] Received discovery request: [11bf3c51-3547-4198-8cfb-56eee4546477] leaseID:1 target:web.teleport.domain.com:443 cluster:web.teleport.domain.com reversetunnel/agent.go:649
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [PROXY:AGE] Transport request: teleport-transport. leaseID:1 target:web.teleport.domain.com:443 cluster:web.teleport.domain.com reversetunnel/agent.go:570
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [PROXY:AGE] Received out-of-band proxy transport request for @local-node [9cb30b93-3fb2-4c37-ba8f-0f95632f7caf.web.teleport.domain.com]. cluster:web.teleport.domain.com reversetunnel/transport.go:199
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [PROXY:AGE] Handing off connection to a local "node" service. cluster:web.teleport.domain.com reversetunnel/transport.go:274
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      conn(public-ip:443->10.1.0.182:56424, user=username) auth attempt fingerprint:[email protected] SHA256:thghpxf5GuH+mDf3bDN1YsMKZ8KOsW31HKmC/dE4OEo local:10.1.0.182:56424 remote:public-ip:443 user:username srv/authhandlers.go:291
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      conn(public-ip:443->10.1.0.182:56424, user=username) auth attempt with key [email protected] SHA256:thghpxf5GuH+mDf3bDN1YsMKZ8KOsW31HKmC/dE4OEo, &ssh.Certificate{Nonce:[]uint8{0xde, 0x5, 0x5b, 0x68, 0xd8, 0x66, 0x55, 0x5e, 0xfc, 0xbc, 0x69, 0xe2, 0xbf, 0xce, 0x9f, 0xeb, 0x50, 0xe3, 0xf5, 0x40, 0x7e, 0x97, 0x91, 0xac, 0x90, 0x19, 0x41, 0x70, 0x9e, 0xe6, 0x48, 0x14}, Key:(*ssh.rsaPublicKey)(0xc0014f0920), Serial:0x0, CertType:0x1, KeyId:"admin", ValidPrincipals:[]string{"domain", "-teleport-internal-join"}, ValidAfter:0x64c11e7e, ValidBefore:0x64c1b17f, Permissions:ssh.Permissions{CriticalOptions:map[string]string{}, Extensions:map[string]string{"login-ip":"24.134.51.105", "permit-agent-forwarding":"", "permit-port-forwarding":"", "permit-pty":"", "private-key-policy":"none", "teleport-roles":"{\"version\":\"v1\",\"roles\":[\"access\",\"editor\"]}", "teleport-route-to-cluster":"web.teleport.domain.com", "teleport-traits":"{\"aws_role_arns\":null,\"azure_identities\":null,\"db_names\":null,\"db_users\":null,\"gcp_service_accounts\":null,\"kubernetes_groups\":null,\"kubernetes_users\":null,\"logins\":[\"domain\"],\"windows_logins\":null}"}}, Reserved:[]uint8{}, SignatureKey:(*ssh.rsaPublicKey)(0xc0014f0960), Signature:(*ssh.Signature)(0xc0014b4bc0)} fingerprint:[email protected] SHA256:thghpxf5GuH+mDf3bDN1YsMKZ8KOsW31HKmC/dE4OEo local:10.1.0.182:56424 remote:public-ip:443 user:username srv/authhandlers.go:294
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Successfully authenticated fingerprint:[email protected] SHA256:thghpxf5GuH+mDf3bDN1YsMKZ8KOsW31HKmC/dE4OEo local:10.1.0.182:56424 remote:public-ip:443 user:username srv/authhandlers.go:381
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Checking permissions for (admin,username) to login to node with RBAC checks. srv/authhandlers.go:546
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [RBAC]      Access to node "9cb30b93-3fb2-4c37-ba8f-0f95632f7caf" granted, allow rule in role "access" matched. services/role.go:2411
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SSH:NODE]  Incoming connection public-ip:443 -> 10.1.0.182:56424 version: SSH-2.0-Go, certtype: "user" sshutils/server.go:478
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [KEEPALIVE] Starting keep-alive loop with interval 5m0s and max count 3. srv/keepalive.go:64
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request env, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request env, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request env, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request env, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Will create new session for SSH connection public-ip:443. srv/ctx.go:558
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request env, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Will create new session for SSH connection public-ip:443. srv/ctx.go:558
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request env, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Will create new session for SSH connection public-ip:443. srv/ctx.go:558
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request [email protected], want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Starting agent server for Teleport user admin and socket /tmp/teleport-3249632757/teleport-1085537.socket. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1034
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Will create new session for SSH connection public-ip:443. srv/ctx.go:558
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request pty-req, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Requested terminal "xterm" of size {80 25} id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin srv/termhandlers.go:77
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Set permissions on /dev/pts/7 to 1000:5 with mode -rw-------. srv/term.go:417
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SESSION:N] Unable to update window size, no session found in context. srv/sess.go:342
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Will create new session for SSH connection public-ip:443. srv/ctx.go:558
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request shell, want reply true. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SESSION:N] Attempting to create session tracker session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1643
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SESSION:N] Using async streamer for session session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1227
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z INFO [NODE]      Creating (interactive) session 4e69f722-b7de-481d-b142-d1384605c41b. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin srv/sess.go:260
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SESSION:N] Tracking participant: 82dc27ac-1d60-40af-8ac3-1ed3c0b0f879 session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1437
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z INFO [AUDIT]     session.start addr.remote:public-ip:443 cluster_name:web.teleport.domain.com code:T2000I ei:0 event:session.start initial_command:[] login:username namespace:default proto:ssh server_hostname:loki server_id:9cb30b93-3fb2-4c37-ba8f-0f95632f7caf teleport.internal/resource-id:098db53e-777d-44f2-923d-7ff88bddf0bd session_recording:node sid:4e69f722-b7de-481d-b142-d1384605c41b size:80:25 time:2023-07-26T13:27:28.832Z uid:9ba8d681-0cc7-4427-a1bb-d13d5f2be547 user:admin events/emitter.go:265
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z INFO [SESSION:N] New party ServerContext(public-ip:443->10.1.0.182:56424, user=username, id=1) party(id=82dc27ac-1d60-40af-8ac3-1ed3c0b0f879) joined session session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1458
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SESSION:N] Launching session session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:880
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SESSION:N] Waiting for continue signal session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:996
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [SESSION:N] Got continue signal session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1001
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Will join session 4e69f722-b7de-481d-b142-d1384605c41b for SSH connection public-ip:443. srv/ctx.go:556
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU [NODE]      Handling request window-change, want reply false. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1517
Jul 26 13:27:28 loki teleport[1085537]: 2023-07-26T13:27:28Z DEBU             Will join session 4e69f722-b7de-481d-b142-d1384605c41b for SSH connection public-ip:443. srv/ctx.go:556
Jul 26 13:27:33 loki teleport[1087160]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=username
Jul 26 13:27:36 loki teleport[1087160]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=username
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU [NODE]      Exec request ("/proc/self/exe") complete: 255 id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin regular/sshserver.go:1497
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z INFO [SESSION:N] Closing party 82dc27ac-1d60-40af-8ac3-1ed3c0b0f879 srv/sess.go:1603
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z INFO [SESSION:N] Removing party ServerContext(public-ip:443->10.1.0.182:56424, user=username, id=1) party(id=82dc27ac-1d60-40af-8ac3-1ed3c0b0f879) from session session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1263
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU [SESSION:N] No longer tracking participant: 82dc27ac-1d60-40af-8ac3-1ed3c0b0f879 session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1271
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU [NODE]      Releasing associated resources - context has been closed. id:1 local:10.1.0.182:56424 login:username remote:public-ip:443 teleportUser:admin srv/monitor.go:266
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU [SESSION:N] Copying from Party 82dc27ac-1d60-40af-8ac3-1ed3c0b0f879 to session writer completed with error <nil>. session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1467
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU [SSH:NODE]  Closed connection public-ip:443. sshutils/server.go:483
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU             AgentServer(/tmp/teleport-3249632757/teleport-1085537.socket) is closing teleagent/agent.go:222
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU [SESSION:N] Session has no active party members. session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1335
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z INFO [AUDIT]     session.data addr.remote:public-ip:443 code:T2006I ei:2.147483646e+09 event:session.data login:username namespace:default rx:4794 server_id:9cb30b93-3fb2-4c37-ba8f-0f95632f7caf sid:4e69f722-b7de-481d-b142-d1384605c41b time:2023-07-26T13:27:36.189Z tx:5760 uid:0443bc3d-b2cc-4e30-bdcc-52bc58190007 user:admin events/emitter.go:265
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z INFO [AUDIT]     session.leave cluster_name:web.teleport.domain.com code:T2003I ei:4 event:session.leave login:username namespace:default server_hostname:loki server_id:9cb30b93-3fb2-4c37-ba8f-0f95632f7caf teleport.internal/resource-id:098db53e-777d-44f2-923d-7ff88bddf0bd sid:4e69f722-b7de-481d-b142-d1384605c41b time:2023-07-26T13:27:36.189Z uid:e71f563a-a7f0-4e26-b468-a19db605da5e user:admin events/emitter.go:265
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z ERRO [SESSION:N] Timed out waiting for PTY copy to finish, session data  may be missing. session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:1023
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z INFO [SESSION:N] Stopping session session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:627
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z DEBU [TERM:LOCA] Closing TTY srv/term.go:272
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z DEBU [TERM:LOCA] Closed TTY srv/term.go:290
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z INFO [AUDIT]     session.end addr.remote:public-ip:443 cluster_name:web.teleport.domain.com code:T2004I ei:5 enhanced_recording:false event:session.end interactive:true login:username namespace:default participants:[admin] proto:ssh server_hostname:loki server_id:9cb30b93-3fb2-4c37-ba8f-0f95632f7caf teleport.internal/resource-id:098db53e-777d-44f2-923d-7ff88bddf0bd session_recording:node session_start:2023-07-26T13:27:28.805346633Z session_stop:2023-07-26T13:27:41.163832167Z sid:4e69f722-b7de-481d-b142-d1384605c41b time:2023-07-26T13:27:41.164Z uid:9f69062f-9555-4f7f-8001-77ddfa834a14 user:admin events/emitter.go:265
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z DEBU [SESSION:N] Copying from PTY to writer completed with error read /dev/ptmx: input/output error. session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:926
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z DEBU [SESSION:N] Copying from reader to PTY completed with error <nil>. session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:934
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z DEBU [TERM:LOCA] Closed PTY srv/term.go:310
Jul 26 13:27:41 loki teleport[1085537]: 2023-07-26T13:27:41Z INFO [SESSION:N] Closing session session_id:4e69f722-b7de-481d-b142-d1384605c41b srv/sess.go:656
Jul 26 13:27:42 loki teleport[1085537]: 2023-07-26T13:27:42Z DEBU [UPLOAD]    Scanned 1 uploads, started 1, found 0 corrupted in /var/lib/teleport/log/upload/streaming/default. filesessions/fileasync.go:270
Jul 26 13:27:42 loki teleport[1085537]: 2023-07-26T13:27:42Z DEBU [UPLOAD]    Session upload completed. duration:44.298757ms session-id:4e69f722-b7de-481d-b142-d1384605c41b filesessions/fileasync.go:436

@badsmoke badsmoke added the bug label Jul 26, 2023
@zmb3 zmb3 added the PAM Label related to Pluggable Authentication Module (PAM) Submethod. label Jul 26, 2023
@webvictim
Contributor

I'm confused as to what you expect to happen by enabling the use of the PAM auth stack - could you explain what your desired outcome is, and what happens if you connect to the same node using sshd?

@badsmoke
Author

I am trying to force a password entry (yes, I know the cool feature of Teleport is not needing passwords),

but in our particular case, entering the password of the local user is important.

@webvictim
Contributor

How is your PAM stack configured?

My guess is that it's returning some kind of error when Teleport tries to call it - you should turn your Teleport log level up to DEBUG and look at the process logs. It's also probably worth checking /var/log/messages or /var/log/auth.log to look for PAM errors.
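
Added example (not part of the thread and not Teleport code): a Python script for the log check suggested above. It pairs PAM `authentication failure` lines with the Teleport `Exec request ... complete` line that exited non-zero for the same login. The sample lines are constructed from the journal output quoted in this issue; the 30-second window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines from the issue's journal output, shortened, plus one
# made-up successful exec so the filter has something to skip.
SAMPLE = """\
Jul 26 13:27:33 loki teleport[1087160]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=username
Jul 26 13:27:36 loki teleport[1087160]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=username
Jul 26 13:27:36 loki teleport[1085537]: 2023-07-26T13:27:36Z DEBU [NODE]      Exec request ("/proc/self/exe") complete: 255 id:1 login:username teleportUser:admin regular/sshserver.go:1497
Jul 26 13:40:02 loki teleport[1085537]: 2023-07-26T13:40:02Z DEBU [NODE]      Exec request ("/proc/self/exe") complete: 0 id:2 login:username teleportUser:admin regular/sshserver.go:1497
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host tag[pid]: message" (pid is optional).
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
# Either the first failure ("pam_unix(service:auth): ...") or the summary line
# ("PAM N more authentication failure(s); ...").
PAM_FAIL = re.compile(
    r"^(?:(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): authentication failure"
    r"|PAM (?P<more>\d+) more authentication failures?);(?P<rest>.*)$"
)
KV = re.compile(r"(\w+)=(\S*)")
EXEC_DONE = re.compile(r"Exec request \(.*?\) complete: (?P<status>\d+)")


def parse_line(line, year):
    """Split a syslog line into (timestamp, pid or None, message)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["pid"], m["msg"]


def parse_pam_failure(msg):
    """Return the fields of a PAM authentication-failure message, or None."""
    m = PAM_FAIL.match(msg)
    if not m:
        return None
    fields = dict(KV.findall(m["rest"]))
    return {
        "module": m["module"],
        "service": m["service"],
        "count": int(m["more"] or 1),
        "user": fields.get("user", ""),
        "tty": fields.get("tty", ""),
    }


def correlate(lines, year, window=timedelta(seconds=30)):
    """Report non-zero exec completions preceded by PAM failures for the same login."""
    pam_events, findings = [], []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        when, pid, msg = parsed
        failure = parse_pam_failure(msg)
        if failure:
            pam_events.append((when, pid, failure))
            continue
        done = EXEC_DONE.search(msg)
        if not done or done["status"] == "0":
            continue
        login = re.search(r"\blogin:(\S+)", msg)
        teleport_user = re.search(r"\bteleportUser:(\S+)", msg)
        if not login:
            continue
        related = [
            (p, f) for t, p, f in pam_events
            if f["user"] == login[1] and timedelta(0) <= when - t <= window
        ]
        if related:
            findings.append({
                "time": when,
                "teleport_user": teleport_user[1] if teleport_user else None,
                "login": login[1],
                "exit_status": int(done["status"]),
                "pam_failures": sum(f["count"] for _, f in related),
                "pam_services": sorted({f["service"] for _, f in related if f["service"]}),
                "pam_pids": sorted({p for p, _ in related if p}),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE.splitlines(), year=2023):
        print(finding)
```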

@badsmoke
Author

It's the DEBUG level from Teleport.

auth.log contains only:
`Jul 26 18:28:47 loki teleport: pam_unix(teleport:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=username`

My PAM is currently simply an sshd-pam copy.

@programmerq
Contributor

I experimented with the PAM auth stuff, and Teleport doesn't appear to properly support PAM interactive challenges. Teleport seems to hook up stdin directly to the PAM challenge, and does not quite pass the input correctly. I tried with pam_unix.so (password auth) and a PAM auth module that requires the user to input an OTP code. In both cases, the module would fail.

Other auth modules that do not require interactive messages did work correctly when teleport's PAM auth was enabled. For example, I was able to individually get the following to work because they don't require any user interaction:

auth required pam_listfile.so item=user sense=allow file=/etc/teleport-allow # requires the user to be listed in the file
auth required pam_ssh_agent_auth.so file=~/.ssh/authorized_keys,debug # requires ssh agent forwarding with a trusted key

I am curious why you need a user password in addition to teleport credentials. It doesn't sound like a typical use case. Extra background info on why you have this requirement might help find an alternate approach to satisfy the requirement. Is there a specific audit requirement you are trying to satisfy?
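
Added example (not part of the thread and not Teleport code): a Python check that walks the `auth` entries of a PAM service file, following `@include` and `include`/`substack`, and flags modules that prompt the user, which is the case reported above as failing under `use_pam_auth`. The classification of `pam_unix.so`, `pam_listfile.so` and `pam_ssh_agent_auth.so` comes from the comment above; `pam_deny.so` and `pam_permit.so` are added here as modules that never prompt. The file contents are constructed and all function names are assumptions.

```python
import re

# From the thread: pam_unix.so prompts for a password and failed, while
# pam_listfile.so and pam_ssh_agent_auth.so need no user input and worked.
PROMPTS = {"pam_unix.so"}
NO_PROMPT = {"pam_listfile.so", "pam_ssh_agent_auth.so",
             "pam_deny.so", "pam_permit.so"}  # last two added here: they never prompt

# One PAM rule: "type control module-path [args]"; control may be "[k=v ...]".
RULE = re.compile(r"""
    ^-?(?P<type>auth|account|password|session)\s+
    (?P<control>\[[^\]]*\]|\S+)\s+
    (?P<module>\S+)
    (?:\s+(?P<args>.*))?$""", re.VERBOSE)

# Constructed sample: a service file copied from sshd (Debian style) and the
# common-auth file it includes. common-session is deliberately not supplied.
FILES = {
    "teleport": (
        "# copy of the sshd service file\n"
        "@include common-auth\n"
        "auth required pam_listfile.so item=user sense=allow file=/etc/teleport-allow\n"
        "account required pam_nologin.so\n"
        "@include common-session\n"
    ),
    "common-auth": (
        "auth [success=1 default=ignore] pam_unix.so nullok\n"
        "auth requisite pam_deny.so\n"
        "auth required pam_permit.so\n"
    ),
}


def auth_modules(service, files, seen=None):
    """Yield (file, control, module, args) for each auth rule reachable from service.

    A file that is referenced but not supplied is yielded with module None.
    """
    seen = set() if seen is None else seen
    if service in seen:
        return  # include cycle or repeated include
    seen.add(service)
    if service not in files:
        yield (service, "", None, [])
        return
    text = files[service].replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) > 1:
                yield from auth_modules(parts[1], files, seen)
            continue
        m = RULE.match(line)
        if not m or m.group("type") != "auth":
            continue
        if m.group("control") in ("include", "substack"):
            yield from auth_modules(m.group("module"), files, seen)
            continue
        module = m.group("module").rsplit("/", 1)[-1]  # drop an absolute path
        yield (service, m.group("control"), module, (m.group("args") or "").split())


def audit(service, files):
    """Classify every auth module in the stack by whether it prompts the user."""
    report = []
    for origin, control, module, args in auth_modules(service, files):
        if module is None:
            verdict = "unresolved include"
        elif module in PROMPTS:
            verdict = "prompts"
        elif module in NO_PROMPT:
            verdict = "no prompt"
        else:
            verdict = "unknown"  # check the module's documentation by hand
        report.append({"file": origin, "control": control, "module": module,
                       "args": args, "verdict": verdict})
    return report


def needs_conversation(report):
    """True if any auth module in the report is known to prompt the user."""
    return any(entry["verdict"] == "prompts" for entry in report)


if __name__ == "__main__":
    for entry in audit("teleport", FILES):
        print(f'{entry["verdict"]:<18} {entry["file"]:<14} {entry["module"]}')
```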

@badsmoke
Author

Thank you for testing it.

In our particular case, we supply our hardware (our PC) and the customer runs the Teleport server (which is connected to ours).
The customer should only have access to the applications (the web interface), while we still need to have access via SSH in case of support. The customer should not have the possibility to access the console, but we have to.

@zmb3 zmb3 changed the title use_pam_auth doesn't work use_pam_auth doesn't work with interactive password input Aug 2, 2023
@programmerq
Contributor

Fixed by #49487
