LinuxQuestions.org

Linux - Newbie forum thread: SSH/Console login require full FQDN only, Want to change it to username or sAMACCOUNTNAME (https://www.linuxquestions.org/questions/linux-newbie-8/ssh-console-login-require-full-fqdn-only-want-to-change-it-to-username-or-samaccountname-4175615755/)

XenCsam 10-16-2017 09:56 AM

SSH/Console login require full FQDN only, Want to change it to username or sAMACCOUNTNAME
 
Hello and thanks for having me.

I have been working on this problem for the last 2 weeks and not getting anywhere.

Currently I have a bunch of CentOS/Red Hat VMs that I have built that are domain joined. Allowed users can log in but are required to log in with their FQDN (username@domain.local). This is fine and all up until now. Due to some policy change I will need to set up 2 factor using RADIUS. The RADIUS server is all set and 2 factor is all set. The problem I am having is that it has issues with the FQDN. I need to somehow convert FQDN login to using username without the @domain.local. Any suggestions will be helpful.

I am thinking I am missing something in either sssd.conf and/or nsswitch.conf


Thanks

scasey 10-16-2017 12:21 PM

Quote:

Originally Posted by XenCsam (Post 5770526)
Hello and thanks for having me.

I have been working on this problem for the last 2 weeks and not getting anywhere.

Currently I have a bunch of CentOS/Red Hat VMs that I have built that are domain joined. Allowed users can log in but are required to log in with their FQDN (username@domain.local). This is fine and all up until now. Due to some policy change I will need to set up 2 factor using RADIUS. The RADIUS server is all set and 2 factor is all set. The problem I am having is that it has issues with the FQDN. I need to somehow convert FQDN login to using username without the @domain.local. Any suggestions will be helpful.

I am thinking I am missing something in either sssd.conf and/or nsswitch.conf


Thanks

Welcome to LQ!

It's possible to work without specifying the username,
Code:

ssh somedomain.com
 or
ssh someIP_address

and getting a username prompt from the remote computer, but I can't think of a way to ssh to some other server without specifying the name of the remote computer... how else will the ssh client know where to connect?

ondoho 10-16-2017 02:53 PM

you can define host aliases in ~/.ssh/config:
Code:

Host yourshortcuthere
  HostName xx.xx.x.xxx
  Port nnnnn
  User username
  ControlMaster options...
  ControlPersist options...
  Compression yes
  AddressFamily inet
  IdentitiesOnly yes
  IdentityFile /path/to/...


scasey 10-16-2017 07:39 PM

Quote:

Originally Posted by ondoho (Post 5770612)
you can define host aliases in ~/.ssh/config:
Code:

Host yourshortcuthere
  HostName xx.xx.x.xxx
  Port nnnnn
  User username
  ControlMaster options...
  ControlPersist options...
  Compression yes
  AddressFamily inet
  IdentitiesOnly yes
  IdentityFile /path/to/...


Cool. Did not know that (but I prefer to have to enter the userid after the prompt... that's just me). I typically only use ~/.ssh/config to define the remote server's non-standard ssh port so I don't have to remember to type it all the time. Good to learn there's more to it...

So, to do what the OP is asking, the "Host yourshortcuthere" would be the userid? (using the OP's example values...)
Code:

Host username
  HostName domain.local   # or the IP address
  Port nnnnn
  User username
  ...

BUT there could only be one entry in each user's ~/.ssh/config where the Host shortcut was == to the username. Correct?
I suppose one could make the shortcuts username1, username2, etc.
[Assumption that since there is "a bunch of" VMs, there may be several remote hosts for each user]

Then
Code:

ssh username
would know the server (and port, etc.). Very cool.

ondoho 10-17-2017 02:37 AM

sorry, i realise now that my explanation fell a little short.

yes, for each unique "yourshortcuthere" defined, i can then use ssh like this:
Code:

ssh yourshortcuthere
instead of typing out the whole thing with port numbers, usernames etc.
it may not be an exact solution to the OP's problem.

XenCsam 10-17-2017 09:13 AM

Quote:

Originally Posted by ondoho (Post 5770744)
sorry, i realise now that my explanation fell a little short.

yes, for each unique "yourshortcuthere" defined, i can then use ssh like this:
Code:

ssh yourshortcuthere
instead of typing out the whole thing with port numbers, usernames etc.
it may not be an exact solution to the OP's problem.

I like that idea but I don't think it is going to work for the 2 factor. The reason why I cannot use the full FQDN is because RADIUS only works with username/sAMAccountName. As of right now there are maybe 5 users that this needs to work for. Going forward it may increase and not be limited to just Linux boxes (CentOS, Red Hat, BSD). It has to work on our Cisco network equipment and hypervisor. Not a fun task but I have until January to get this completed.

Isn't there something in sssd.conf or nsswitch.conf to allow both forms, or to tell it to accept and search AD?

wpeckham 10-17-2017 09:29 AM

ssh does not require the "USER@HOST" syntax; it is only the most convenient usage. There is also the usage
Code:

ssh -l USER hostname
which may or may not have the result you are seeking. It is a bit confusing to me how radius is getting the "USER@HOST" string or what requires this syntax.

I would dive into the man pages and documentation, check logs, run some tests, and see if I can tell what is really going on here.

XenCsam 10-17-2017 11:01 AM

Quote:

Originally Posted by wpeckham (Post 5770882)
ssh does not require the "USER@HOST" syntax; it is only the most convenient usage. There is also the usage
Code:

ssh -l USER hostname
which may or may not have the result you are seeking. It is a bit confusing to me how radius is getting the "USER@HOST" string or what requires this syntax.

I would dive into the man pages and documentation, check logs, run some tests, and see if I can tell what is really going on here.

The RADIUS part works but the Linux box denies because the user is invalid. It can only find the user based on the @domain.local, whereas RADIUS is the opposite. I cannot change the RADIUS side of things but I can with the Linux box.

I checked with the CentOS forum but nothing so far on their end either. I should open a ticket with Red Hat to see if they have any suggestions.

business_kid 10-17-2017 11:38 AM

I once saw a historic Unix OS from ~1974, and the entire internet was in /etc/hosts, which was 200kb, and DNS didn't exist then. These days DNS looks after the internet, but you still have name --> FQDN functionality in /etc/hosts. Just copy an existing line with info in the same order, i.e.
<IPV4-address> <FQDN> <alias>

XenCsam 10-17-2017 04:42 PM

Quote:

Originally Posted by business_kid (Post 5770939)
I once saw a historic Unix OS from ~1974, and the entire internet was in /etc/hosts, which was 200kb, and DNS didn't exist then. These days DNS looks after the internet, but you still have name --> FQDN functionality in /etc/hosts. Just copy an existing line with info in the same order, i.e.
<IPV4-address> <FQDN> <alias>

Got to love how that all works. I finally figured it out... I overlooked the simplest thing.

All I had to do was this in sssd.conf
Code:

use_fully_qualified_names = False
fallback_homedir = /home/%u

Originally it was this:
Code:

use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

Thanks to all you guys for your suggestions... Where's the solve button?
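A config-linting example added here (it is not code from the thread or from SSSD itself): it parses the two sssd.conf variants shown above and reports, per domain, whether a bare sAMAccountName login will resolve. The surrounding [sssd] and [domain/...] section layout, the id_provider line and the ambiguity warning for several short-name domains are my assumptions.

```python
import configparser
import io

# Constructed sssd.conf fragments: the FQDN-only original and the corrected
# domain section from the post above (section layout is assumed).
SSSD_CONF_BEFORE = """
[sssd]
domains = domain.local
services = nss, pam

[domain/domain.local]
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
"""
SSSD_CONF_AFTER = SSSD_CONF_BEFORE.replace(
    "use_fully_qualified_names = True", "use_fully_qualified_names = False"
).replace("fallback_homedir = /home/%u@%d", "fallback_homedir = /home/%u")


def check_short_name_login(conf_text):
    """Return {domain: [findings]} for each domain listed in [sssd] domains.

    Bare 'username' logins (all a RADIUS server that only knows the
    sAMAccountName can send) resolve only when use_fully_qualified_names
    is False. A fallback_homedir that still embeds %d is flagged, and so
    is enabling short names in more than one domain, because two domains
    can then claim the same bare name and the first one listed wins.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep %u/%d literal
    cp.read_file(io.StringIO(conf_text))
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    report, short_name_domains = {}, []
    for name in domains:
        section, findings = "domain/" + name, []
        if not cp.has_section(section):
            report[name] = ["listed in [sssd] domains but [%s] is missing" % section]
            continue
        fqn = cp.getboolean(section, "use_fully_qualified_names", fallback=False)
        homedir = cp.get(section, "fallback_homedir", fallback="")
        if fqn:
            findings.append("use_fully_qualified_names = True: only user@%s resolves" % name)
        else:
            short_name_domains.append(name)
            if "%d" in homedir:
                findings.append("fallback_homedir %s embeds %%d while logins are short" % homedir)
        report[name] = findings
    if len(short_name_domains) > 1:
        for name in short_name_domains:
            report[name].append("short names enabled in %d domains: bare logins are ambiguous"
                                % len(short_name_domains))
    return report
```

After changing sssd.conf on a real box, restart sssd and confirm with `getent passwd username` that the short name resolves to the same UID as the FQDN form and is not shadowed by a local account.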

ondoho 10-18-2017 02:19 AM

Quote:

Originally Posted by XenCsam (Post 5771056)
Where's the solve button?

yes, this question comes up a lot.
maybe a picture can help.

