Hello and thanks for having me.

I have been working on this problem for the last 2 week and not getting anywhere.

Current I have a bunch of centos/redhat vm that I have built that are Domain join. Allowed users can long in but required to log in with their FQDN (username@domain.local). This is fine and all up until now. Due to some policy change I will need to setup 2 factor using radius. The radius server is all set and 2 factor is all set. The problem I am having is that it has issue with the FQDN. I need to somehow convert fqdn login to using username without the @domain.local. Any suggestion will be helpful.

I am thinking I am missing something in either the sssd.config or/and nsswitch.conf


Thanks

Welcome to LQ!

It's possible to work without specifying the username, and getting a username prompt from the remote computer, but I can't think of a way to ssh to some other server without specifying the name of the remote computer...how else will the ssh client know where to connect?

you can define hosts aliases in ~/.ssh/config:

Cool. Did not know that (but I prefer to have to enter the userid after the prompt...that's just me) I typically only use ~/.ssh/config to define the remote server's non-standard ssh port so I don't have to remember to type it all the time. Good to learn there's more to it...

So, to do what the OP is asking, the "Host yourshortcuthere" would be the userid? (using the OPs example values...)
BUT there could only be one entry in each users' ~/.ssh/config where the Host shortcut was == to the username. Correct?
I suppose one could make the shortcuts username1, username2, etc.
[Assumption that since there is "a bunch of" of VMs, there may be several remote hosts for each user]

Then would know the server (and port,etc) Very cool.

sorry, i realise now that my explanation fell a little short.

yes, for each unique "yourshortcuthere" defined, i can then use ssh like this:instead of typing out the whole thing with port numbers, usernames etc.
it may not be an exact solution to op's problem.

I like that idea but I dont think it going to work for the 2 factor. The reason why I cannot use the full fqdn is because radius only work with username/sAMACCOUNT. As of right now there are maybe 5 users that this need to work for. Going forward it may increase and not limited to just linux box (centos, redhat, bsd). It has to work on our cisco network equipment and hypervisor. Not a fun task but I have until January to get this completed.

Isnt there something or somewhat using SSsD.conf or nsswitch.conf to allow both form or tell it accept and search ad?

ssh does not require the "USER@HOST" syntax, it is only the most convenient usage. There is also the usage which may or may not have the result you are seeking. It is a bit confusing to me how radius is getting the "USER@HOST" string or what requires this syntax.

I would dive into the man pages and documentation, check logs, run some tests, and see if I can tell what is really going on here.

The Radius part works but the linux box denies because the users is invalid. It only can find the user based on the @domain.local were as radus is the opposite. I cannot change the radius side of thing but I can with the linux box.

I checked with centos forum but nothing so far on their end either. I should open a ticket with redhat to see if they have any suggestion.

I once saw a historic Unix OS from ~1974, and the entire internet was in /etc/hosts, which was 200kb, and dns didn't exist then. These days dns looks after the internet, but you still have name --> fqdn functionality in /etc/hosts Just copy an existing line with info in the same order, i.e.
<IPV4-address> <FQDN> <alias>

1 members found this post helpful.

Got to love how that all work. I finally figured out... I overlooked the simplest thing.

All I had to do was this in sssd.conf
Originally it was this:
Thanks to all you guys for your suggestion... Where the solve button?

yes, this question comes up a lot.
maybe a picture can help.