Old 10-16-2017, 09:56 AM   #1
XenCsam
LQ Newbie
 
Registered: Oct 2017
Location: Internet
Distribution: CentOS, Linux Mint
Posts: 4

SSH/Console login requires full FQDN only, want to change it to username or sAMAccountName


Hello and thanks for having me.

I have been working on this problem for the last 2 weeks and not getting anywhere.

Currently I have a bunch of CentOS/Red Hat VMs that I have built that are domain joined. Allowed users can log in but are required to log in with their FQDN (username@domain.local). This is fine and all up until now. Due to some policy change I will need to set up 2-factor using RADIUS. The RADIUS server is all set and 2-factor is all set. The problem I am having is that it has issues with the FQDN. I need to somehow convert FQDN login to using username without the @domain.local. Any suggestions will be helpful.

I am thinking I am missing something in either the sssd.conf or/and nsswitch.conf


Thanks
 
Old 10-16-2017, 12:21 PM   #2
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,267

Quote:
Originally Posted by XenCsam View Post
Hello and thanks for having me.

I have been working on this problem for the last 2 weeks and not getting anywhere.

Currently I have a bunch of CentOS/Red Hat VMs that I have built that are domain joined. Allowed users can log in but are required to log in with their FQDN (username@domain.local). This is fine and all up until now. Due to some policy change I will need to set up 2-factor using RADIUS. The RADIUS server is all set and 2-factor is all set. The problem I am having is that it has issues with the FQDN. I need to somehow convert FQDN login to using username without the @domain.local. Any suggestions will be helpful.

I am thinking I am missing something in either the sssd.conf or/and nsswitch.conf


Thanks
Welcome to LQ!

It's possible to work without specifying the username,
Code:
ssh somedomain.com
 or 
ssh someIP_address
and getting a username prompt from the remote computer, but I can't think of a way to ssh to some other server without specifying the name of the remote computer...how else will the ssh client know where to connect?

Last edited by scasey; 10-16-2017 at 12:22 PM.
 
Old 10-16-2017, 02:53 PM   #3
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 13,229
Blog Entries: 9

you can define host aliases in ~/.ssh/config:
Code:
Host yourshortcuthere
  HostName xx.xx.x.xxx
  Port nnnnn
  User username
  ControlMaster options...
  ControlPersist options...
  Compression yes
  AddressFamily inet
  IdentitiesOnly yes
  IdentityFile /path/to/...
 
Old 10-16-2017, 07:39 PM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.7.1908
Posts: 4,267

Quote:
Originally Posted by ondoho View Post
you can define host aliases in ~/.ssh/config:
Code:
Host yourshortcuthere
  HostName xx.xx.x.xxx
  Port nnnnn
  User username
  ControlMaster options...
  ControlPersist options...
  Compression yes
  AddressFamily inet
  IdentitiesOnly yes
  IdentityFile /path/to/...
Cool. Did not know that (but I prefer to have to enter the userid after the prompt...that's just me). I typically only use ~/.ssh/config to define the remote server's non-standard ssh port so I don't have to remember to type it all the time. Good to learn there's more to it...

So, to do what the OP is asking, the "Host yourshortcuthere" would be the userid? (using the OP's example values...)
Code:
Host username
  # domain.local, or the IP address
  HostName domain.local
  Port nnnnn
  User username
  ...
BUT there could only be one entry in each user's ~/.ssh/config where the Host shortcut was == to the username. Correct?
I suppose one could make the shortcuts username1, username2, etc.
[Assumption that since there is "a bunch of" VMs, there may be several remote hosts for each user]

Then
Code:
ssh username
would know the server (and port, etc.). Very cool.
 
Old 10-17-2017, 02:37 AM   #5
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 13,229
Blog Entries: 9

sorry, i realise now that my explanation fell a little short.

yes, for each unique "yourshortcuthere" defined, i can then use ssh like this:
Code:
ssh yourshortcuthere
instead of typing out the whole thing with port numbers, usernames etc.
it may not be an exact solution to op's problem.
 
Old 10-17-2017, 09:13 AM   #6
XenCsam
LQ Newbie
 
Registered: Oct 2017
Location: Internet
Distribution: CentOS, Linux Mint
Posts: 4

Original Poster
Quote:
Originally Posted by ondoho View Post
sorry, i realise now that my explanation fell a little short.

yes, for each unique "yourshortcuthere" defined, i can then use ssh like this:
Code:
ssh yourshortcuthere
instead of typing out the whole thing with port numbers, usernames etc.
it may not be an exact solution to op's problem.
I like that idea but I don't think it's going to work for the 2-factor. The reason why I cannot use the full FQDN is because RADIUS only works with username/sAMACCOUNT. As of right now there are maybe 5 users that this needs to work for. Going forward it may increase and is not limited to just Linux boxes (CentOS, Red Hat, BSD). It has to work on our Cisco network equipment and hypervisor. Not a fun task but I have until January to get this completed.

Isn't there something or somehow using sssd.conf or nsswitch.conf to allow both forms or tell it to accept and search AD?
 
Old 10-17-2017, 09:29 AM   #7
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,160

ssh does not require the "USER@HOST" syntax, it is only the most convenient usage. There is also the usage
Code:
ssh -l USER hostname
which may or may not have the result you are seeking. It is a bit confusing to me how radius is getting the "USER@HOST" string or what requires this syntax.

I would dive into the man pages and documentation, check logs, run some tests, and see if I can tell what is really going on here.
 
Old 10-17-2017, 11:01 AM   #8
XenCsam
LQ Newbie
 
Registered: Oct 2017
Location: Internet
Distribution: CentOS, Linux Mint
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by wpeckham View Post
ssh does not require the "USER@HOST" syntax, it is only the most convenient usage. There is also the usage
Code:
ssh -l USER hostname
which may or may not have the result you are seeking. It is a bit confusing to me how radius is getting the "USER@HOST" string or what requires this syntax.

I would dive into the man pages and documentation, check logs, run some tests, and see if I can tell what is really going on here.
The RADIUS part works but the Linux box denies because the user is invalid. It can only find the user based on the @domain.local whereas RADIUS is the opposite. I cannot change the RADIUS side of things but I can with the Linux box.

I checked with the CentOS forum but nothing so far on their end either. I should open a ticket with Red Hat to see if they have any suggestions.
 
Old 10-17-2017, 11:38 AM   #9
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,893

I once saw a historic Unix OS from ~1974, and the entire internet was in /etc/hosts, which was 200kb, and DNS didn't exist then. These days DNS looks after the internet, but you still have name --> FQDN functionality in /etc/hosts. Just copy an existing line with info in the same order, i.e.
<IPV4-address> <FQDN> <alias>
 
1 members found this post helpful.
Old 10-17-2017, 04:42 PM   #10
XenCsam
LQ Newbie
 
Registered: Oct 2017
Location: Internet
Distribution: CentOS, Linux Mint
Posts: 4

Original Poster
Quote:
Originally Posted by business_kid View Post
I once saw a historic Unix OS from ~1974, and the entire internet was in /etc/hosts, which was 200kb, and DNS didn't exist then. These days DNS looks after the internet, but you still have name --> FQDN functionality in /etc/hosts. Just copy an existing line with info in the same order, i.e.
<IPV4-address> <FQDN> <alias>
Got to love how that all works. I finally figured it out... I overlooked the simplest thing.

All I had to do was this in sssd.conf
Code:
use_fully_qualified_names = False
fallback_homedir = /home/%u
Originally it was this:
Code:
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
Thanks to all you guys for your suggestions... Where's the solve button?
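
Added example (not part of the original thread or any poster's code): a small Python check that reads an sssd.conf and reports, per enabled domain, whether short names are accepted and whether fallback_homedir still embeds the domain, as in the before/after settings posted above. The second domain lab.local and the function name audit_sssd are assumptions made for illustration.

```python
import configparser

# Constructed sample: an sssd.conf after the change described in the thread,
# plus a hypothetical second domain to show the name-collision check.
SAMPLE_SSSD_CONF = """
[sssd]
domains = domain.local, lab.local
services = nss, pam

[domain/domain.local]
id_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u

[domain/lab.local]
id_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
"""

def audit_sssd(conf_text):
    """Return (per-domain settings, warnings) for short-name login config."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u / %d literal
    cp.read_string(conf_text)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    report, warnings = {}, []
    for name in enabled:
        section = "domain/" + name
        if not cp.has_section(section):
            warnings.append(f"{name}: listed in [sssd] domains but has no section")
            continue
        # sssd.conf(5) documents FALSE as the default for this option.
        fq = cp.getboolean(section, "use_fully_qualified_names", fallback=False)
        home = cp.get(section, "fallback_homedir", fallback=None)
        report[name] = {"fq_required": fq, "fallback_homedir": home}
        if not fq and home and ("%d" in home or "%f" in home):
            warnings.append(f"{name}: short names enabled but fallback_homedir "
                            f"{home!r} still embeds the domain")
    short = [n for n in enabled if n in report and not report[n]["fq_required"]]
    if len(short) > 1:
        warnings.append("short names accepted by several domains ("
                        + ", ".join(short) + "); the first one listed answers")
    return report, warnings

if __name__ == "__main__":
    rep, warns = audit_sssd(SAMPLE_SSSD_CONF)
    for line in warns:
        print("WARN:", line)
```

Changing fallback_homedir changes the path SSSD reports for users without a home directory attribute, so directories already created under the old /home/%u@%d template are not moved.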
 
Old 10-18-2017, 02:19 AM   #11
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 13,229
Blog Entries: 9

Quote:
Originally Posted by XenCsam View Post
Where's the solve button?
yes, this question comes up a lot.
maybe a picture can help.
 
  

