[SOLVED] SSH/Console login require full FQDN only, Want to change it to username or sAMACCOUNTNAME
Hello and thanks for having me.
I have been working on this problem for the last 2 weeks and not getting anywhere.
Currently I have a bunch of CentOS/Red Hat VMs that I have built that are domain-joined. Allowed users can log in but are required to log in with their FQDN (username@domain.local). This was fine up until now. Due to a policy change I will need to set up 2-factor using RADIUS. The RADIUS server is all set and 2-factor is all set. The problem I am having is that it has an issue with the FQDN. I need to somehow convert the FQDN login to using the username without the @domain.local. Any suggestions will be helpful.
I am thinking I am missing something in either sssd.conf and/or nsswitch.conf
Thanks
Welcome to LQ!
It's possible to work without specifying the username,
Code:
ssh somedomain.com
or
ssh someIP_address
and getting a username prompt from the remote computer, but I can't think of a way to ssh to some other server without specifying the name of the remote computer...how else will the ssh client know where to connect?
Code:
Host yourshortcuthere
HostName xx.xx.x.xxx
Port nnnnn
User username
ControlMaster options...
ControlPersist options...
Compression yes
AddressFamily inet
IdentitiesOnly yes
IdentityFile /path/to/...
Cool. Did not know that (but I prefer to have to enter the userid after the prompt...that's just me). I typically only use ~/.ssh/config to define the remote server's non-standard ssh port so I don't have to remember to type it all the time. Good to learn there's more to it...
So, to do what the OP is asking, the "Host yourshortcuthere" would be the userid? (using the OP's example values...)
Code:
Host username
HostName domain.local (or the IP address)
Port nnnnn
User username
...
BUT there could only be one entry in each user's ~/.ssh/config where the Host shortcut was == to the username. Correct?
I suppose one could make the shortcuts username1, username2, etc.
[Assumption that since there is "a bunch of" of VMs, there may be several remote hosts for each user]
Sorry, I realise now that my explanation fell a little short.
Yes, for each unique "yourshortcuthere" defined, I can then use ssh like this:
Code:
ssh yourshortcuthere
instead of typing out the whole thing with port numbers, usernames etc.
It may not be an exact solution to the OP's problem.
I like that idea but I don't think it's going to work for the 2-factor. The reason why I cannot use the full FQDN is because RADIUS only works with username/sAMAccountName. As of right now there are maybe 5 users that this needs to work for. Going forward it may increase and not be limited to just Linux boxes (CentOS, Red Hat, BSD). It has to work on our Cisco network equipment and hypervisor. Not a fun task but I have until January to get this completed.
Isn't there something using sssd.conf or nsswitch.conf to allow both forms, or to tell it to accept the short name and search AD?
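The setting that controls this lives in sssd.conf, not nsswitch.conf. The following is an added example of a minimal sssd.conf for the AD provider, not a configuration posted anywhere in this thread (the OP never posted what they eventually changed); domain.local is the OP's placeholder domain, and the option names are the documented sssd.conf(5) ones:

```ini
# Added example: /etc/sssd/sssd.conf for a host joined to the AD domain
# domain.local (placeholder taken from the thread, not a real domain).
[sssd]
config_file_version = 2
services = nss, pam
domains = domain.local

[domain/domain.local]
id_provider = ad
access_provider = ad

# Default is True, which is why the login name had to be user@domain.local.
# With False, SSSD accepts and returns the bare sAMAccountName, which is
# the form the RADIUS server expects.
use_fully_qualified_names = False

# Keep UIDs stable across hosts by deriving them from the AD SID.
ldap_id_mapping = True
```

After editing, restart SSSD and flush its cache (`systemctl restart sssd`, then `sss_cache -E`), and verify with `getent passwd username` that the short name resolves before testing an SSH login. The caveat to keep in mind: with `use_fully_qualified_names = False`, a short name must be unique across every domain SSSD serves and must not collide with a local account in /etc/passwd, since nsswitch's `passwd: files sss` order lets a local user of the same name win; if several domains are configured, the alternative is to keep qualified names and set `default_domain_suffix` in the [sssd] section so that unqualified logins are mapped to one chosen domain.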
ssh does not require the "USER@HOST" syntax, it is only the most convenient usage. There is also the usage
Code:
ssh -l USER hostname
which may or may not have the result you are seeking. It is a bit confusing to me how radius is getting the "USER@HOST" string or what requires this syntax.
I would dive into the man pages and documentation, check logs, run some tests, and see if I can tell what is really going on here.
The RADIUS part works but the Linux box denies it because the user is invalid. It can only find the user based on the @domain.local, whereas RADIUS is the opposite. I cannot change the RADIUS side of things but I can change the Linux box.
I checked with the CentOS forum but nothing so far on their end either. I should open a ticket with Red Hat to see if they have any suggestions.
I once saw a historic Unix OS from ~1974, and the entire internet was in /etc/hosts, which was 200 KB, and DNS didn't exist then. These days DNS looks after the internet, but you still have name --> FQDN functionality in /etc/hosts. Just copy an existing line with info in the same order, i.e.
<IPV4-address> <FQDN> <alias>
Got to love how that all works. I finally figured it out... I overlooked the simplest thing.