Too low OIDC information for debugging #99
Comments
Following this issue, commit 3c97486 adds more logging to help debug the auth process. An error so early in the process makes me think that either the OIDC config file is the cause or the issuer URL specified on the CLI does not exactly match the one in the OIDC config file. Can you try again with the main branch and let me know the result?
Hi francoismichel! How can I make the logs more verbose?
I was able to successfully log in using Keycloak as the OIDC provider.
Then BUT
And another idea. I don't think that storing the client id and secret on the client side is a good idea - maybe it should be on the server, and the server sends the technical info to the client while handshaking? So the client only needs to do
vaminakov, could you please give a screenshot of the Keycloak configuration page?

```
./ssh3 -use-oidc https://keycloak.example.com/realms/example -v server/ssh
5:55PM DBG version 0.1.5-rc5
5:55PM DBG no OIDC config file specified, use default file: /home/user/.ssh3/oidc_config.json
5:55PM DBG successfully parsed OIDC config
5:55PM DBG add OIDC auth, 1 issuers in configs
5:55PM DBG found issuer https://keycloak.example.com/realms/example matching the issuer specified in the command-line
5:55PM DBG dialing QUIC host at 172.19.232.98:444
2024/01/12 17:55:33 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
5:55PM DBG QUIC handshake complete
5:55PM DBG try OIDC auth to issuer https://keycloak.example.com/realms/example
5:55PM DBG spawning browser at https://keycloak.example.com/realms/example/protocol/openid-connect/auth?client_id=ssh3-oidc&redirect_uri=http%3A%2F%2Flocalhost%3A34193%2Fssh%2F882a56e197d712b2760ce7f0c20555d4b9887a9a195ef85626e0bd9177984667c3dd6b54bb4b3afeaf4ff80c8f2eaacdead17f9060a7a54a28dca05c33295009&response_type=code&scope=openid+email&state=state
5:55PM DBG got token: someTokenReturnedFromKK
5:55PM DBG we only try the first specified auth method for now
5:55PM DBG try the following Identity: raw-bearer-identity
5:55PM DBG send CONNECT request to the server
5:55PM ERR Access denied from the server: unauthorized
5:55PM ERR could not dial server.example.com:444/ssh: Unauthorized
```
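The log above ends with the server rejecting the bearer token, and the earlier reply points at the issuer URL on the CLI not matching the config file exactly. Both come down to which claims the ID token carries versus what the client config says. The script below is an added example, not code from ssh3 or from anyone in this thread: it decodes an ID token's claims without verifying the signature and reports mismatches against the `issuer_url` and `client_id` from the client config. Which claims the ssh3 server actually checks is not stated on this page; the checks here (exact `iss` match, `aud` containing the client id, an `email` claim, an unexpired `exp`) are the standard OIDC ones and are an assumption. The issuer and client id mirror the ones in the log; the tokens themselves are constructed with a placeholder signature.

```python
import base64
import json
import time
from typing import List, Optional, Tuple

# Constructed values for the demo; they mirror the issuer and client_id in the log above.
ISSUER_URL = "https://keycloak.example.com/realms/example"
CLIENT_ID = "ssh3-oidc"


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.
    Debugging aid only: it tells you what the token says, not whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_claims(claims: dict, issuer_url: str, client_id: str,
                 now: Optional[float] = None) -> List[str]:
    """Return human-readable mismatches between the token and the client config.
    An empty list means iss/aud/email/exp line up with issuer_url and client_id.
    (Assumed checks: generic OIDC validation, not a statement of what ssh3 does.)"""
    now = time.time() if now is None else now
    problems: List[str] = []
    iss = claims.get("iss")
    if iss != issuer_url:
        # The classic config slip: same issuer, but one side has a trailing slash.
        hint = " (trailing slash?)" if iss and iss.rstrip("/") == issuer_url.rstrip("/") else ""
        problems.append(f"iss mismatch{hint}: token={iss!r} config={issuer_url!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain client_id {client_id!r}")
    if "email" not in claims:
        problems.append("no email claim: was the 'email' scope granted and the user's email set?")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append(f"token expired or has no exp (exp={exp!r})")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed ID token with a placeholder signature, only to feed the checks above."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


def diagnose(token: str, issuer_url: str = ISSUER_URL, client_id: str = CLIENT_ID,
             now: Optional[float] = None) -> List[str]:
    _, claims = decode_id_token(token)
    return check_claims(claims, issuer_url, client_id, now)


if __name__ == "__main__":
    in_five_min = int(time.time()) + 300
    good = make_unsigned_token({"iss": ISSUER_URL, "aud": CLIENT_ID,
                                "email": "user@example.com", "exp": in_five_min})
    bad = make_unsigned_token({"iss": ISSUER_URL + "/", "aud": ["account"], "exp": in_five_min})
    for name, tok in (("good", good), ("bad", bad)):
        print(name, diagnose(tok) or "claims match the client config")
```

To use it against a real token, paste the value the client logs after `got token:` into `diagnose()`; the output names the first claim that disagrees with the config instead of the bare `unauthorized` the server returns. Because the signature is never checked, this only explains a rejection; it must not be used to accept a token.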
francoismichel, also how do I specify the folder/file where the server logs should be stored?
The server only checks the
I agree that storing the client/secret combo in a file on the client is a bad idea. There are several solutions I thought of. Your proposition is a good candidate. Another idea would be to rely on the operating system's secure keyring.
@shizzgar
Thanks, I'll try again today :)
@vaminakov I was unable to configure a generic redirect URI that would be matched positively. See: Would you be able to provide a complete walkthrough that allowed you to log in to SSH3 successfully via OIDC? Unfortunately the existing documentation is a little sparse around configuring the OIDC provider according to the specification, so that it is compatible with what the SSH3 server and client expect.
I'm trying to configure OIDC (Keycloak) with ssh3.
Following the readme, I set up authorized_identities and oidc_config.json:

```
"issuer_url": "https://keycloakdomain/realms/master"
```

When trying to connect to the server with the parameters:

```
.\ssh3.exe -use-oidc https://keycloakdomain/realms/master user@server/verysecret
```

I get the error:

```
ERR could not establish SSH3 conversation: no suitable identity found
```

Which identity does the server want? Which scopes and parameters does it look for? The verbose flag can't answer these questions. For now it's impossible to debug this feature :(