Cannot SSH to SAC SSH Application with username and password credentials only
Article ID: 265253
Updated On: 01-22-2024
Products
Issue/Introduction
Admin deployed SAC Connector and tested Web and RDP applications without issues.
When deploying SSH applications, it appears that all SSH communications require private key authentication which isn't applicable with back-end servers - which require a username and password to be inputted for SSH server access at internal locations.
The back-end servers cannot accept PKI authentication. The organization has 200+ SSH Services including Cisco/Juniper Routers/switches, different Firewall types and other devices. It is a major hassle and effort to install a public key at each SSH Server.
Followed the SAC documentation to enable SSH sessions to back-end servers with username/password authentication but SSH connections still fail after entering the Access Token with the following message:
Received disconnect from x.x.x.x port 22:14: The good news, you are authorized to access the application.
However, the requested application authentication failed, due to Public Key Authentication method failure on target resource.
SAC admin logs showed:
SSH failure due to "Could not authenticate on the target machine where only Public Key Authentication was Configured".
Environment
SAC SSH Applications.
SSH access with username/password only.
Cause
SSHD setup erroring out due to misconfiguration.
Resolution
Make sure that the SSHD_CONFIG (per the doc links above) includes the following entries:
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods password keyboard-interactive
These entries existed in our case, but we also had to change another KbdInteractiveAuthentication flag (which deprecates ChallengeResponseAuthentication)
KbdInteractiveAuthentication yes
Important:
Keyboard-Interactive Authentication must be enabled. Authenticating to SAC using either a one-time token or an SSH key requires password authentication to the SSH server as a second authentication factor.
Additional Information
SSHD troubleshooting can benefit from enabling more verbose log levels on the SSHD server using the LogLevel directive.
Enabling in the above case, we found the following entry before the error reported the screen was also logged that gave a clue:
Mar 10 11:26:24 sac-tst sshd[2381]: error: Disabled method "keyboard-interactive" in AuthenticationMethods list "keyboard-interactive"
As soon as we enabled it, all worked fine.
Feedback
