
Too low OIDC information for debugging #99

Open
vaminakov opened this issue Jan 9, 2024 · 12 comments

Comments

@vaminakov

I'm trying to configure OIDC (Keycloak) with ssh3.
Following the readme, I set up authorized_identities and oidc_config.json with
"issuer_url": "https://keycloakdomain/realms/master"

When trying to connect to the server with these parameters:
.\ssh3.exe -use-oidc https://keycloakdomain/realms/master user@server/verysecret

I get this error:
ERR could not establish SSH3 conversation: no suitable identity found

Which identity does the server want? Which scopes and parameters is it looking for? The verbose flag can't answer these questions. For now it's impossible to debug this feature :(

@francoismichel
Owner

Following this issue, commit 3c97486 adds more logging to help debug the auth process.

An error so early in the process makes me think that either the OIDC config file is in cause or the issuer url specified in the CLI does not exactly match the one in the OIDC config file.

Can you try again with the main branch and let me know the result?

@shizzgar

shizzgar commented Jan 11, 2024

Hi francoismichel!
I have built from the main branch and this is my current log:

9:54PM DBG version 0.1.5-rc5
9:54PM DBG open OIDC config from /home/user/.ssh3/oidc_config.json
9:54PM DBG successfully parsed OIDC config
9:54PM DBG add OIDC auth, 1 issuers in configs
9:54PM DBG issuer https://eiam.example.com/realms/example-stands-vpn/.well-known/openid-configuration does not match issuer URL https://eiam.example.com/realms/example-stands-vpn specified in the command-line
9:54PM DBG dialing QUIC host at 172.19.232.98:444 
2024/01/11 21:54:52 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
9:54PM DBG QUIC handshake complete
9:54PM ERR could not dial stand1.example.com:444/testssh3: no suitable identity found

How can I make the logs more verbose?
I want to use Keycloak as my OIDC provider too.

@vaminakov
Author

vaminakov commented Jan 12, 2024

I was able to successfully log in using Keycloak as the OIDC provider.

  1. Make a new client in Keycloak with default settings (enable auth) and add localhost as a valid redirect URL (is that a security risk?)
  2. Add to .ssh3/authorized_identities on the server:
    oidc KEYCLOAK_CLIENT_ID https://KEYCLOAK_DOMAIN/realms/master SERVER_USER
  3. Add to .ssh3/oidc_config.json on the client:
  3. Add to .ssh3/oidc_config.json in client
[
    {
        "issuer_url": "https://KEYCLOAK_DOMAIN/realms/master",
        "client_id": "KEYCLOAK_CLIENT_ID",
        "client_secret": "SECRET"
    }
]

Then:
./ssh3 -use-oidc https://KEYCLOAK_DOMAIN/realms/master user@server:port/uri

BUT

  1. Client parameters MUST come before the server part; if you put -v or -use-oidc at the end, it will not work.
  2. ssh3-server does NOT check the local user in .ssh3/authorized_identities (only the OIDC user), so you may log in as ANY user on the server, which is a very serious security risk. Maybe it's a good idea to add an additional parameter to authorized_identities: the local user that is allowed to log in?
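The two client-side pitfalls this comment describes (the issuer URL in the command line must be exactly the one in oidc_config.json, and flags placed after the destination are silently dropped) can both be caught before a connection is attempted. The following preflight check is an added example written for this page; it is not ssh3's own code. It assumes that ssh3's CLI is parsed with Go's standard flag package (which stops at the first non-flag argument) and that the client compares issuer URLs as exact strings, which is what the "does not match issuer URL" log line earlier in the thread suggests. The config sample is constructed with placeholder values.

```python
import json

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of the client-side ~/.ssh3/oidc_config.json from the thread
# (placeholder values, not real credentials).
SAMPLE_CONFIG = json.dumps([
    {
        "issuer_url": "https://KEYCLOAK_DOMAIN/realms/master",
        "client_id": "KEYCLOAK_CLIENT_ID",
        "client_secret": "SECRET",
    }
])


def split_args_like_go_flag(argv):
    """Model how Go's standard flag package parses a command line: it stops at the
    first argument that does not start with '-', and everything after that is
    positional. Assumption: ssh3's CLI uses that package; this is what makes flags
    placed after user@server have no effect."""
    flags, positional = {}, []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            positional.extend(argv[i + 1:])
            break
        if not arg.startswith("-") or arg == "-":
            positional.extend(argv[i:])
            break
        name = arg.lstrip("-")
        if "=" in name:
            name, value = name.split("=", 1)
            flags[name] = value
        elif name == "v":
            flags[name] = True          # boolean flag, takes no value
        else:
            flags[name] = argv[i + 1] if i + 1 < len(argv) else ""
            i += 1                      # the value was consumed
        i += 1
    return flags, positional


def preflight(argv, oidc_config_text):
    """Return a list of human-readable problems; an empty list means the command
    line and the config file are consistent. argv excludes the program name."""
    problems = []
    flags, positional = split_args_like_go_flag(argv)

    stray = [p for p in positional[1:] if p.startswith("-")]
    if stray:
        problems.append("flags after the destination are ignored: " + " ".join(stray))

    cli_issuer = flags.get("use-oidc")
    if not cli_issuer:
        problems.append("-use-oidc was not parsed; place it before user@server")
        return problems

    try:
        entries = json.loads(oidc_config_text)
    except json.JSONDecodeError as exc:
        problems.append(f"oidc_config.json is not valid JSON: {exc}")
        return problems

    configured = [e.get("issuer_url", "") for e in entries]
    if cli_issuer in configured:
        return problems                 # exact match, as the client log requires

    # Diagnose the near-misses seen in the thread. Assumption: the client compares
    # the strings exactly, so these are real mismatches, not cosmetic ones.
    if cli_issuer.endswith(WELL_KNOWN_SUFFIX):
        problems.append("-use-oidc must be the bare issuer URL, without " + WELL_KNOWN_SUFFIX)
    elif any(c.rstrip("/") == cli_issuer.rstrip("/") for c in configured):
        problems.append("issuer URL differs from the config only by a trailing slash")
    else:
        problems.append(f"issuer {cli_issuer} is not present in oidc_config.json")
    return problems


if __name__ == "__main__":
    issuer = "https://KEYCLOAK_DOMAIN/realms/master"
    for args in (["-v", "-use-oidc", issuer, "user@server:443/ssh"],
                 ["user@server:443/ssh", "-use-oidc", issuer],
                 ["-use-oidc", issuer + WELL_KNOWN_SUFFIX, "user@server:443/ssh"]):
        print(args, "->", preflight(args, SAMPLE_CONFIG) or "ok")
```

Running the module prints one line per sample command line: the correctly ordered one passes, the one with the flag after the destination reports both that the flag was ignored and that no issuer was parsed, and the discovery-document URL is flagged as not being the bare issuer.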

@vaminakov
Author

And another idea. I don't think that storing the client ID and secret on the client side is good; maybe it should be on the server, which sends the technical info to the client during the handshake? Then the client would only need to do ./ssh3 -use-oidc user@server:port/uri and, depending on "user", the server would send the client the relevant info from its oidc_config.json.

@shizzgar

shizzgar commented Jan 12, 2024

vaminakov, could you please give a screenshot of the Keycloak configuration page?
What params exactly did you use? I can't set the Keycloak params properly to make it work...
I set everything up as in your instructions, but now I'm getting an unauthorized error...

./ssh3 -use-oidc https://keycloak.example.com/realms/example -v server/ssh
5:55PM DBG version 0.1.5-rc5
5:55PM DBG no OIDC config file specified, use default file: /home/user/.ssh3/oidc_config.json
5:55PM DBG successfully parsed OIDC config
5:55PM DBG add OIDC auth, 1 issuers in configs
5:55PM DBG found issuer https://keycloak.example.com/realms/example matching the issuer specified in the command-line
5:55PM DBG dialing QUIC host at 172.19.232.98:444
2024/01/12 17:55:33 failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
5:55PM DBG QUIC handshake complete
5:55PM DBG try OIDC auth to issuer https://keycloak.example.com/realms/example
5:55PM DBG spawning browser at https://keycloak.example.com/realms/example/protocol/openid-connect/auth?client_id=ssh3-oidc&redirect_uri=http%3A%2F%2Flocalhost%3A34193%2Fssh%2F882a56e197d712b2760ce7f0c20555d4b9887a9a195ef85626e0bd9177984667c3dd6b54bb4b3afeaf4ff80c8f2eaacdead17f9060a7a54a28dca05c33295009&response_type=code&scope=openid+email&state=state

5:55PM DBG got token: someTokenReturnedFromKK
5:55PM DBG we only try the first specified auth method for now
5:55PM DBG try the following Identity: raw-bearer-identity
5:55PM DBG send CONNECT request to the server
5:55PM ERR Access denied from the server: unauthorized
5:55PM ERR could not dial server.example.com:444/ssh: Unauthorized

@shizzgar

shizzgar commented Jan 12, 2024

francoismichel, also, how do I specify the folder/file where server logs should be stored?
And is there any way to increase the server log verbosity?
UPD: Thanks, I get it: #68 (comment), but this is the same as the -v flag. Could you add some more info in logging?

@francoismichel
Owner

> francoismichel, also, how do I specify the folder/file where server logs should be stored?

You can do so by setting the SSH3_LOG_FILE environment variable. By default it is /var/log/ssh3.log.

> Could you add some more info in logging?

Can you provide an example of logging you already have that does not allow debugging the error? That will help me to know what additional logging is needed.

@francoismichel
Owner

> ssh3-server does NOT check the local user in .ssh3/authorized_identities (only the OIDC user), so you may log in as ANY user on the server, which is a very serious security risk. Maybe it's a good idea to add an additional parameter to authorized_identities: the local user that is allowed to log in?

The server only checks the .ssh3/authorized_identities of the local user. If you log in as the user my-user, the server only reads the identities file under /home/my-user/.ssh3/authorized_identities, so one can only log in as the my-user local user if the OIDC identity line is present in /home/my-user/.ssh3/authorized_identities.
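The authorization model the maintainer describes here (the OIDC line must appear in the target local user's own authorized_identities file, not just in any user's file) is worth seeing as a decision function, because it answers the "log in as ANY user" concern from the earlier comment. The following is an added example written for this page, not ssh3's server code. It assumes the line format shown earlier in the thread, `oidc CLIENT_ID ISSUER_URL IDENTITY`, assumes the last field is compared against the token's `email` claim (the client log above requests the `openid email` scope), and stands in for the per-user files with a constructed in-memory dictionary.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OidcIdentityLine:
    client_id: str
    issuer_url: str
    identity: str   # the OIDC identity named on the line (the thread's "OIDC user")


def parse_authorized_identities(text):
    """Parse the 'oidc CLIENT_ID ISSUER_URL IDENTITY' lines of an authorized_identities
    file, the format shown in the thread. Blank lines, comments and lines of any
    other identity type are skipped (assumption: other types are out of scope here)."""
    parsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 4 and fields[0] == "oidc":
            parsed.append(OidcIdentityLine(fields[1], fields[2], fields[3]))
    return parsed


# Constructed stand-in for /home/<user>/.ssh3/authorized_identities, one entry
# per local account. Values are placeholders.
HOMES = {
    "alice": "# alice allows exactly one Keycloak identity\n"
             "oidc KEYCLOAK_CLIENT_ID https://KEYCLOAK_DOMAIN/realms/master alice@example.org\n",
    "bob":   "",   # empty file: nobody can become bob via OIDC
    "root":  "oidc KEYCLOAK_CLIENT_ID https://KEYCLOAK_DOMAIN/realms/master admin@example.org\n",
}


def read_authorized_identities(local_user, homes=HOMES):
    """Stand-in for reading the target user's own file; a missing file reads as empty."""
    return parse_authorized_identities(homes.get(local_user, ""))


def authorize(requested_local_user, client_id, token_claims, homes=HOMES):
    """Decide whether an OIDC login may become requested_local_user.

    Only that user's file is consulted, which is the property the maintainer
    describes: alice's line lets a token become alice, and nothing else. The
    client_id binds the line to the Keycloak client, the issuer to the realm,
    and the identity to the token's email claim (assumption noted in the lead-in)."""
    issuer = token_claims.get("iss", "")
    subject = token_claims.get("email", "")
    for line in read_authorized_identities(requested_local_user, homes):
        if (line.client_id, line.issuer_url, line.identity) == (client_id, issuer, subject):
            return True
    return False


if __name__ == "__main__":
    claims = {"iss": "https://KEYCLOAK_DOMAIN/realms/master", "email": "alice@example.org"}
    for user in ("alice", "bob", "root"):
        print(user, "->", "allowed" if authorize(user, "KEYCLOAK_CLIENT_ID", claims) else "denied")
```

The issuer comparison is exact, so a token whose `iss` carries the `/.well-known/openid-configuration` suffix seen in the client log is rejected just like a wrong realm would be; when debugging an "unauthorized" result, the three fields of the line and the three values from the token are the only inputs to check.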

@francoismichel
Owner

> And another idea. I don't think that storing the client ID and secret on the client side is good; maybe it should be on the server, which sends the technical info to the client during the handshake? Then the client would only need to do ./ssh3 -use-oidc user@server:port/uri and, depending on "user", the server would send the client the relevant info from its oidc_config.json.

I agree that storing the client/secret combo in a file on the client is a bad idea. There are several solutions I thought of. Your proposition is a good candidate. Another idea would be to rely on the operating system's secure keyring.

@vaminakov
Author

@shizzgar
Are you sure that your config files (authorized_identities on the server and oidc_config.json on the client) are configured as I wrote?
I checked by example on another instance, and everything is working. The Keycloak client parameters are the defaults, except "Client authentication" is on.

@shizzgar

> @shizzgar Are you sure that your config files (authorized_identities on the server and oidc_config.json on the client) are configured as I wrote? I checked by example on another instance, and everything is working. The Keycloak client parameters are the defaults, except "Client authentication" is on.

Thanks, I'll try again today :)

@almereyda

almereyda commented Apr 14, 2024

@vaminakov I was unable to configure a generic redirect URI that would be matched positively. See:

Would you be able to provide a complete walkthrough that allowed you to log in to SSH3 successfully via OIDC? Unfortunately the existing documentation is a little sparse on configuring the OIDC provider according to the specification so that it is compatible with what the SSH3 server and client expect.
