Ubuntu: AADSTS50074: UserStrongAuthClientAuthNRequiredInterrupt #252

Closed
barkermn01 opened this issue Oct 15, 2024 · 8 comments
Labels
bug Something isn't working

Comments

barkermn01 (Contributor) commented Oct 15, 2024

So Authentication via SSH is doing something strange:
image

As you will see, it's asking for the password twice without any feedback in between. This account does have MFA enabled; the himmelblau logs state:

himmelblaud[11369]: 00000000-0000-0000-0000-000000000000 ERROR 🚨 [error]: AADSTSError( (AADSTSError { code: 50074, description: "AADSTS50074: UserStrongAuthClientAuthNRequiredInterrupt - Strong authentication is required and the user did not pass the MFA challenge." })

At no point is it asking me for my MFA token. I have verified there is no IdP on our domain; we stay on login.microsoftonline.com all the way through the login process. Unsure what is going wrong here. Tried both with and without Hello being enabled.

Things I have tried: using the full email address and not (so just the username). When asked for the password twice, the first time I tried the same password from my password manager twice, one after the other; the second time I tried using the password on the first one and then the MFA code for the second. Same result: Access Denied and the same error in the logs for Himmelblau.

dmulder (Collaborator) commented Oct 15, 2024

The config in ./platform/debian/sshd_config needs to be installed to /etc/ssh/sshd_config.d/himmelblau.conf. This needs to be added to the Makefile.

dmulder mentioned this issue Oct 15, 2024

dmulder (Collaborator) commented Oct 15, 2024

This should be resolved by #256

dmulder closed this as completed Oct 15, 2024

barkermn01 (Contributor, Author) commented Oct 15, 2024

I checked that before opening the issue and all it did was turn on KbdInteractiveAuthentication. However, I already have that turned on in my /etc/ssh/sshd_config, so this file copy won't make a difference.
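
How sshd chooses between a drop-in such as /etc/ssh/sshd_config.d/himmelblau.conf and the main /etc/ssh/sshd_config, as an added example that is not part of the original thread or of the himmelblau project: sshd keeps the first value it obtains for a keyword and reads Include files at the point where the directive appears. The directory layout, the file name 10-site.conf and the function names are constructed for illustration, and treating everything after a Match line as conditional is a simplification.

```shell
# Added example (not from the thread): find which file decides a global sshd
# keyword. First value obtained wins; Include globs expand in lexical order.
SSH_DIR=${SSH_DIR:-/etc/ssh}    # base for relative Include paths

# flatten FILE -> "keyword<TAB>args<TAB>file" per global directive, in parse
# order. The ( ) body runs in a subshell, so recursion cannot clobber variables.
flatten() (
    file=$1
    [ -r "$file" ] || exit 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop comments
        set -f; set -- $line; set +f          # split words without globbing
        [ $# -gt 0 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        case $key in
            match) exit 0 ;;                  # simplification: rest of file is conditional
            include)
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$SSH_DIR/$pat ;; esac
                    for inc in $pat; do flatten "$inc"; done
                done ;;
            *) printf '%s\t%s\t%s\n' "$key" "$*" "$file" ;;
        esac
    done < "$file"
)

# effective ROOT KEYWORD [ALIAS...] -> "value file" of the first hit, or "unset"
effective() {
    root=$1; shift
    flatten "$root" | awk -F '\t' -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " "); for (i = 1; i <= n; i++) want[k[i]] }
        ($1 in want) { print tolower($2), $3; hit = 1; exit }
        END { if (!hit) print "unset" }'
}

# Constructed layout: main file and himmelblau.conf say yes, an earlier drop-in says no.
build_demo_tree() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' 'UsePAM yes' \
        'KbdInteractiveAuthentication yes' > "$1/sshd_config"
    printf 'KbdInteractiveAuthentication no\n' > "$1/sshd_config.d/10-site.conf"
    printf 'KbdInteractiveAuthentication yes\n' > "$1/sshd_config.d/himmelblau.conf"
}

demo=$(mktemp -d) && build_demo_tree "$demo"
SSH_DIR=$demo
# ChallengeResponseAuthentication is the deprecated alias of the same option.
effective "$demo/sshd_config" kbdinteractiveauthentication challengeresponseauthentication
rm -rf "$demo"
```

On a live host, `sshd -T` prints the configuration sshd actually resolved, Match handling included, and is the authoritative check.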

image

barkermn01 (Contributor, Author) commented Oct 15, 2024

Also verified by restarting server, that setting is not the problem in this, I'm not sure what is causing this problem @dmulder

dmulder reopened this Oct 15, 2024

dmulder (Collaborator) commented Oct 15, 2024

Interesting, try the work around found in https://github.com/himmelblau-idm/himmelblau/wiki/OpenSSH-Bug-2876-%E2%80%90--Unable-to-use-MFA-over-SSH-%E2%80%90-Workaround
I wonder if the Amazon version is missing that patch.

barkermn01 (Contributor, Author) commented Oct 15, 2024

> Interesting, try the work around found in https://github.com/himmelblau-idm/himmelblau/wiki/OpenSSH-Bug-2876-%E2%80%90--Unable-to-use-MFA-over-SSH-%E2%80%90-Workaround
> I wonder if the Amazon version is missing that patch.

So I had not, because this is Ubuntu 24.04, so I would have assumed I had the patch for OpenSSH, but I have tried it now and it did not help at all; exactly the same thing.
image

auth.log

2024-10-15T18:05:17.042027+00:00 ip-10-1-1-61 sshd[2119]: Invalid user martin.barker from 10.5.0.3 port 61113
2024-10-15T18:05:17.078665+00:00 ip-10-1-1-61 sshd[2119]: Postponed keyboard-interactive for invalid user martin.barker from 10.5.0.3 port 61113 ssh2 [preauth]
2024-10-15T18:05:28.805551+00:00 ip-10-1-1-61 sshd[2119]: Postponed keyboard-interactive/pam for invalid user martin.barker from 10.5.0.3 port 61113 ssh2 [preauth]
2024-10-15T18:05:34.930078+00:00 ip-10-1-1-61 sshd[2121]: pam_unix(sshd:auth): check pass; user unknown
2024-10-15T18:05:34.930271+00:00 ip-10-1-1-61 sshd[2121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.5.0.3
2024-10-15T18:05:37.052727+00:00 ip-10-1-1-61 sshd[2119]: error: PAM: Authentication failure for illegal user martin.barker from 10.5.0.3
2024-10-15T18:05:37.053066+00:00 ip-10-1-1-61 sshd[2119]: Failed keyboard-interactive/pam for invalid user martin.barker from 10.5.0.3 port 61113 ssh2
2024-10-15T18:05:37.087729+00:00 ip-10-1-1-61 sshd[2119]: Postponed keyboard-interactive for invalid user martin.barker from 10.5.0.3 port 61113 ssh2 [preauth]

journalctl:

Oct 15 18:05:28 ip-10-1-1-61 himmelblaud[1662]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: AADSTSError(AADSTSError { code: 50074, description: "AADSTS50074: UserStrongAuthClientAuthNRequiredInterrupt - Strong authentication is required and the user did not pass the MFA challenge." })
Oct 15 18:05:28 ip-10-1-1-61 himmelblaud[1662]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: AADSTSError(AADSTSError { code: 50074, description: "AADSTS50074: UserStrongAuthClientAuthNRequiredInterrupt - Strong authentication is required and the user did not pass the MFA challenge." })

While AWS Ubuntu does use EC2-specific versions, it's controlled by Canonical by the looks of it, since it's on the ubuntu.com domain.

root@ip-10-1-1-61:~# apt update
Hit:1 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:3 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:4 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Get:5 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [592 kB]
Get:6 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/main Translation-en [144 kB]
Get:7 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/main amd64 c-n-f Metadata [10.2 kB]
Get:8 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [697 kB]
Get:9 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [206 kB]
Get:10 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/universe amd64 c-n-f Metadata [19.6 kB]
Get:11 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [385 kB]
Get:12 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/restricted Translation-en [74.4 kB]
Get:13 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [14.8 kB]
Get:14 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [10.6 kB]
Get:15 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-backports/universe Translation-en [10.8 kB]
Get:16 http://eu-west-2.ec2.archive.ubuntu.com/ubuntu noble-backports/universe amd64 c-n-f Metadata [1104 B]
Get:17 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [410 kB]
Get:18 http://security.ubuntu.com/ubuntu noble-security/main Translation-en [90.4 kB]
Get:19 http://security.ubuntu.com/ubuntu noble-security/main amd64 c-n-f Metadata [5788 B]
Get:20 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [553 kB]
Get:21 http://security.ubuntu.com/ubuntu noble-security/universe Translation-en [147 kB]
Get:22 http://security.ubuntu.com/ubuntu noble-security/universe amd64 c-n-f Metadata [13.5 kB]

dmulder (Collaborator) commented Oct 15, 2024

Could you join the himmelblau matrix channel and then we could debug some more? I'd like to figure out what is triggering that error.

dmulder added the bug label Oct 15, 2024

dmulder (Collaborator) commented Dec 18, 2024

I think this is resolved in the latest 0.7.x. Feel free to reopen if you encounter the issue again.

dmulder closed this as completed Dec 18, 2024