ssh not working with uuid error logs #58

Closed
ssungwxx opened this issue Mar 25, 2021 · 6 comments
ssungwxx commented Mar 25, 2021

Hi there.

I tried to set the vault ssh secret with azure or gcp. But both VMs print the same error logs.

[ERROR]: uuid is improperly formatted 
or
[ERROR]: uuid string is wrong length

My mac setting :
VAULT_ADDR=http://XX.XX.XX.XXX and login with root token

Vault server setting:
postgres on docker

config.hcl :

Vault server setting :
storage "postgresql" {
  connection_url = "postgres://user:password@localhost:5432/vault?sslmode=disable"
}

listener "tcp" {
  address = "0.0.0.0:80"
  tls_disable = 1
}

ui = true

Target VM setting:

/etc/pam.d/sshd:
# @include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vaultssh.log /home/sw/vault-ssh-helper -config=/home/sw/config.hcl -dev
auth optional pam_unix.so not_set_pass use_first_pass nodelay

/etc/ssh/sshd_config:

...
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
...

I tried :

# vault write ssh/roles/otp_role \
key_type=otp \
default_user=hi \
cidr_list=0.0.0.0/0
Success! Data written to: ssh/roles/otp_role

# vault write ssh/creds/otp_role ip=XX.XX.XX.XXX
Key                Value
---                -----
lease_id           ssh/creds/otp_role/eYyTMfiirC0vq802yTKqWLWC
lease_duration     768h
lease_renewable    false
ip                 XX.XX.XX.XXX
key                8c14b305-c1f7-9cda-0496-fd9a5362573c
key_type           otp
port               22
username           hi

# curl -XPOST \
http://XX.XX.XX.XXX/v1/ssh/verify -d \
'{"otp":"8c14b305-c1f7-9cda-0496-fd9a5362573c"}'
{"request_id":"8c32d0cc-7916-f45a-a452-783b1ad86793","lease_id":"","renewable":false,"lease_duration":0,"data":{"ip":"XX.XX.XX.XXX","role_name":"otp_role","username":"hi"},"wrap_info":null,"warnings":null,"auth":null}

But I cannot ssh to the target VM, and I got these logs:

[ERROR]: uuid is improperly formatted 
or
[ERROR]: uuid string is wrong length

I don't know what is wrong. Please check this. And I think we need another error log print, not the uuid error.


LKNSI commented May 2, 2021

@calvn (last one to make any changes, sorry for the tag)
@ssungwxx (assuming you were using root in this example, instead use another user)

Maybe it would be a good note to tell people that sshd (with pam's help) will not pass the password to vault-ssh-helper if the user in question is root without further steps. (Or any other user that sshd denies).

Quick illustration between users (password attempted was a literal f character, and pam_exec was pointed to a simple echo script).
image


lukeb0t commented May 3, 2022

@ssungwxx did you get to a resolution here?


iuli72an commented May 5, 2022

@ssungwxx have you received any solution to this one?


ssungwxx commented May 5, 2022

@lukeb0t @iuli72an
unfortunately not :(


xmN1 commented Oct 31, 2022

@ssungwxx hi, did you get to a resolution here?

@liuliancao

I got the uuid error. I found I had not created the user before; after that it's fixed.
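
A diagnostic for the two causes reported in this thread (sshd not passing the real password for root or another denied user, and a login name with no local account), as an added example that is not part of the issue or of vault-ssh-helper. The function names and the `--pam` flag are assumptions; the format checks follow the wording of the two error messages and the 36-character OTP shown in the first post.

```shell
#!/bin/sh
# Added diagnostic, not part of vault-ssh-helper; all function names are hypothetical.
# Reports the shape of the string pam_exec hands over, never the string itself.

# Print uuid, wrong-length or bad-format for a candidate OTP.
classify_authtok() {
    tok=$1
    if [ "${#tok}" -ne 36 ]; then echo wrong-length; return; fi
    case $tok in
        ????????-????-????-????-????????????) ;;
        *) echo bad-format; return ;;
    esac
    hex=$(printf '%s' "$tok" | tr -d '-')
    case $hex in *[!0-9a-fA-F]*) echo bad-format; return ;; esac
    if [ "${#hex}" -eq 32 ]; then echo uuid; else echo bad-format; fi
}

# Succeeds only when the login name resolves to an account on this host.
account_exists() {
    [ -n "$1" ] && id -u -- "$1" >/dev/null 2>&1
}

# One log line per attempt; the user name is sanitised against log injection.
diagnose() {
    safe_user=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '?')
    if account_exists "$1"; then acct=present; else acct=missing; fi
    printf 'user=%s account=%s authtok_len=%s authtok_shape=%s\n' \
        "$safe_user" "$acct" "${#2}" "$(classify_authtok "$2")"
}

if [ "${1:-}" = "--pam" ]; then
    # pam_exec with expose_authtok supplies the password on stdin.
    diagnose "${PAM_USER:-}" "$(tr -d '\000')"
    exit 1   # always deny: a diagnostic must never grant a login
else
    # Constructed samples: a well-formed OTP and a non-OTP string.
    diagnose root '00000000-1111-2222-3333-444444444444'
    diagnose no_such_user_zz9 'constructed-non-otp'
fi
```

Swapped temporarily into the `pam_exec.so` line with `--pam` appended, it writes one line per attempt to the `log=` file and always fails authentication, so `account=missing` or a shape other than `uuid` points at sshd or the account rather than at Vault.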

ssungwxx closed this as not planned Jun 3, 2024