Troubleshooting the PingID SSH installation
This section can help you diagnose and resolve issues with your PingID SSH installation.
-
Verifying PingID installation
-
General troubleshooting
-
Troubleshooting on Solaris 10
-
Troubleshooting on HP-UX
Verifying your PingID installation
Before performing the post-installation steps, verify the successful installation of PingID.
Steps
-
Run the binary
pingid_fc
-
Confirm that you get the pairing instructions.
If there are any problems with the installation, check the log files to identify the problem.
The location of the log file is defined in the configuration file. For more information, see PingID SSH configuration file parameters.
-
Verify connectivity to the PingID server.
Choose from:
-
For US accounts:
curl -I https://idpxnyl3m.pingidentity.com/pingid/heartbeat
-
For EU accounts:
curl -I https://idpxnyl3m.pingidentity.eu/pingid/heartbeat
-
For Australian accounts:
curl -I https://idpxnyl3m.pingidentity.com.au/pingid/heartbeat
The actual host name can be found in the
pingid.properties
file.
-
Confirm that you get a 200 response.
-
If the connection fails, make sure that outbound connections to the host on port 443 are open on your system’s firewall.
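The connectivity check above as a script, added here as an example that is not part of the original documentation: it reads the host from pingid.properties instead of hard-coding a region and reports whether the heartbeat returned 200. The property key idp_url and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build the heartbeat URL from pingid.properties and test it.
# Assumption: the file stores the service base URL under the key "idp_url",
# for example idp_url=https://<host>/pingid
# Usage: check_heartbeat /path/to/pingid.properties

# Print the heartbeat URL for the host named in the properties file.
heartbeat_url() {
    props=$1
    [ -r "$props" ] || { echo "cannot read $props" >&2; return 2; }
    # Last idp_url= line wins; drop CRs, trailing blanks and trailing slashes.
    base=$(sed -n 's/^[[:space:]]*idp_url[[:space:]]*=[[:space:]]*//p' "$props" |
           tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//; s:/*$::')
    case $base in
        https://?*) ;;
        *) echo "idp_url missing or not https in $props" >&2; return 3 ;;
    esac
    # Keep scheme and host only, then append the heartbeat path used above.
    origin=$(printf '%s\n' "$base" | sed 's|^\(https://[^/]*\).*|\1|')
    printf '%s/pingid/heartbeat\n' "$origin"
}

# Read "curl -I" header output on stdin and print the final status code.
# A proxy can add its own status line first, so the last one is the answer.
status_from_headers() {
    tr -d '\r' | awk '/^HTTP\// { code = $2 }
                      END { if (code == "") exit 1; print code }'
}

# Return 0 only when the heartbeat endpoint answers 200.
check_heartbeat() {
    url=$(heartbeat_url "$1") || return $?
    code=$(curl -sS -I --max-time 10 "$url" | status_from_headers) || {
        echo "FAIL: no HTTP response from $url (check outbound port 443)" >&2
        return 1
    }
    if [ "$code" = 200 ]; then
        echo "OK: $url returned 200"
    else
        echo "FAIL: $url returned $code" >&2
        return 1
    fi
}
```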
Troubleshooting SSH issues
Most SSH issues can be resolved by rerunning the installation package or reverting to a previous system state.
Steps
-
If you installed from the binary package and got the following error response,
The method driver /usr/lib/apt/methods/https could not be found from apt-get - install apt-transport-https
, then rerun using the following command:
sudo apt-get install apt-transport-https
-
If you installed and integrated PingID with SSH, but users are unable to authenticate successfully, revert to the system state prior to the PingID SSH installation.
Choose from:
-
If your installation is on a physical machine:
-
If you have kept an open session with root permissions, use that session.
-
If you do not have an open session, you must access the machine to open a local root console session.
-
If your installation is a virtual machine (VM), you should open a root console session in the VM control console.
-
Restore the changed sshd_config and authorized_keys files (for PAM, also the system-auth, common-auth or pam.conf files) to their state before the PingID installation, or reverse the entries in the configuration files according to the changes that you applied, depending on your operating system and the PAM or ForceCommand options.
-
Restart the sshd service:
For all systems except Solaris:
service sshd restart
For Solaris systems:
svcadm restart ssh
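A cautious way to carry out the restore step, as an added example that is not part of the original documentation: it copies each file back from a backup and validates sshd_config with sshd -t before you restart the service. The .pre-pingid backup suffix, the SSHD_BIN override and the function names are assumptions.

```shell
#!/bin/sh
# Added example, run as root from the session you kept open.
# Assumption: before integrating PingID you saved a copy of every file you
# changed next to the original, with the hypothetical suffix ".pre-pingid".
SUFFIX=${SUFFIX:-.pre-pingid}

# Restore one file from its backup; the current (PingID) version is kept as
# <file>.pingid-state so the change can be reviewed or re-applied later.
restore_one() {
    target=$1
    backup=$1$SUFFIX
    [ -f "$backup" ] || { echo "skip: no backup for $target" >&2; return 1; }
    if cmp -s "$backup" "$target"; then
        echo "unchanged: $target"
        return 0
    fi
    # cp -p keeps mode and timestamps; sshd rejects badly-permissioned
    # authorized_keys files when StrictModes is on.
    cp -p "$target" "$target.pingid-state" &&
        cp -p "$backup" "$target" &&
        echo "restored: $target"
}

# Usage: revert_pingid /etc/ssh/sshd_config [other changed files...]
# Returns 0 when sshd_config was restored and passes validation.
revert_pingid() {
    sshd_config=$1
    shift
    restore_one "$sshd_config" || return 1
    for f in "$@"; do
        restore_one "$f" || true      # PAM files differ per operating system
    done
    # sshd -t only parses the configuration and host keys, then exits.
    "${SSHD_BIN:-/usr/sbin/sshd}" -t -f "$sshd_config" || {
        echo "sshd_config failed validation; do not restart sshd" >&2
        return 2
    }
    echo "validated: restart sshd, then test a new login before logging out"
}
```

Set SSHD_BIN if sshd is not at /usr/sbin/sshd on your system.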
Troubleshooting the PingID SSH installation on Solaris 10
Dealing with problems with Solaris 10.
If you are experiencing problems with Solaris 10, checking the following items may assist.
-
Run the pkginfo command. The output can help you find missing packages and is useful for general investigation of Solaris hosts.
-
Check the console output and the contents of the config.log file produced during execution of the ./configure script. It plays a vital role in investigating compilation and installation issues.
-
If you use the opencsw repository to satisfy the requirements of PingID SSH, then the libcurl4, libcurl_dev, libssl1_0_0, libssl_dev, libcares_dev, librtmp_dev, libssh2_dev, libkrb5_dev, libbrotli_dev and openldap_dev packages are mandatory (this list is far longer than the official requirements due to a bug in curl-config from the opencsw repository). These libraries can be installed with the command:
/opt/csw/bin/pkgutil -y -i libcurl4 libcurl_dev libssl1_0_0 libssl_dev libcares_dev librtmp_dev libssh2_dev libkrb5_dev libbrotli_dev openldap_dev
-
curl-config allows the ./configure script to locate libcurl dependencies and their location, so it is preferable to have the directory containing curl-config in the PATH (for example, /opt/csw/bin). Solaris 11 hosts usually do not require any additional changes in this regard.
-
If you use the opencsw repository, it is preferable to install and use a more modern compiler than the default GCC that comes with the operating system. One such compiler can be installed with the following command:
/opt/csw/bin/pkgutil -y -i gcc5core
The newer GCC takes preference over the original one when /opt/csw/bin is set ahead of /usr/sfw/bin in the PATH, as in the command below:
export PATH=/usr/sbin:/usr/bin:/opt/csw/bin:/usr/ccs/bin:/usr/sfw/bin
-
If the cURL and OpenSSL libraries are installed outside of the default library search path used during linking (usually /lib and /usr/lib), then it is preferable to add this path via the LDFLAGS variable when calling the ./configure script. For example, if these libraries are installed into /opt/csw/lib, the ./configure command becomes:
LDFLAGS="-L/opt/csw/lib" ./configure --with-pam --prefix=/usr
Troubleshooting integration with SSH on HP-UX
If you are having trouble with the PingID integration with SSH when using it with PAM, it may be due to the X/Open Networking Interfaces of the version of libcurl that is installed. The version of libcurl may have been built without the additional flag for X/Open Sockets functionality. (For more information, see the xopen_networking man page.)
To resolve this issue:
-
Remove the version of libcurl that was installed with depothelper.
-
Build libcurl from the source files:
-
Install the required libraries:
depothelper openldap-2.4.45
depothelper libssh2
-
Download https://curl.se/download/curl-7.54.1.tar.gz and copy it to the server.
-
Unzip the downloaded tarball:
/usr/contrib/bin/gunzip curl-7.54.1.tar.gz
tar xvf curl-7.54.1.tar
-
Build libcurl and install it to /usr/local/lib/hpux64:
cd curl-curl-7.54.1
./configure CC="cc" CFLAGS="-O -AC99 +DD64" \
  CPPFLAGS="-I/usr/local/include -D_XOPEN_SOURCE=600 -D_HPUX_ALT_XOPEN_SOCKET_API" \
  LDFLAGS="+DD64 -Wl,+b -Wl,/usr/local/lib/hpux64 -L/usr/local/lib/hpux64" \
  --libdir=/usr/local/lib/hpux64 \
  --disable-dict --disable-file --disable-ftp --disable-gopher --disable-imap \
  --disable-manual --disable-ntlm-wb --disable-pop3 --disable-rtsp --disable-smb \
  --disable-smtp --disable-sspi --disable-telnet --disable-tftp --disable-unix-sockets \
  --without-brotli --without-libidn2 --without-librtmp
make
make install
-
Build the PingID SSH agent, as described in Installation example for HP-UX.