Troubleshooting the PingID SSH installation - PingID

PingID Administration Guide


This section can help you diagnose and resolve issues with your PingID SSH installation.

Verifying your PingID installation

Before performing the post-installation steps, verify the successful installation of PingID.

  1. Run the binary:
    pingid_fc
  2. Confirm that you get the pairing instructions.
    If there are any problems with the installation, check the log files to identify the problem.
    Note: The location of the log file is defined in the configuration file. For more information, see PingID SSH configuration file parameters.

  3. Verify connectivity to the PingID server.
    • For US accounts:
      curl -I https://idpxnyl3m.pingidentity.com/pingid/heartbeat
    • For EU accounts:
      curl -I https://idpxnyl3m.pingidentity.eu/pingid/heartbeat
    • For Australian accounts:
      curl -I https://idpxnyl3m.pingidentity.com.au/pingid/heartbeat

    The actual host name can be found in the pingid.properties file.

  4. Confirm that you get a 200 response.
  5. If the connection fails, make sure that outbound connections to the host on port 443 are allowed by your system's firewall.
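
Steps 3 to 5 as a script that derives the heartbeat URL from pingid.properties instead of a hard-coded regional host. This is an added example, not part of the PingID documentation; it assumes the server base URL is stored in pingid.properties under a key named idp_url, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not PingID code.
# Assumption: pingid.properties has a line such as
#   idp_url=https://<host>/pingid

# Print the heartbeat URL derived from a pingid.properties file.
# Returns 1 if the key is missing, 2 if the URL is not HTTPS.
heartbeat_url() {
    props=$1
    # Take the first idp_url entry; drop CRs and Java-properties
    # backslash escapes (for example https\://).
    base=$(sed -n 's/^[[:space:]]*idp_url[[:space:]]*=[[:space:]]*//p' "$props" |
        head -n 1 | tr -d '\r\\')
    [ -n "$base" ] || return 1
    case $base in
        https://*) ;;
        *) return 2 ;;   # the check must exercise TLS on port 443
    esac
    printf '%s/heartbeat\n' "${base%/}"
}

# Extract the status code from the header text printed by `curl -I`.
# Behind an HTTP proxy the output can hold a "Connection established"
# status line first, so the last status line is the one that counts.
http_status() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^HTTP\/[0-9.]+ [0-9]+/ { code = $2 } END { print code }'
}

# Run the live check. Returns 0 only on a 200 response.
check_heartbeat() {
    url=$(heartbeat_url "$1") ||
        { echo "no usable idp_url in $1" >&2; return 1; }
    headers=$(curl -sS -I --max-time 10 "$url") ||
        { echo "cannot reach $url (check outbound port 443)" >&2; return 1; }
    status=$(http_status "$headers")
    [ "$status" = "200" ] ||
        { echo "unexpected status ${status:-none} from $url" >&2; return 1; }
    echo "heartbeat OK: $url"
}
```

Source the file and call check_heartbeat with the path to your pingid.properties file.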

Troubleshooting SSH issues

Most SSH issues can be resolved by rerunning the installation package or reverting to a previous system state.

  1. If you installed from the binary package and got the following error response:
    The method driver /usr/lib/apt/methods/https could not be found from apt-get - install apt-transport-https
    then rerun using the following command:
    sudo apt-get install apt-transport-https
  2. If you installed and integrated PingID with SSH, but users are unable to authenticate successfully, revert to the system state prior to the PingID SSH installation.
    • If your installation is on a physical machine:
      • If you have kept an open session with root permissions, use that session.
      • If you do not have an open session, you must access the machine to open a local root console session.
    • If your installation is a virtual machine (VM), you should open a root console session in the VM control console.
    1. Restore the changed sshd_config and authorized_keys files (for PAM, also the system-auth, common-auth, or pam.conf files) to their state before the PingID installation, or reverse the entries in the configuration files according to the changes that you applied, depending on your operating system and the PAM or ForceCommand options.
    2. Restart the sshd service:

      For all systems except Solaris: service sshd restart

      For Solaris systems: svcadm restart ssh
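
A guarded version of the sshd_config restore step, which syntax-checks the restored file before it replaces the live one, so that a bad backup cannot lock out new logins when sshd restarts. This is an added example, not part of the PingID documentation; it assumes OpenSSH's sshd (test mode -t with -f) and a backup copy of sshd_config taken before the PingID installation. The function name and the .pingid suffix are hypothetical.

```shell
#!/bin/sh
# Added example, not PingID code.
# Assumptions: OpenSSH sshd (supports -t test mode and -f <file>), and a
# pre-installation backup of sshd_config whose path the caller supplies.
SSHD=${SSHD:-/usr/sbin/sshd}

# restore_sshd_config <backup> <live-config>
# Returns 0 once the live file has been replaced; on any failure the
# live file is left untouched.
restore_sshd_config() {
    backup=$1
    live=$2
    [ -r "$backup" ] || { echo "backup $backup not readable" >&2; return 1; }
    # Stage beside the live file so the final mv is a same-filesystem rename.
    staged="$live.restore.$$"
    cp -p "$backup" "$staged" || return 1
    # Validate the staged file before it can affect new logins.
    if ! "$SSHD" -t -f "$staged"; then
        echo "staged config failed sshd -t; live file left unchanged" >&2
        rm -f "$staged"
        return 2
    fi
    # Keep the PingID-modified file for later comparison, then swap.
    cp -p "$live" "$live.pingid" || { rm -f "$staged"; return 1; }
    mv "$staged" "$live"
}
```

Run it from the root console session described above, for example restore_sshd_config with your backup path and /etc/ssh/sshd_config, and restart sshd only after it returns 0.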

Troubleshooting the PingID SSH installation on Solaris 10

Dealing with problems with Solaris 10.

If you are experiencing problems with Solaris 10, check the following items.

  • Run the pkginfo command. The output can help you find missing packages and is useful for general investigation of Solaris hosts.
  • Check the console output and the contents of the config.log file produced during execution of the ./configure script. It plays a vital role in the investigation of compilation and installation issues.
  • If you use the opencsw repository to satisfy the requirements of PingID SSH, then the libcurl4, libcurl_dev, libssl1_0_0, libssl_dev, libcares_dev, librtmp_dev, libssh2_dev, libkrb5_dev, libbrotli_dev and openldap_dev packages are mandatory (this list is far longer than the official requirements due to a bug in curl-config from the opencsw repository). These libraries can be installed with the command:

    /opt/csw/bin/pkgutil -y -i libcurl4 libcurl_dev libssl1_0_0 libssl_dev libcares_dev librtmp_dev libssh2_dev libkrb5_dev libbrotli_dev openldap_dev

  • curl-config allows the ./configure script to locate the libcurl dependencies, so it is preferable to have the directory that contains curl-config in the PATH (for example, /opt/csw/bin). Solaris 11 hosts usually do not require any additional changes in this regard.
  • If you use the opencsw repository, it is preferable to install and use a more modern compiler than the default GCC that comes with the operating system. One such compiler can be installed with the /opt/csw/bin/pkgutil -y -i gcc5core command. To prefer this newer GCC over the original one, set /opt/csw/bin ahead of /usr/sfw/bin in the PATH, as in the command below:

    export PATH=/usr/sbin:/usr/bin:/opt/csw/bin:/usr/ccs/bin:/usr/sfw/bin

  • If the cURL and OpenSSL libraries are installed outside of the default library search path used during linking (usually /lib and /usr/lib), then it is preferable to add this path via the LDFLAGS variable when calling the ./configure script. For example, if these libraries are installed into /opt/csw/lib, the ./configure command becomes:
    LDFLAGS="-L/opt/csw/lib" ./configure --with-pam --prefix=/usr

Troubleshooting integration with SSH on HP-UX

If you are having trouble with the PingID integration with SSH when using it with PAM, it may be due to the X/Open Networking Interfaces of the version of libcurl that is installed. The version of libcurl may have been built without the additional flag for X/Open Sockets functionality. (For more information, see the xopen_networking man page.)

To resolve this issue:

  1. Remove the version of libcurl that was installed with depothelper.
  2. Build libcurl from the source files:
    1. Install the required libraries:
      depothelper openldap-2.4.45
      depothelper libssh2
    2. Download https://curl.se/download/curl-7.54.1.tar.gz and copy it to the server.
    3. Unzip the downloaded tarball:
      /usr/contrib/bin/gunzip curl-7.54.1.tar.gz
      tar xvf curl-7.54.1.tar
    4. Build libcurl and install it to /usr/local/lib/hpux64:
      cd curl-7.54.1
      ./configure CC="cc" CFLAGS="-O -AC99 +DD64" CPPFLAGS="-I/usr/local/include -D_XOPEN_SOURCE=600 -D_HPUX_ALT_XOPEN_SOCKET_API" LDFLAGS="+DD64 -Wl,+b -Wl,/usr/local/lib/hpux64 -L/usr/local/lib/hpux64" --libdir=/usr/local/lib/hpux64 --disable-dict --disable-file --disable-ftp --disable-gopher --disable-imap --disable-manual --disable-ntlm-wb --disable-pop3 --disable-rtsp --disable-smb --disable-smtp --disable-sspi --disable-telnet --disable-tftp --disable-unix-sockets --without-brotli --without-libidn2 --without-librtmp
      make
      make install
  3. Build the PingID SSH agent, as described in Installation example for HP-UX.