[Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication
Simo Sorce
ssorce at redhat.com
Wed Oct 8 16:30:14 UTC 2008
On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote:
> I've run into a problem when setting up IPA for ssh logins. I've found
> that I need to set ChallengeResponseAuthentication to "yes" in my
> sshd_config to allow users to change their expired passwords on login,
> otherwise the login process just hangs and eventually times out.
> However, when I set it to "yes" password-less logins between my servers
> no longer work. Once I'm logged in, if I run a "kinit (username)" then
> the password-less login works again so I assume that when
> ChallengeResponseAuthentication is on, sshd just doesn't set that
> correctly. Can anyone recommend an sshd configuration that would allow
> both the password-less logins and allow users to change their passwords
> at login when they are expired?
By "password-less" login you mean a gssapi login or an ssh-key aided
login ?
Simo.
More information about the Freeipa-users
mailing list