[Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication
puck at i29.net
puck at i29.net
Thu Oct 9 12:55:41 UTC 2008
Thanks for the response, Simo. I left the systems alone overnight and
mysteriously this morning both the password changing and the GSS logins
work. That makes me a little nervous but I'm willing to assume the
universe is throwing me a bone on this one ;) If the systems fall back
to the old behavior, I'll be sure to send more info once I'm able to
reproduce the problem.
Jem
Simo Sorce wrote:
> Can you use ssh -vv and paste what you get there when trying to login ?
> (feel free to sanitize output if there is data that you do not want to
> share broadly).
>
> Simo.
>
> On Wed, 2008-10-08 at 11:40 -0500, puck at i29.net wrote:
>
>> Sorry. I meant GSSAPI login.
>>
>> Jem
>>
>>
>> Simo Sorce wrote:
>>
>>> On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote:
>>>
>>>
>>>> I've run into a problem when setting up IPA for ssh logins. I've found
>>>> that I need to set ChallengeResponseAuthentication to "yes" in my
>>>> sshd_config to allow users to change their expired passwords on login,
>>>> otherwise the login process just hangs and eventually times out.
>>>> However, when I set it to "yes" password-less logins between my servers
>>>> no longer work. Once I'm logged in, if I run a "kinit (username)" then
>>>> the password-less login works again so I assume that when
>>>> ChallengeResponseAuthentication is on, sshd just doesn't set that
>>>> correctly. Can anyone recommend an sshd configuration that would allow
>>>> both the password-less logins and allow users to change their passwords
>>>> at login when they are expired?
>>>>
>>>>
>>> By "password-less" login you mean a gssapi login or an ssh-key aided
>>> login ?
>>>
>>> Simo.
>>>
>>>
>>>
>>>
>>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20081009/17ccab0e/attachment.htm>
More information about the Freeipa-users
mailing list