[Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication

puck at i29.net puck at i29.net
Thu Oct 9 12:55:41 UTC 2008 

Thanks for the response, Simo. I left the systems alone overnight and 
mysteriously this morning both the password changing and the GSS logins 
work. That makes me a little nervous but I'm willing to assume the 
universe is throwing me a bone on this one ;) If the systems fall back 
to the old behavior, I'll be sure to send more info once I'm able to 
reproduce the problem.

Jem



Simo Sorce wrote:
> Can you use ssh -vv and paste what you get there when trying to login ?
> (feel free to sanitize output if there is data that you do not want to
> share broadly).
>
> Simo.
>
> On Wed, 2008-10-08 at 11:40 -0500, puck at i29.net wrote:
>   
>> Sorry. I meant GSSAPI login.
>>
>> Jem
>>
>>
>> Simo Sorce wrote: 
>>     
>>> On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote:
>>>   
>>>       
>>>> I've run into a problem when setting up IPA for ssh logins. I've found 
>>>> that I need to set ChallengeResponseAuthentication to "yes" in my 
>>>> sshd_config to allow users to change their expired passwords on login, 
>>>> otherwise the login process just hangs and eventually times out. 
>>>> However, when I set it to "yes" password-less logins between my servers 
>>>> no longer work. Once I'm logged in, if I run a "kinit (username)" then 
>>>> the password-less login works again so I assume that when 
>>>> ChallengeResponseAuthentication is on, sshd just doesn't set that 
>>>> correctly. Can anyone recommend an sshd configuration that would allow 
>>>> both the password-less logins and allow users to change their passwords 
>>>> at login when they are expired?
>>>>     
>>>>         
>>> By "password-less" login you mean a gssapi login or an ssh-key aided
>>> login ?
>>>
>>> Simo.
>>>
>>>
>>>
>>>   
>>>       
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>     
>
>
>
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20081009/17ccab0e/attachment.htm>

More information about the Freeipa-users mailing list