[Freeipa-users] New users can't log into Centos client

Thomas,Dave d.Thomas at colostate.edu
Tue Feb 10 21:37:38 UTC 2009


From: Rob Crittenden [rcritten at redhat.com]

>Thomas,Dave wrote:
>> Thanks, Rob. It's strange, then, that it works on the Fedora 10 clients, because Challenge-Response is disabled in sshd_config on those machines as well...
>> -Dave

>Does it fix it though?

>I wonder if EL5 and Fedora 10 have different defaults.

>rob

Yes, it fixes it. Now it works as expected in both Fedora 10 and EL5.

Challenge-response is explicitly disabled by default in sshd_config for EL5 and Fedora 10. When it is disabled, EL5 does not allow the initial password change, but Fedora 10 does, although its behavior is a bit strange:

$ ssh USERNAME at ipaserver@example.com
USERNAME at ipaserver@example.com's password:
Warning: Your password will expire in less than one hour.
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user USERNAME.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Connection to ipaserver at example.com closed.

When challenge-response is enabled, both EL5 and Fedora 10 behave as expected (enter old password, then enter new password twice). So I've got it working now (thanks!) but I'm curious about why EL5 and Fedora 10 behave differently when the sshd configuration is the same.

-Dave
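
To compare clients like the two in this thread, the following added example (not part of the original message or of FreeIPA) reports the effective global value of an sshd_config keyword, using sshd's rule that the first value obtained for a keyword wins. The function names, the sample file and the defaults passed as the third argument are assumptions for illustration; quoted values are not handled.

```shell
#!/bin/sh
# Added example: effective global value of an sshd_config keyword.
# sshd keeps the first value it obtains for a keyword, keyword names are
# case-insensitive, and lines after a "Match" line apply only conditionally.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective value, lowercased.
# DEFAULT is what the caller assumes sshd uses when the keyword is absent.
sshd_effective() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want); val = tolower(def) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { sub(/=/, " ") }                     # accept the "Keyword=value" form
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == want { val = tolower($2); exit }   # first value wins
        END { print val }
    ' "$1"
}

# cr_enabled FILE -> exit status 0 when challenge-response is in effect, the
# setting reported above as giving the expected password-change prompts.
# The fallback "yes" is an assumed built-in default; check sshd_config(5).
cr_enabled() {
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = "yes" ]
}

# make_sample FILE -> writes a constructed config (not taken from the thread)
# with a duplicate keyword, an "=" form and a Match block.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
Port 22
  challengeresponseauthentication no
ChallengeResponseAuthentication yes
UsePAM=yes
Match User demo
    PasswordAuthentication no
EOF
}

# Stand-alone use: sh check.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    echo "ChallengeResponseAuthentication: $(sshd_effective "$1" ChallengeResponseAuthentication yes)"
    echo "UsePAM: $(sshd_effective "$1" UsePAM no)"
fi
```

Running it against the sshd_config of each client shows whether the files really resolve to the same effective values, including when a keyword appears more than once.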



