[Freeipa-users] AIX client headaches

Rob Crittenden rcritten at redhat.com
Mon Apr 2 12:50:33 UTC 2012


KodaK wrote:
> Hello,
>
> I'm attempting to configure an AIX 5.3 client, I've followed the instructions
> (and then some) that are found here:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_AIX.html
>
> I keep overcoming hurdles (like the documentation asking you in step 3
> to authenticate with a user you create in step 11) but now I'm really stuck.
> I have a user, creatively named "testuser" and the password is of sufficient
> complexity.  I can authenticate with this user to a Linux box that's been
> configured with the ipa-client, so I'm pretty sure my server configuration is
> OK.
>
> When I connect to an AIX client, though, it tells me:
>
> Received disconnect from 10.200.2.68: 2: Too many authentication
> failures for testuser
>
> Here's the output of ssh -v testuser at slnldca01.unix.magellanhealth.com:
>
>
> [jebalicki at mo0031472 ~]$ kinit testuser
> Password for testuser at UNIX.MAGELLANHEALTH.COM:
> [jebalicki at mo0031472 ~]$ ssh -v testuser at slnldca01.unix.magellanhealth.com
> OpenSSH_5.6p1, OpenSSL 1.0.0g-fips 18 Jan 2012
> debug1: Reading configuration data /home/jebalicki/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to slnldca01.unix.magellanhealth.com [10.200.2.68] port 22.
> debug1: Connection established.
> debug1: identity file /home/jebalicki/.ssh/id_rsa type 1
> debug1: identity file /home/jebalicki/.ssh/id_rsa-cert type -1
> debug1: identity file /home/jebalicki/.ssh/id_dsa type -1
> debug1: identity file /home/jebalicki/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
> debug1: match: OpenSSH_4.1 pat OpenSSH_4*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'slnldca01.unix.magellanhealth.com' is known and matches
> the RSA host key.
> debug1: Found key in /home/jebalicki/.ssh/known_hosts:10
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/jebalicki/.ssh/id_rsa
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Trying private key: /home/jebalicki/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: password
> testuser at slnldca01.unix.magellanhealth.com's password:
> Received disconnect from 10.200.2.68: 2: Too many authentication
> failures for testuser
>
> Here's the output of sshd -ddd on the AIX client:
>
>
> bash-3.00# /usr/sbin/sshd -dddd
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 248
> debug2: parse_server_config: config /etc/ssh/sshd_config len 248
> debug1: sshd version OpenSSH_4.1p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-dddd'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 22 on ::.
> Bind to port 22 on :: failed: Address already in use.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: fd 4 clearing O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 7 config len 248
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.200.10.117 port 49075
> debug1: Client protocol version 2.0; client software version OpenSSH_5.6
> debug1: match: OpenSSH_5.6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_4.1
> debug1: init_func_ptrs passed
> debug2: fd 3 setting O_NONBLOCK
> debug3: privsep user:group 202:201
> debug1: permanently_set_uid: 202/201
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug2: Network child is on pid 348394
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit:
> ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug2: dh_gen_key: priv key bits set: 130/256
> debug2: bits set: 481/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 505/1024
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: monitor_read: checking request 4
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_answer_sign
> debug3: mm_request_receive entering
> debug3: mm_answer_sign: signature 20042f88(143)
> debug3: mm_request_send entering: type 5
> debug2: monitor_read: 4 used once, disabling now
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug3: mm_request_receive entering
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user testuser service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: monitor_read: checking request 6
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_answer_pwnamallow
> debug3: mm_request_receive entering
> debug3: AIX/loginrestrictions returned 0 msg (none)
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug2: input_userauth_request: setting up authctxt for testuser
> debug3: mm_request_receive entering
> debug3: mm_inform_authserv entering
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: monitor_read: checking request 3
> debug3: mm_auth_password entering
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug3: mm_request_send entering: type 10
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive entering
> debug3: mm_request_receive_expect entering: type 11
> debug3: monitor_read: checking request 10
> debug3: mm_request_receive entering
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: user not authenticated
> Failed none for testuser from 10.200.10.117 port 49075 ssh2
> Failed none for testuser from 10.200.10.117 port 49075 ssh2
> debug3: mm_request_receive entering
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: mm_request_send entering: type 37
> debug3: mm_request_receive_expect entering: type 38
> debug3: monitor_read: checking request 37
> debug3: mm_request_receive entering
> debug1: Miscellaneous failure
> No principal in keytab matches desired name
>
> debug3: mm_request_send entering: type 38
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug3: mm_request_receive entering
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 2 failures 2
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 3 failures 3
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 4 failures 4
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method publickey
> debug1: attempt 5 failures 5
> debug2: input_userauth_request: try method publickey
> debug1: test whether pkalg/pkblob are acceptable
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> debug3: mm_request_receive_expect entering: type 21
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 20
> debug3: mm_answer_keyallowed entering
> debug3: mm_answer_keyallowed: key_from_blob: 20042fd8
> debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
> debug1: trying public key file /home/testuser/.ssh/authorized_keys
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
> debug1: trying public key file /home/testuser/.ssh/authorized_keys2
> debug1: restore_uid: 0/0
> debug3: mm_answer_keyallowed: key 20042fd8 is disallowed
> debug3: mm_request_send entering: type 21
> debug3: mm_request_receive entering
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
> Failed publickey for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method keyboard-interactive
> debug1: attempt 6 failures 6
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug1: auth2_challenge: user=testuser devs=
> debug1: kbdint_alloc: devices ''
> debug2: auth2_challenge_start: devices
> Failed keyboard-interactive for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method password
> debug1: attempt 7 failures 7
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: inside auth_password
> debug3: AIX/authenticate result 1, msg
> debug3: AIX SYSTEM attribute KRB5ALXAP or compat
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed password for testuser from 10.200.10.117 port 49075 ssh2
> debug3: mm_auth_password: user not authenticated
> Failed password for testuser from 10.200.10.117 port 49075 ssh2
> Disconnecting: Too many authentication failures for testuser
> debug1: do_cleanup
> debug3: AIX/setauthdb set registry 'LDAP'
> debug3: aix_restoreauthdb: restoring old registry ''
> debug3: mm_request_receive entering
> debug1: do_cleanup
> bash-3.00#
>
> Here's klist -k -e on the AIX box:
>
> bash-3.00# /usr/krb5/bin/klist -k -e
> Keytab name:  FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- ---------
>     1 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (DES cbc mode with CRC-32)
>     3 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
>     3 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
>     4 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
>     4 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
>     5 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
>     5 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
>     6 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (DES cbc mode with CRC-32)
>     6 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
>     6 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
>     2 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (DES cbc mode with CRC-32)
>     2 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
>     2 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
>     1 host/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
>     1 host/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
>
> Here's the relevant portion of krb5kdc.log:
>
>
> ar 30 18:13:10 slpidml01.unix.magellanhealth.com krb5kdc[13765](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.200.10.117: ISSUE: authtime
> 1333149153, etypes {rep=18 tkt=16 ses=16},
> testuser at UNIX.MAGELLANHEALTH.COM for
> host/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
> Mar 30 18:13:15 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> NEEDED_PREAUTH: testuser at UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM, Additional
> pre-authentication required
> Mar 30 18:13:16 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> ISSUE: authtime 1333149196, etypes {rep=16 tkt=18 ses=16},
> testuser at UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM
>
> Any help?  If it's not obvious, I have no clue what I'm doing -- but
> I've been banging my head on this for three days straight, I have a
> ticket open with Red Hat and I've been reading everything I can find.
>
> Oh, I get similar entries in the kdc log if I telnet instead of ssh:
>
> Mar 30 18:33:42 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> NEEDED_PREAUTH: testuser at UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM, Additional
> pre-authentication required
> Mar 30 18:33:43 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> ISSUE: authtime 1333150423, etypes {rep=16 tkt=18 ses=16},
> testuser at UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM

The sshd output suggests that it can't find its own service principal:

No principal in keytab matches desired name

The keytab looks ok, you might check permissions to make sure it can be 
read by sshd. You shouldn't need sshd services, it uses the host service 
principal.

rob
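The two checks Rob suggests (can sshd read the keytab, and does it hold the host/ principal for this machine) as a small POSIX sh helper. This is an added example, not code from the thread or from FreeIPA; the hostnames, realm, keytab path and the embedded `klist -k -e` listings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: checks the two usual causes of sshd's
# "No principal in keytab matches desired name": the keytab is not readable by
# the uid sshd runs as, or it lacks host/<fqdn>@<REALM> for the name sshd is
# actually running under. Hostnames, realm, path and listings are constructed.

# keytab_readable PATH: the keytab must exist and be readable by the uid
# running sshd (root), so run this as that user when checking a real file.
keytab_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# keytab_has_host_principal FQDN REALM: read a `klist -k -e` listing on stdin
# and succeed if host/FQDN@REALM appears at least once. Only lines that start
# with a numeric KVNO are entries; the header, separator and any wrapped
# "(enctype)" continuation lines are skipped. Each KVNO found is printed so it
# can be compared with what the KDC reports via `kvno host/FQDN`.
keytab_has_host_principal() {
    want="host/$1@$2"
    found=0
    while read -r kvno princ _rest; do
        case "$kvno" in ''|*[!0-9]*) continue ;; esac
        if [ "$princ" = "$want" ]; then
            echo "found $want kvno $kvno"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# check_listing LISTING FQDN REALM: wrapper for a listing held in a string
# (or captured from `klist -k -e KEYTAB`).
check_listing() {
    printf '%s\n' "$1" | keytab_has_host_principal "$2" "$3"
}

# Constructed listing modelled on the one in the thread: sshd/ entries for this
# host plus host/ entries for it and for another machine.
SAMPLE_OK='Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 sshd/aixclient.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/kdc01.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   1 host/aixclient.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   1 host/aixclient.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)'

# Same listing with the host/ entry for this machine missing.
SAMPLE_MISSING='KVNO Principal
---- ---------
   1 sshd/aixclient.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/kdc01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)'

# Stand-alone use against a real keytab (run as root; use the canonical FQDN
# sshd resolves for itself, which may differ from `hostname` on AIX).
if [ "${RUN_KEYTAB_CHECK:-0}" = 1 ]; then
    KEYTAB=/etc/krb5/krb5.keytab
    keytab_readable "$KEYTAB" || echo "cannot read $KEYTAB"
    /usr/krb5/bin/klist -k -e "$KEYTAB" | keytab_has_host_principal "$(hostname)" EXAMPLE.COM
fi
```

Set `RUN_KEYTAB_CHECK=1` to run it against the real keytab; without it the script only defines the functions and the sample listings.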