[Freeipa-users] User can't login via ssh from external source

Joe Linoff jlinoff at tabula.com
Fri Jul 20 19:03:39 UTC 2012


Hi Everybody:

I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging
problem with a new user that I just set up.

That user cannot ssh into any host on the realm from an external source.
They get a permission denied problem but "old-user" with the same HBAC
configuration works.

% ssh -A -t -o Port=9346 new-user at somehost.example.com
new-user at somehost.example.com's password:
Permission denied, please try again.
% ssh -A -t -o Port=9346 old-user at somehost.example.com
old-user at somehost.example.com's password:
Last login: ...
[old-user at somehost ~]$

I checked their password by setting up a TGT using kinit. It worked. I
was also able to ssh into another host on the network.

% kinit new-user
Password for new-user at EXAMPLE.COM
% ssh new-user at somehost
Last login: ...
Could not chdir to home directory ...
-bash-4.1$ exit

That seems to indicate that the password is correct and that the
permissions are correct but to be sure I ran an hbactest on the server:

% ipa hbactest --user=new-user --service=ssh --host=somehost
--------------------
Access granted: True
--------------------
...

I did see something strange in /var/log/messages:

Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed

So I reset the password using the ipa passwd command:

% ipa passwd new-user
New Password:
Enter New Password again to verify:
-------------------------------------------
Changed password for new-user at EXAMPLE.COM
------------------------------------------

But I am still getting the Permission denied error.

What am I doing wrong? How can I debug this? Any help would be greatly
appreciated.

Thanks,

Joe
