[Freeipa-users] User can't login via ssh from external source

Dmitri Pal dpal at redhat.com
Fri Jul 20 19:21:23 UTC 2012


On 07/20/2012 03:03 PM, Joe Linoff wrote:
>
> Hi Everybody:
>
> I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging
> problem with a new user that I just set up.
>
> That user cannot ssh into any host on the realm from an external
> source. They get a permission denied problem but "old-user" with the
> same HBAC configuration works.
>
> % ssh -A -t -o Port=9346 new-user@somehost.example.com
> new-user@somehost.example.com's password:
> Permission denied, please try again.
>
> % ssh -A -t -o Port=9346 old-user@somehost.example.com
> old-user@somehost.example.com's password:
> Last login: ...
> [old-user@somehost ~]$
>
> I checked their password by setting up a TGT using kinit. It worked. I
> was also able to ssh into another host on the network.
>
> % kinit new-user
> Password for new-user@EXAMPLE.COM
> % ssh new-user@somehost
> Last login: ...
> Could not chdir to home directory ...
> -bash-4.1$ exit
>
> That seems to indicate that the password is correct and that the
> permissions are correct but to be sure I ran an hbactest on the server:
>
> % ipa hbactest --user=new-user --service=ssh --host=somehost
> --------------------
> Access granted: True
> --------------------
> ...
>
> I did see something strange in /var/log/messages:
>
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
> Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed
>
> So I reset the password using the ipa passwd command:
>
> % ipa passwd new-user
> New Password:
> Etner New Password again to verify:
> -------------------------------------------
> Changed password for new-user@EXAMPLE.COM
> ------------------------------------------
>
> But I am still getting the Permission denied error.
>
> What am I doing wrong? How can I debug this? Any help would be greatly
> appreciated.

When you set the password on the server using the ipa passwd command you
make it known to the admin. This is why it is expired right away and
requires a change.
A user needs to log in through the client that allows changing the
password as a part of the authentication.
It looks like your ssh is not configured to do a password change (I
suspect it uses GSSAPI but I might be wrong).
So either ssh needs to be configured to do the password change over
the PAM stack or you need to log in as this user and change his password,
and then you will be able to ssh.

> Thanks,
>
> Joe


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
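
A triage sketch for the log excerpt quoted in the question, added here as an example and not part of the original thread or of FreeIPA/SSSD code: it groups the sssd krb5_child messages by PID and flags the attempts where the KDC reported an expired password, the condition the reply describes. The function name, the verdict labels, and the assumption that one krb5_child PID corresponds to one authentication attempt are illustrative.

```python
import re
from collections import OrderedDict

# Log lines from the post's /var/log/messages excerpt, unwrapped to one line each.
SAMPLE_LOG = """\
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]:\s(?P<msg>.*)$"
)

def classify_attempts(log_text):
    """Group krb5_child messages by PID and label each attempt.

    Assumption: each krb5_child PID handles a single authentication attempt.
    """
    attempts = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an sssd krb5_child line
        a = attempts.setdefault(m["pid"], {"first_seen": m["ts"], "msgs": set()})
        a["msgs"].add(m["msg"])
    result = OrderedDict()
    for pid, a in attempts.items():
        if "Password has expired" in a["msgs"]:
            verdict = "expired-password"       # a password change is required first
        elif "Decrypt integrity check failed" in a["msgs"]:
            verdict = "wrong-password-or-key"  # usual meaning of this Kerberos error
        else:
            verdict = "other"
        result[pid] = (a["first_seen"], verdict)
    return result

if __name__ == "__main__":
    for pid, (ts, verdict) in classify_attempts(SAMPLE_LOG).items():
        print(f"{ts} krb5_child[{pid}]: {verdict}")
```
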

