[Freeipa-users] User can't login via ssh from external source

Stephen Gallagher sgallagh at redhat.com
Fri Jul 20 20:23:40 UTC 2012


On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote:
> On 07/20/2012 03:03 PM, Joe Linoff wrote: 
> When you set the password on the server using the ipa passwd command
> you make it known to the admin. This is why it is right away expired
> and requires a change.
> A user needs to log in through the client that allows changing the
> password as a part of the authentication.
> It looks like your ssh is not configured to do password change (I
> suspect it uses GSSAPI but I might be wrong).
> So either the ssh needs to be configured to do the password change
> over the pam stack or you need to login as this user and change his
> password and then you will be able to ssh.

To clarify, what you need to do is make sure that the following options
are set in /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes


This should hopefully resolve the issue for you.

Note: KerberosAuthentication is NOT the same as disabling the
single-sign-on. That's done by GSSAPIAuthentication.
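
Added example, not part of the original message and not FreeIPA or OpenSSH code: a shell function that reports whether the global section of an sshd_config carries the five settings listed above. The names `check_sshd_config` and `sample_config` are hypothetical; it assumes sshd keeps the first value it reads for a keyword, treats keywords case-insensitively, and applies lines after `Match` only conditionally.

```shell
# Added example: check the global section of an sshd_config against the five
# settings from the message. Assumes first value wins, keywords are
# case-insensitive, Match blocks are conditional; Include is not followed.
check_sshd_config() {   # usage: check_sshd_config [FILE]; returns 0 if all match
    awk '
    BEGIN {
        ks = "usepam passwordauthentication kerberosauthentication"
        ks = ks " gssapiauthentication challengeresponseauthentication"
        n = split(ks, keys, " "); split("yes no no yes yes", vals, " ")
        for (i = 1; i <= n; i++) want[keys[i]] = vals[i]
    }
    in_match { next }                      # everything after Match is conditional
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        sub(/[ \t]*=[ \t]*/, " ", line)    # accept the keyword=value form
        split(line, f, /[ \t]+/)
        key = tolower(f[1]); val = tolower(f[2]); gsub(/"/, "", val)
        if (key == "match") { in_match = 1; next }
        if ((key in want) && !(key in seen)) seen[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in seen)) { printf "MISSING  %s (want %s)\n", k, want[k]; bad++ }
            else if (seen[k] != want[k]) { printf "MISMATCH %s is %s (want %s)\n", k, seen[k], want[k]; bad++ }
            else printf "OK       %s %s\n", k, seen[k]
        }
        exit (bad > 0)
    }' "${1:--}"
}
# Constructed sample: the second PasswordAuthentication line loses to the
# first, and GSSAPIAuthentication is only set inside a Match block.
sample_config() {
    cat <<'EOF'
UsePAM yes
passwordauthentication no
PasswordAuthentication yes
KerberosAuthentication=no
ChallengeResponseAuthentication yes
Match Address 192.0.2.0/24
    GSSAPIAuthentication yes
EOF
}
sample_config | check_sshd_config || echo "sample config needs changes"
```

On the server itself, `sshd -T` prints the effective configuration as sshd resolves it, which is the authoritative cross-check for the file-level result.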