[Freeipa-users] AIX client headaches

KodaK sakodak at gmail.com
Fri Mar 30 23:35:32 UTC 2012


Hello,

I'm attempting to configure an AIX 5.3 client, I've followed the instructions
(and then some) that are found here:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_AIX.html

I keep overcoming hurdles (like the documentation asking you in step 3
to authenticate with a user you create in step 11) but now I'm really stuck.
I have a user, creatively named "testuser" and the password is of sufficient
complexity.  I can authenticate with this user to a Linux box that's been
configured with the ipa-client, so I'm pretty sure my server configuration is
OK.

When I connect to an AIX client, though, it tells me:

Received disconnect from 10.200.2.68: 2: Too many authentication
failures for testuser

Here's the output of ssh -v testuser at slnldca01.unix.magellanhealth.com:


[jebalicki at mo0031472 ~]$ kinit testuser
Password for testuser at UNIX.MAGELLANHEALTH.COM:
[jebalicki at mo0031472 ~]$ ssh -v testuser at slnldca01.unix.magellanhealth.com
OpenSSH_5.6p1, OpenSSL 1.0.0g-fips 18 Jan 2012
debug1: Reading configuration data /home/jebalicki/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to slnldca01.unix.magellanhealth.com [10.200.2.68] port 22.
debug1: Connection established.
debug1: identity file /home/jebalicki/.ssh/id_rsa type 1
debug1: identity file /home/jebalicki/.ssh/id_rsa-cert type -1
debug1: identity file /home/jebalicki/.ssh/id_dsa type -1
debug1: identity file /home/jebalicki/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'slnldca01.unix.magellanhealth.com' is known and matches
the RSA host key.
debug1: Found key in /home/jebalicki/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jebalicki/.ssh/id_rsa
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/jebalicki/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: password
testuser at slnldca01.unix.magellanhealth.com's password:
Received disconnect from 10.200.2.68: 2: Too many authentication
failures for testuser

Here's the output of sshd -ddd on the AIX client:


bash-3.00# /usr/sbin/sshd -dddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 248
debug2: parse_server_config: config /etc/ssh/sshd_config len 248
debug1: sshd version OpenSSH_4.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 248
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 10.200.10.117 port 49075
debug1: Client protocol version 2.0; client software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.1
debug1: init_func_ptrs passed
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 202:201
debug1: permanently_set_uid: 202/201
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug2: Network child is on pid 348394
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 481/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 505/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: monitor_read: checking request 4
debug3: mm_request_receive_expect entering: type 5
debug3: mm_answer_sign
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 20042f88(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug3: mm_request_receive entering
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: monitor_read: checking request 6
debug3: mm_request_receive_expect entering: type 7
debug3: mm_answer_pwnamallow
debug3: mm_request_receive entering
debug3: AIX/loginrestrictions returned 0 msg (none)
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: input_userauth_request: setting up authctxt for testuser
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 3
debug3: mm_auth_password entering
debug3: mm_answer_authserv: service=ssh-connection, style=
debug3: mm_request_send entering: type 10
debug2: monitor_read: 3 used once, disabling now
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 11
debug3: monitor_read: checking request 10
debug3: mm_request_receive entering
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for testuser from 10.200.10.117 port 49075 ssh2
Failed none for testuser from 10.200.10.117 port 49075 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: mm_request_receive_expect entering: type 38
debug3: monitor_read: checking request 37
debug3: mm_request_receive entering
debug1: Miscellaneous failure
No principal in keytab matches desired name

debug3: mm_request_send entering: type 38
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method publickey
debug1: attempt 5 failures 5
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 20042fd8
debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
debug1: trying public key file /home/testuser/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
debug1: trying public key file /home/testuser/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 20042fd8 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method keyboard-interactive
debug1: attempt 6 failures 6
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=testuser devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method password
debug1: attempt 7 failures 7
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: inside auth_password
debug3: AIX/authenticate result 1, msg
debug3: AIX SYSTEM attribute KRB5ALXAP or compat
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed password for testuser from 10.200.10.117 port 49075 ssh2
debug3: mm_auth_password: user not authenticated
Failed password for testuser from 10.200.10.117 port 49075 ssh2
Disconnecting: Too many authentication failures for testuser
debug1: do_cleanup
debug3: AIX/setauthdb set registry 'LDAP'
debug3: aix_restoreauthdb: restoring old registry ''
debug3: mm_request_receive entering
debug1: do_cleanup
bash-3.00#

Here's klist -k -e on the AIX box:

bash-3.00# /usr/krb5/bin/klist -k -e
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   1 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(DES cbc mode with CRC-32)
   3 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(Triple DES cbc mode with HMAC/sha1)
   3 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(ArcFour with HMAC/md5)
   4 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(Triple DES cbc mode with HMAC/sha1)
   4 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(ArcFour with HMAC/md5)
   5 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(Triple DES cbc mode with HMAC/sha1)
   5 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(ArcFour with HMAC/md5)
   6 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(DES cbc mode with CRC-32)
   6 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(Triple DES cbc mode with HMAC/sha1)
   6 host/slpidml01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(ArcFour with HMAC/md5)
   2 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(DES cbc mode with CRC-32)
   2 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(Triple DES cbc mode with HMAC/sha1)
   2 sshd/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(ArcFour with HMAC/md5)
   1 host/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(Triple DES cbc mode with HMAC/sha1)
   1 host/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
(ArcFour with HMAC/md5)

Here's the relevant portion of krb5kdc.log:


ar 30 18:13:10 slpidml01.unix.magellanhealth.com krb5kdc[13765](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.200.10.117: ISSUE: authtime
1333149153, etypes {rep=18 tkt=16 ses=16},
testuser at UNIX.MAGELLANHEALTH.COM for
host/slnldca01.unix.magellanhealth.com at UNIX.MAGELLANHEALTH.COM
Mar 30 18:13:15 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
NEEDED_PREAUTH: testuser at UNIX.MAGELLANHEALTH.COM for
krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM, Additional
pre-authentication required
Mar 30 18:13:16 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
ISSUE: authtime 1333149196, etypes {rep=16 tkt=18 ses=16},
testuser at UNIX.MAGELLANHEALTH.COM for
krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM

Any help?  If it's not obvious, I have no clue what I'm doing -- but
I've been banging my head on this for three days straight, I have a
ticket open with Red Hat and I've been reading everything I can find.

Oh, I get similar entries in the kdc log if I telnet instead of ssh:

Mar 30 18:33:42 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
NEEDED_PREAUTH: testuser at UNIX.MAGELLANHEALTH.COM for
krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM, Additional
pre-authentication required
Mar 30 18:33:43 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
ISSUE: authtime 1333150423, etypes {rep=16 tkt=18 ses=16},
testuser at UNIX.MAGELLANHEALTH.COM for
krbtgt/UNIX.MAGELLANHEALTH.COM at UNIX.MAGELLANHEALTH.COM


Thanks,

--Jason
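As an added triage example (not from the poster or the FreeIPA project), this script parses sshd debug output and klist -k -e output in the formats shown above: it tallies which authentication method consumed the attempts before "Too many authentication failures", and checks whether the host/<fqdn>@REALM principal the GSSAPI acceptor looks for is in the listed keytab. The sample log and keytab lines are constructed; hostnames, realm and address are placeholders.

```python
import re
from collections import Counter

# Constructed samples modelled on the sshd -dddd and klist -k -e output quoted in
# the post; hostnames, realm and address are placeholders, not the poster's.
SSHD_LOG = """\
Failed none for testuser from 192.0.2.10 port 49075 ssh2
No principal in keytab matches desired name
Failed gssapi-with-mic for testuser from 192.0.2.10 port 49075 ssh2
Failed gssapi-with-mic for testuser from 192.0.2.10 port 49075 ssh2
Failed gssapi-with-mic for testuser from 192.0.2.10 port 49075 ssh2
Failed gssapi-with-mic for testuser from 192.0.2.10 port 49075 ssh2
Failed publickey for testuser from 192.0.2.10 port 49075 ssh2
Failed keyboard-interactive for testuser from 192.0.2.10 port 49075 ssh2
Failed password for testuser from 192.0.2.10 port 49075 ssh2
Disconnecting: Too many authentication failures for testuser
"""
KLIST_OUT = """\
Keytab name:  FILE:/etc/krb5/krb5.keytab
   1 sshd/aixclient.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/ipaserver.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   1 host/aixclient.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

FAIL_RE = re.compile(r"^Failed (\S+) for (\S+) from (\S+) port \d+ ssh2$")
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+([^@\s]+)@(\S+)")

def failures_by_method(log):
    """Count sshd 'Failed <method>' lines; each counts toward the attempt limit."""
    counts = Counter()
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def keytab_principals(klist):
    """Parse klist -k -e output into a set of (kvno, principal, realm)."""
    return {(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KEYTAB_RE.match, klist.splitlines()) if m}

def diagnose(log, klist, fqdn, realm):
    """Return the findings a first-line triage would report for one session."""
    findings = []
    counts = failures_by_method(log)
    if "Too many authentication failures" in log:
        top, n = counts.most_common(1)[0]
        findings.append(f"disconnected after {sum(counts.values())} failures; "
                        f"'{top}' consumed {n} of them")
    if "No principal in keytab matches desired name" in log:
        wanted = f"host/{fqdn}"
        present = any(p == wanted and r == realm for _, p, r in keytab_principals(klist))
        findings.append(f"GSSAPI acceptor found no usable {wanted}@{realm}; "
                        f"klist shows it: {present}")
    return findings
```

When klist shows the principal but sshd still reports no match, the next things to compare are the keytab file sshd actually opens (it need not be the one klist read) and the hostname sshd resolves for itself.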
