[Freeipa-users] Freeipa -ssh keys

Dmitri Pal dpal at redhat.com
Thu Apr 25 20:40:14 UTC 2013


On 04/25/2013 03:10 PM, naresh reddy wrote:
> Hi Rob
>
> Sorry for the trouble.
> I am still struggling.
> My OpenSSH version is 6.1.
> sssd version is 1.8.
>
> Can you please advise?
>
>

Naresh, some of our SSH specialists are in Europe, so they will take a
look at your setup in the morning.
Thank you for your patience.


> [domain/eng.switchlab.net]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = eng.switchlab.net
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ldap1.eng.switchlab.net
> chpass_provider = ipa
> ipa_server = _srv_, ldap0.eng.switchlab.net
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
>
> domains = eng.switchlab.net
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> My sshd config at the remote end:
>
> #       $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options override the
> # default value.
>
> # If you want to change the port on a SELinux system, you have to tell
> # SELinux about this change.
> # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
> #
> Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # The default requires explicit activation of protocol 1
> #Protocol 2
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 1024
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
>
> # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> # but this is overridden so installations will only check .ssh/authorized_keys
> #AuthorizedKeysFile     .ssh/authorized_keys
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> #AuthorizedPrincipalsFile none
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> #PasswordAuthentication no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> #ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes
>
> # GSSAPI options
> #GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> # WARNING: 'UsePAM no' is not supported in Fedora and may cause several
> # problems.
> #UsePAM no
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation sandbox          # Default for new installations.
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
> #ChrootDirectory none
> #VersionAddendum none
>
> # no default banner path
> #Banner none
>
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
> AcceptEnv XMODIFIERS
>
> # override default of no subsystems
> Subsystem       sftp    /usr/libexec/openssh/sftp-server
>
> # Uncomment this if you want to use .local domain
> #Host *.local
> #       CheckHostIP no
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> #       X11Forwarding no
> #       AllowTcpForwarding no
> #       ForceCommand cvs server
>
>         KerberosAuthentication no
>         PubkeyAuthentication yes
>         UsePAM yes
> #       GSSAPIAuthentication yes
>         AuthorizedKeysCommand '/usr/bin/sss_ssh_authorizedkeys %u'
>         RSAAuthentication yes
>         AuthorizedKeysCommandUser nobody
> #       PasswordAuthentication yes
>
> Debug of the ssh session:
>
> OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 55: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22.
> debug1: Connection established.
> debug3: Incorrect RSA1 identifier
> debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key
> debug1: identity file /home/np/.ssh/id_rsa type 1
> debug1: identity file /home/np/.ssh/id_rsa-cert type -1
> debug1: identity file /home/np/.ssh/id_dsa type -1
> debug1: identity file /home/np/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
> debug1: match: OpenSSH_6.1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.1
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
> debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
> debug3: load_hostkeys: loaded 2 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss,
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 126/256
> debug2: bits set: 492/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
> debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
> debug3: load_hostkeys: loaded 2 keys
> debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/home/np/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/var/lib/sss/pubconf/known_hosts"
> debug3: load_hostkeys: loaded 0 keys
> debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
> debug1: Found key in /home/np/.ssh/known_hosts:1
> debug2: bits set: 518/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/np/.ssh/id_rsa (0x7f310a31cd60)
> debug2: key: /home/np/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/np/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Trying private key: /home/np/.ssh/id_dsa
> debug3: no such identity: /home/np/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
>
>
>
> ^X^C
> [np at ldap0 ~]$ ssh  -vvv np at eng.switchlab.net@ldap1.eng.switchlab.net
> OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 55: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22.
> debug1: Connection established.
> debug3: Incorrect RSA1 identifier
> debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key
> debug1: identity file /home/np/.ssh/id_rsa type 1
> debug1: identity file /home/np/.ssh/id_rsa-cert type -1
> debug1: identity file /home/np/.ssh/id_dsa type -1
> debug1: identity file /home/np/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
> debug1: match: OpenSSH_6.1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.1
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
> debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
> debug3: load_hostkeys: loaded 2 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss,
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 128/256
> debug2: bits set: 503/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
> debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
> debug3: load_hostkeys: loaded 2 keys
> debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/home/np/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/var/lib/sss/pubconf/known_hosts"
> debug3: load_hostkeys: loaded 0 keys
> debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
> debug1: Found key in /home/np/.ssh/known_hosts:1
> debug2: bits set: 500/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/np/.ssh/id_rsa (0x7fdfaf20fd60)
> debug2: key: /home/np/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/np/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Trying private key: /home/np/.ssh/id_dsa
> debug3: no such identity: /home/np/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 23 padlen 9 extra_pad 64)
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
>
>  
> Nareshchandra Paturi
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* naresh reddy <nareshbtech at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Sent:* Tuesday, April 23, 2013 4:14 PM
> *Subject:* Re: [Freeipa-users] Freeipa -ssh keys
>
> naresh reddy wrote:
> > Hi Rob
> >
> > Thank you very much,
> > but I tried the same with two Fedora systems
> > and got a similar issue.
> >
> > I think the error is due to Kerberos not being installed, but I can see it is
> > installed on the client and server.
> > Please suggest.
>
> sssd needs to look up the keys in IPA so the client needs to be enrolled
> for this to work.
>
> rob
>
> >
> > [np at ldap ~]$ ssh -vvv np at eng.switchlab.net@ldap1.eng.switchlab.net
> > OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug2: ssh_connect: needpriv 0
> > debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ldap1.eng.switchlab.net
> > debug1: identity file /home/np/.ssh/identity type -1
> > debug3: Not a RSA1 key file /home/np/.ssh/id_rsa.
> > debug2: key_type_from_name: unknown key type '-----BEGIN'
> > debug3: key_read: missing keytype
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug3: key_read: missing whitespace
> > debug2: key_type_from_name: unknown key type '-----END'
> > debug3: key_read: missing keytype
> > debug1: identity file /home/np/.ssh/id_rsa type 1
> > debug1: identity file /home/np/.ssh/id_dsa type -1
> > debug1: permanently_drop_suid: 501
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
> > debug1: match: OpenSSH_6.1 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_5.3
> > debug2: fd 5 setting O_NONBLOCK
> > debug2: fd 4 setting O_NONBLOCK
> > debug1: SSH2_MSG_KEXINIT sent
> > debug3: Wrote 792 bytes for a total of 813
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib at openssh.com
> > debug2: kex_parse_kexinit: none,zlib at openssh.com
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: server->client aes128-ctr hmac-md5 none
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: client->server aes128-ctr hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug3: Wrote 24 bytes for a total of 837
> > debug2: dh_gen_key: priv key bits set: 144/256
> > debug2: bits set: 516/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: Wrote 144 bytes for a total of 981
> > debug3: check_host_in_hostfile: filename /home/np/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 2
> > debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
> > debug1: Found key in /home/np/.ssh/known_hosts:2
> > debug2: bits set: 499/1024
> > debug1: ssh_rsa_verify: signature correct
> > debug2: kex_derive_keys
> > debug2: set_newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug3: Wrote 16 bytes for a total of 997
> > debug2: set_newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug3: Wrote 48 bytes for a total of 1045
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/np/.ssh/identity ((nil))
> > debug2: key: /home/np/.ssh/id_rsa (0x7f9ee71687b0)
> > debug2: key: /home/np/.ssh/id_dsa ((nil))
> > debug3: Wrote 80 bytes for a total of 1125
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug3: start over, passed a different list
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup gssapi-keyex
> > debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled gssapi-keyex
> > debug1: Next authentication method: gssapi-keyex
> > debug1: No valid Key exchange context
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup gssapi-with-mic
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled gssapi-with-mic
> > debug1: Next authentication method: gssapi-with-mic
> > debug1: Unspecified GSS failure.  Minor code may provide more information
> > Credentials cache file '/tmp/krb5cc_501' not found
> >
> > debug1: Unspecified GSS failure.  Minor code may provide more information
> > Credentials cache file '/tmp/krb5cc_501' not found
> >
> > debug1: Unspecified GSS failure.  Minor code may provide more information
> >
> >
> > debug1: Unspecified GSS failure.  Minor code may provide more information
> > Credentials cache file '/tmp/krb5cc_501' not found
> >
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/np/.ssh/identity
> > debug3: no such identity: /home/np/.ssh/identity
> > debug1: Offering public key: /home/np/.ssh/id_rsa
> > debug3: send_pubkey_test
> > debug2: we sent a publickey packet, wait for reply
> > debug3: Wrote 384 bytes for a total of 1509
> > debug1: Authentications that can continue:
> > publickey,gssapi-keyex,gssapi-with-mic,password
> > debug1: Trying private key: /home/np/.ssh/id_dsa
> > debug3: no such identity: /home/np/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup password
> > debug3: remaining preferred: ,password
> > debug3: authmethod_is_enabled password
> > debug1: Next authentication method: password
> > np at eng.switchlab.net@ldap1.eng.switchlab.net's password:
> > debug3: packet_send2: adding 48 (len 75 padlen 5 extra_pad 64)
> > debug2: we sent a password packet, wait for reply
> > debug3: Wrote 144 bytes for a total of 1653
> > debug1: Authentication succeeded (password).
> > debug1: channel 0: new [client-session]
> > debug3: ssh_session2_open: channel_new: 0
> > debug2: channel 0: send open
> > debug1: Requesting no-more-sessions at openssh.com
> > debug1: Entering interactive session.
> > debug3: Wrote 128 bytes for a total of 1781
> > debug2: callback start
> > debug2: client_session2_setup: id 0
> > debug2: channel 0: request pty-req confirm 1
> > debug1: Sending environment.
> > debug3: Ignored env HOSTNAME
> > debug3: Ignored env SHELL
> > debug3: Ignored env TERM
> > debug3: Ignored env HISTSIZE
> > debug3: Ignored env USER
> > debug3: Ignored env LS_COLORS
> > debug3: Ignored env MAIL
> > debug3: Ignored env PATH
> > debug3: Ignored env PWD
> > debug1: Sending env LANG = en_US.UTF-8
> > debug2: channel 0: request env confirm 0
> > debug3: Ignored env HISTCONTROL
> > debug3: Ignored env SHLVL
> > debug3: Ignored env HOME
> > debug3: Ignored env LOGNAME
> > debug3: Ignored env CVS_RSH
> > debug3: Ignored env LESSOPEN
> > debug3: Ignored env G_BROKEN_FILENAMES
> > debug3: Ignored env _
> > debug2: channel 0: request shell confirm 1
> > debug2: callback done
> > debug2: channel 0: open confirm rwindow 0 rmax 32768
> > debug3: Wrote 448 bytes for a total of 2229
> > debug2: channel_input_status_confirm: type 99 id 0
> > debug2: PTY allocation request accepted on channel 0
> > debug2: channel 0: rcvd adjust 2097152
> > debug2: channel_input_status_confirm: type 99 id 0
> > debug2: shell request accepted on channel 0
> > Last failed login: Tue Apr 23 14:37:59 BST 2013 from 10.30.2.177 on ssh:notty
> > There were 8 failed login attempts since the last successful login.
> > -sh-4.2$ debug3: Wrote 48 bytes for a total of 2277
> > edebug3: Wrote 48 bytes for a total of 2325
> > xdebug3: Wrote 48 bytes for a total of 2373
> > idebug3: Wrote 48 bytes for a total of 2421
> > tdebug3: Wrote 48 bytes for a total of 2469
> >
> > logout
> > debug2: channel 0: rcvd eof
> > debug2: channel 0: output open -> drain
> > debug2: channel 0: obuf empty
> > debug2: channel 0: close_write
> > debug2: channel 0: output drain -> closed
> > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> > debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
> > debug2: channel 0: rcvd eow
> > debug2: channel 0: close_read
> > debug2: channel 0: input open -> closed
> > debug2: channel 0: rcvd close
> > debug3: channel 0: will not send data after close
> > debug2: channel 0: almost dead
> > debug2: channel 0: gc: notify user
> > debug2: channel 0: gc: user detached
> > debug2: channel 0: send close
> > debug2: channel 0: is dead
> > debug2: channel 0: garbage collecting
> > debug1: channel 0: free: client-session, nchannels 1
> > debug3: channel 0: status: The following connections are open:
> >    #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
> >
> > debug3: channel 0: close_fds r -1 w -1 e 7 c -1
> > debug3: Wrote 32 bytes for a total of 2501
> > debug3: Wrote 64 bytes for a total of 2565
> > Connection to ldap1.eng.switchlab.net closed.
> > Transferred: sent 2288, received 2656 bytes, in 1.5 seconds
> > Bytes per second: sent 1563.3, received 1814.8
> > debug1: Exit status 0
> >
> > Nareshchandra Paturi
> >
> > 14, St. Augustine's Court,
> > Mornington Road,
> > london.
> > E11 3BQ.
> > Mob:07466666001,07856918100
> > Ph:02082579579
> > ------------------------------------------------------------------------
> > *From:* Rob Crittenden <rcritten at redhat.com>
> > *To:* Naresh Chandra R Paturi <nareshbtech at yahoo.com>;
> > freeipa-users at redhat.com
> > *Sent:* Saturday, April 20, 2013 8:11 PM
> > *Subject:* Re: [Freeipa-users] Freeipa -ssh keys
> >
> > Naresh Chandra R Paturi wrote:
> >  > Hi all
> >  >
> >  > I am new to freeipa
> >  > we have a group of linux servers where we are trying to establish
> >  > password less logins, in order to do this we need to copy ssh keys of
> >  > all users to each and every client server. so we are trying to establish
> >  > freeipa central server where we store the keys of all the users.
> >  > we got free ipa working with passwords but trying to authenticate with
> >  > keys.
> >  > is this achievable. if you please kindly direct me.
> >
> > With IPA 3.0 this is configured for you automatically by default on
> > RHEL/Fedora systems.
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#user-keys
> >
> > I believe you will need an openssh patch for this to work on a
> > Debian/Ubuntu client. I believe it also requires sssd.
> >
> > rob
> >
> >
>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
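The `ssh -vvv` output quoted above tells the whole story in a handful of lines: the GSSAPI attempt fails because there is no Kerberos credential cache, `id_rsa` is offered and the server answers with a fresh "Authentications that can continue" list (i.e. it did not accept the key), and the client falls back to a password. The following Python script is an added triage helper, not part of the thread or of FreeIPA/SSSD; it walks a client debug log and extracts that chain, using a constructed, trimmed copy of the quoted output as sample input. The `debug1: Server accepts key:` line it also recognises is standard OpenSSH client output for the successful case.

```python
import re

# Constructed sample: the client-side `ssh -vvv` output quoted in the thread,
# trimmed to the lines that matter and with the mail quoting stripped.
SAMPLE_LOG = """\
debug1: Next authentication method: gssapi-with-mic
Credentials cache file '/tmp/krb5cc_501' not found
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug3: no such identity: /home/np/.ssh/identity
debug1: Offering public key: /home/np/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: no such identity: /home/np/.ssh/id_dsa
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""

def triage_ssh_auth(log_text):
    """Summarise the auth chain in `ssh -vvv` output: methods tried in order,
    keys offered, keys the server refused, whether the Kerberos ccache was
    missing, and the method that finally succeeded (None if none did)."""
    r = {"methods": [], "offered": [], "rejected": [],
         "no_krb_cache": False, "succeeded": None}
    pending = None  # key offered and still awaiting the server's verdict
    for line in log_text.splitlines():
        if m := re.match(r"debug1: Next authentication method: (\S+)", line):
            r["methods"].append(m.group(1))
        elif m := re.match(r"debug1: Offering public key: (\S+)", line):
            pending = m.group(1)
            r["offered"].append(pending)
        elif line.startswith("debug1: Authentications that can continue:"):
            # A "can continue" list right after an offer means the server
            # refused that key (e.g. sshd never saw the IPA-stored key).
            if pending:
                r["rejected"].append(pending)
                pending = None
        elif line.startswith("debug1: Server accepts key:"):
            pending = None
        elif "Credentials cache file" in line and "not found" in line:
            r["no_krb_cache"] = True  # GSSAPI cannot work without a ticket
        elif m := re.match(r"debug1: Authentication succeeded \((\S+)\)", line):
            r["succeeded"] = m.group(1)
    return r

if __name__ == "__main__":
    print(triage_ssh_auth(SAMPLE_LOG))
```

Run against the sample it reports `id_rsa` as offered and rejected and `password` as the method that succeeded, which is exactly the symptom the thread is chasing: the client has a key, the server is not honouring it.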


