[Freeipa-users] FreeIPA client setup in AWS

Rob Crittenden rcritten at redhat.com
Fri Oct 4 13:03:27 UTC 2013


Mohan Cheema wrote:
> Hi,
>
> We are running a number of Amazon AMIs (Amazon Linux) in AWS. As this is
> based on RHEL, we installed a number of packages to enable users on those
> machines to get authenticated against ipa. The client gets configured with
> the below warning.
>
> -----------------------------------
> WARNING Installed OpenSSH server does not support dynamically loading
> authorized user keys. Public key authentication of IPA users will not be
> available.
> -----------------------------------
>
> When a user tries to authenticate, the SSH connection is dropped; the ipa
> server issues the authentication ticket to the machine.
>
> Packages that have been installed:
>
> ----------------------------------------------
> ipa-python-3.0.0-25.el6.x86_64.rpm
> python-ldap-2.3.10-1.el6.x86_64.rpm
> cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
> pam_krb5-2.3.11-9.el6.i686.rpm
> sssd-1.9.2-82.el6.x86_64.rpm
> certmonger-0.61-3.el6.x86_64.rpm
> oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
> python-krbV-1.0.90-3.el6.x86_64.rpm
> libsss_autofs-1.9.2-82.el6.x86_64.rpm
> autofs-5.0.5-73.el6.x86_64.rpm
> nfs-utils-1.2.3-36.el6.x86_64.rpm
> sssd-client-1.9.2-82.el6.x86_64.rpm
> python-kerberos-1.1-6.2.el6.x86_64.rpm
> python-nss-0.13-1.el6.x86_64.rpm
> python-lxml-2.2.3-1.1.el6.x86_64.rpm
> python-netaddr-0.7.5-4.el6.noarch.rpm
> pyOpenSSL-0.10-2.el6.x86_64.rpm
> libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
> libgssglue-0.1-11.el6.x86_64.rpm
> nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
> rpcbind-0.2.0-11.el6.x86_64.rpm
> oddjob-0.30-5.el6.x86_64.rpm
> libipa_hbac-1.9.2-82.el6.x86_64.rpm
> libldb-1.1.13-3.el6.x86_64.rpm
> libsss_idmap-1.9.2-82.el6.x86_64.rpm
> libevent-1.4.13-4.el6.x86_64.rpm
> libtalloc-2.0.7-2.el6.x86_64.rpm
> keyutils-1.4-4.el6.x86_64.rpm
> libdhash-0.4.2-9.el6.x86_64.rpm
> libtirpc-0.2.1-5.el6.x86_64.rpm
> ipa-client-3.0.0-25.el6.x86_64.rpm
> libtevent-0.9.17-1.el6.x86_64.rpm
> libtdb-1.2.10-1.el6.x86_64.rpm
> libini_config-0.6.1-9.el6.x86_64.rpm
> libcollection-0.6.0-9.el6.x86_64.rpm
> libpath_utils-0.2.1-9.el6.x86_64.rpm
> libref_array-0.1.1-9.el6.x86_64.rpm
> c-ares-1.7.0-6.el6.x86_64.rpm
> samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
> libnl-1.1-14.el6.x86_64.rpm
> ----------------------------------------------
>
> Are there any other packages that need to be installed to make it work?
>
> Below is the ssh version.
>
> # rpm -qa | grep ssh
> libssh2-1.4.2-1.10.amzn1.x86_64
> openssh-6.2p2-4.34.amzn1.x86_64
> openssh-clients-6.2p2-4.34.amzn1.x86_64
> openssh-server-6.2p2-4.34.amzn1.x86_64

I'm guessing the problem is the Amazon-specific version of ssh. It needs 
to support one of these command combinations:

AuthorizedKeysCommand and AuthorizedKeysCommandUser
AuthorizedKeysCommand and AuthorizedKeysCommandRunAs
PubKeyAgent and PubKeyAgentRunAs

/var/log/ipaclient-install.log should contain the output of the probing 
for this support.

rob
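
One way to check by hand whether an sshd build accepts any of the three option pairs listed in the reply above (an added example, not part of the original thread and not FreeIPA's own code). Assumptions: the helper path /usr/bin/sss_ssh_authorizedkeys, the run-as user nobody, the %u argument for PubKeyAgent, and that `sshd -t -f /dev/null -o ...` exits non-zero when an option is unknown to the build.

```shell
#!/bin/sh
# Added example: probe an sshd binary for the option pairs named in the reply.
# HELPER and RUNAS are assumed sample values, not taken from the thread.
HELPER=/usr/bin/sss_ssh_authorizedkeys
RUNAS=nobody

# probe_sshd_authkeys [SSHD_BINARY]
# Prints the first accepted "CommandOption UserOption" pair and returns 0.
# Prints nothing and returns 1 when the binary rejects all three pairs.
probe_sshd_authkeys() {
    sshd_bin=${1:-/usr/sbin/sshd}
    for pair in \
        "AuthorizedKeysCommand AuthorizedKeysCommandUser" \
        "AuthorizedKeysCommand AuthorizedKeysCommandRunAs" \
        "PubKeyAgent PubKeyAgentRunAs"
    do
        cmd_opt=${pair% *}     # text before the space
        user_opt=${pair#* }    # text after the space
        value=$HELPER
        # Assumption: the PubKeyAgent patch expects the user name as %u.
        [ "$cmd_opt" = "PubKeyAgent" ] && value="$HELPER %u"
        # -t validates the configuration and exits without starting a daemon;
        # -f /dev/null starts from an empty config, so only the -o options
        # are being tested. Unreadable host keys also cause a non-zero exit,
        # so run the probe as root on a host with sshd already installed.
        if "$sshd_bin" -t -f /dev/null \
            -o "$cmd_opt=$value" -o "$user_opt=$RUNAS" >/dev/null 2>&1
        then
            printf '%s %s\n' "$cmd_opt" "$user_opt"
            return 0
        fi
    done
    return 1
}
```

Calling `probe_sshd_authkeys /usr/sbin/sshd` as root prints the pair to put in sshd_config; an empty result with exit status 1 matches the installer warning quoted above.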



