[Freeipa-users] PasswordAuthentication option for SSH

David Kreuter david.kreuter at bytesource.net
Wed Apr 16 20:28:52 UTC 2014


On the client side, a valid Kerberos ticket is present. The following SSH configuration is used on the machine where the IPA client is running:


/etc/ssh/sshd_config 
---cut--- 
PasswordAuthentication yes 

KerberosAuthentication no 
PubkeyAuthentication yes 
UsePAM yes 
GSSAPIAuthentication yes 
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys 
---cut--- 


Just checked the machine again, password authentication is used as fallback, because the Kerberos setup on this machine seems to be messed up. I have tried to uninstall the client and reinstall it. During the installation I'm getting the following message:


"A RA is not configured on the server. Not requesting host certificate." 


Trying to request the certificate manually leads to:


ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 'CN=<host>,O=EXAMPLE.INFO' -v 


Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20140416200517" 


So the certificate is already there. Do you have some hints?



----- Original Message -----

From: "Simo Sorce" <simo at redhat.com> 
To: "David Kreuter" <david.kreuter at bytesource.net> 
Cc: freeipa-users at redhat.com 
Sent: Wednesday, 16 April, 2014 8:50:39 PM 
Subject: Re: [Freeipa-users] PasswordAuthentication option for SSH 

On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote: 
> Hi, 
> 
> 
> Today I faced the issue that Kerberos authentication stopped working 
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a 
> FreeIPA client. The deactivation of this option was done due to 
> security issues. 
> 
> 
> Is it really necessary to have this option set to yes when using 
> Kerberos authentication?

No, GSSAPI authentication does not need PasswordAuthentication, of 
course it requires valid kerberos credentials on the client and a valid 
keytab on the server. 

Simo. 

-- 
Simo Sorce * Red Hat, Inc * New York 
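
The reply above names a valid keytab on the server as a precondition for GSSAPI logins; together with the sshd_config settings quoted in the message, that can be checked before password logins are switched off. The script below is an added example, not part of the thread: the function names are hypothetical, and the host name client.example.info, the sample sshd_config and the `klist -k` listings are constructed.

```shell
# Added example, not from the thread; all sample data below is constructed.

# effective_opt KEYWORD DEFAULT   (sshd_config text on stdin)
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block (global scope only).
# Assumes whitespace-separated "Keyword value" lines.
effective_opt() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v dflt="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }'
}

# has_host_principal FQDN   (`klist -k` output on stdin)
has_host_principal() {
    awk -v p="host/$1@" 'index($2, p) == 1 { ok = 1 } END { exit !ok }'
}

# gssapi_ready FQDN SSHD_CONFIG_TEXT KLIST_TEXT
# Prints a verdict; returns 0 only when GSSAPI logins can work.
gssapi_ready() {
    gss=$(printf '%s\n' "$2" | effective_opt GSSAPIAuthentication no)   # upstream default: no
    pw=$(printf '%s\n' "$2" | effective_opt PasswordAuthentication yes) # upstream default: yes
    if [ "$gss" != yes ]; then
        echo "gssapi-disabled password=$pw"; return 1
    fi
    if ! printf '%s\n' "$3" | has_host_principal "$1"; then
        echo "no-host-key password=$pw"; return 1
    fi
    echo "ok password=$pw"
}

# Constructed sshd_config: the thread's settings with password logins off.
SAMPLE_CONF='# constructed sample
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
passwordauthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes'

# Constructed `klist -k` listings: one with the host key, one without.
KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   1 host/client.example.info@EXAMPLE.INFO'
KEYTAB_EMPTY='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal'

gssapi_ready client.example.info "$SAMPLE_CONF" "$KEYTAB_OK" || true
gssapi_ready client.example.info "$SAMPLE_CONF" "$KEYTAB_EMPTY" || true
```

On a live host the same functions can be fed the output of `sshd -T` and `klist -k /etc/krb5.keytab` instead of the constructed samples. A `no-host-key` verdict with `password=no` is the lock-out case: GSSAPI cannot succeed and there is no password fallback.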

