[Freeipa-users] PasswordAuthentication option for SSH
David Kreuter
david.kreuter at bytesource.net
Wed Apr 16 20:28:52 UTC 2014
On the client side the valid Kerberos ticket is present. The following SSH configuration is used on the machine where the IPA client is running:
/etc/ssh/sshd_config
---cut---
PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
---cut---
Just checked the machine again, password authentication is used as fallback, because the Kerberos setup on this machine seems to be messed up. I have tried to uninstall the client and reinstalled it. During the installation I'm getting the following message:
"A RA is not configured on the server. Not requesting host certificate."
Trying to request the certificate manually results in:
ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 'CN=<host>,O=EXAMPLE.INFO' -v
Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20140416200517"
So the certificate is already there. Do you have some hints?
----- Original Message -----
From: "Simo Sorce" <simo at redhat.com>
To: "David Kreuter" <david.kreuter at bytesource.net>
Cc: freeipa-users at redhat.com
Sent: Wednesday, 16 April, 2014 8:50:39 PM
Subject: Re: [Freeipa-users] PasswordAuthentication option for SSH
On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote:
> Hi,
>
>
> Today I faced the issue that Kerberos authentication stopped working
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a
> FreeIPA client. The deactivation of this option was done due to
> security issues.
>
>
> Is it really necessary to have this option set to yes when using
> Kerberos authentication?
No, GSSAPI authentication does not need PasswordAuthentication, of
course it requires valid kerberos credentials on the client and a valid
keytab on the server.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
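
Added example, not part of the thread and not FreeIPA or OpenSSH code: a small parser that reads the sshd_config snippet quoted above and lists which authentication methods it enables, to show that GSSAPI stays available once PasswordAuthentication is set to no. The function names and the HARDENED variant are constructed here; keywords missing from the snippet are assumed to take upstream OpenSSH defaults, which a distribution's build or shipped config may override.

```python
# Added example (not from the thread): which auth methods does an sshd_config enable?
# Unset keywords use upstream OpenSSH defaults (assumption: distro builds may differ).
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "gssapiauthentication": "no", "kbdinteractiveauthentication": "yes",
            "usepam": "no"}
# sshd_config keyword -> authentication method name offered to clients
METHODS = {"pubkeyauthentication": "publickey",
           "passwordauthentication": "password",
           "gssapiauthentication": "gssapi-with-mic",
           "kbdinteractiveauthentication": "keyboard-interactive"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global scope only; keywords are case-insensitive and the first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # everything after the first Match is conditional
        if len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}

def offered_methods(config_text):
    s = effective_settings(config_text)
    return [m for k, m in METHODS.items() if s[k] == "yes"]

def password_prompt_paths(config_text):
    """Ways a typed password can still be accepted by sshd."""
    s = effective_settings(config_text)
    paths = ["password"] if s["passwordauthentication"] == "yes" else []
    if s["kbdinteractiveauthentication"] == "yes" and s["usepam"] == "yes":
        paths.append("keyboard-interactive via PAM")
    return paths
# The snippet quoted in the message, and a constructed variant with passwords off.
PAGE = """PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
"""
HARDENED = PAGE.replace("PasswordAuthentication yes", "PasswordAuthentication no")
if __name__ == "__main__":
    for name, cfg in (("page", PAGE), ("hardened", HARDENED)):
        print(name, offered_methods(cfg), password_prompt_paths(cfg))
```

On a live host, `sshd -T` prints the effective configuration, including values the file does not set, and is the authoritative check.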