[Freeipa-users] PasswordAuthentication option for SSH

Dmitri Pal dpal at redhat.com
Thu Apr 17 21:34:28 UTC 2014


On 04/16/2014 04:28 PM, David Kreuter wrote:
> On client side the valid Kerberos ticket is present. The following SSH 
> configuration is used on the machine where the IPA client is running:
>
> /etc/ssh/sshd_config
> ---cut---
> PasswordAuthentication yes
> KerberosAuthentication no
> PubkeyAuthentication yes
> UsePAM yes
> GSSAPIAuthentication yes
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> ---cut---
>
> Just checked the machine again, password authentication is used as 
> fallback, because the Kerberos setup on this machine seems to be messed 
> up. I have tried to uninstall the client and reinstalled it. During 
> the installation I'm getting the following message:
>
> "A RA is not configured on the server. Not requesting host certificate."
>
> Trying to request the certificate manually leads to:
>
> ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 
> 'CN=<host>,O=EXAMPLE.INFO' -v
>
> Error org.fedorahosted.certmonger.duplicate: Certificate at same 
> location is already used by request with nickname "20140416200517"

When you removed the client, certmonger was still tracking certs from the 
previous install.
Use certmonger to un-track old cert(s) and try to re-install again. That 
should solve this problem.
I think this is fixed in the latest version of IPA client.

As for SSH, I think a quick search on the net renders several guides that 
show how to set up OpenSSH with GSSAPI.


>
> So the certificate is already there. Do you have some hints?
>
>
> ------------------------------------------------------------------------
> *From: *"Simo Sorce" <simo at redhat.com>
> *To: *"David Kreuter" <david.kreuter at bytesource.net>
> *Cc: *freeipa-users at redhat.com
> *Sent: *Wednesday, 16 April, 2014 8:50:39 PM
> *Subject: *Re: [Freeipa-users] PasswordAuthentication option for SSH
>
> On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote:
> > Hi,
> >
> >
> > Today I faced the issue that Kerberos authentication stopped working
> > after disabling PasswordAuthentication in /etc/ssh/sshd_config on a
> > FreeIPA client. The deactivation of this option was done due to
> > security issues.
> >
> >
> > Is it really necessary to have this option set to yes when using
> > Kerberos authentication?
>
> No, GSSAPI authentication does not need PasswordAuthentication, of
> course it requires valid kerberos credentials on the client and a valid
> keytab on the server.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
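
The point made in the thread that GSSAPI login does not depend on PasswordAuthentication, shown as an added example that is not part of the original messages: a small Python check that reads sshd_config text the way sshd does (first value wins, keywords are case-insensitive) and lists the methods a client could complete. The defaults are upstream OpenSSH's, the keyboard-interactive rule is a simplification, Match blocks are ignored, and `HARDENED` is a constructed variant of the posted options.

```python
# Added example (not from the thread). Upstream OpenSSH defaults are assumed;
# distribution builds and shipped config files may set different values.
DEFAULTS = {
    "passwordauthentication": "yes", "pubkeyauthentication": "yes",
    "gssapiauthentication": "no", "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# Older keyword name, as used on 2014-era systems.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def global_settings(text):
    """Effective global settings: first value wins, keywords are case-insensitive."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key = parts[0].lower()
        if key == "match":
            break  # conditional Match blocks are not evaluated here
        seen.setdefault(ALIASES.get(key, key), parts[1].strip())
    return {**DEFAULTS, **seen}

def usable_methods(text):
    """Simplified model of the auth methods a client could complete."""
    cfg = global_settings(text)
    on = lambda k: cfg[k].lower() == "yes"
    methods = []
    if on("gssapiauthentication"):
        methods.append("gssapi-with-mic")  # Kerberos ticket + server keytab
    if on("pubkeyauthentication"):
        methods.append("publickey")
    if on("passwordauthentication"):
        methods.append("password")
    # Assumption: keyboard-interactive is backed only by PAM on this host.
    if on("kbdinteractiveauthentication") and on("usepam"):
        methods.append("keyboard-interactive")  # PAM may still ask for a password
    return methods

# The options quoted in the thread.
POSTED = """PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
"""
# Constructed variant: prepended lines win because sshd keeps the first value.
HARDENED = "PasswordAuthentication no\nChallengeResponseAuthentication no\n" + POSTED

print(usable_methods(POSTED), usable_methods(HARDENED))
```

KerberosAuthentication is left out of the model because it only controls whether a typed password is validated against the KDC; ticket-based login is governed by GSSAPIAuthentication.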
