[Freeipa-users] IdM Replica Install SSH failure.

Martin Kosek mkosek at redhat.com
Thu Apr 23 10:32:18 UTC 2015


On 04/22/2015 04:57 PM, Jesse Johnson wrote:
> ALL,
> 
> I'm attempting to complete a replica install and the system is bombing out on the gssapi portion of the SSH key configuration. I can ssh and selinux is permissive.

You mean right before the beginning of the installation, in the connection check?

> 
> Could not SSH into remote host. Error output:
>     OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
>     debug1: Reading configuration data /etc/ssh/ssh_config
>     debug1: /etc/ssh/ssh_config line 56: Applying options for *
>     debug1: Connecting to <IDM_master_name> [<IdM_master_ip>] port 22.
>     debug1: Connection established.
>     debug1: permanently_set_uid: 0/0
>     debug1: identity file /root/.ssh/id_rsa type -1
>     debug1: identity file /root/.ssh/id_rsa-cert type -1
>     debug1: identity file /root/.ssh/id_dsa type -1
>     debug1: identity file /root/.ssh/id_dsa-cert type -1
>     debug1: identity file /root/.ssh/id_ecdsa type -1
>     debug1: identity file /root/.ssh/id_ecdsa-cert type -1
>     debug1: identity file /root/.ssh/id_ed25519 type -1
>     debug1: identity file /root/.ssh/id_ed25519-cert type -1
>     debug1: Enabling compatibility mode for protocol 2.0
>     debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>     debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
>     debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
>     debug1: SSH2_MSG_KEXINIT sent
>     debug1: SSH2_MSG_KEXINIT received
>     debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
>     debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
>     debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
>     debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
>     debug1: sending SSH2_MSG_KEX_ECDH_INIT
>     debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>     debug1: Server host key: ECDSA <key>
>     Warning: Permanently added '<IDM_master_name>,<IdM_master_ip>' (ECDSA) to the list of known hosts.
>     debug1: ssh_ecdsa_verify: signature correct
>     debug1: SSH2_MSG_NEWKEYS sent
>     debug1: expecting SSH2_MSG_NEWKEYS
>     debug1: SSH2_MSG_NEWKEYS received
>     debug1: Roaming not allowed by server
>     debug1: SSH2_MSG_SERVICE_REQUEST sent
>     debug1: SSH2_MSG_SERVICE_ACCEPT received
>     debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>     debug1: Next authentication method: gssapi-keyex
>     debug1: No valid Key exchange context
>     debug1: Next authentication method: gssapi-with-mic
>     Connection closed by <IdM_master_ip>
> Could not SSH to remote host.
> 
> Any help would be appreciated.
> 
> Jesse P. Johnson CISSP RHC{A,DS,E,SA}
> ISC^2: 384989
> RH: 120-117-320
> C: 757-232-3110

There is most likely some problem; the conncheck is already quite proven. You
can skip it with --skip-conncheck, but the installation will probably blow up
in later stages anyway.

So it is good you are investigating the root cause. I would try:
- checking that DNS records from your client to the server are OK (both the forward
DNS record and the reverse DNS record for its IP address). Also check the other
side, from master to client; there was a bug in the past.
- checking that you can ssh as the "admin" user and via Kerberos (you can copy a
functional krb5.conf from another replica) - ssh via another account and by different
means (SSH key) may not be sufficient

Also, what is the FreeIPA and platform version you are testing this on?
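The two checks Martin suggests above (forward and reverse DNS agreeing for both hosts, and an SSH login to the master that is allowed to use Kerberos only, so a key or password cannot hide a GSSAPI failure) can be scripted. The following is an added example written for this thread; it is not FreeIPA's conncheck code and not something Martin or Jesse posted. The hostnames in the `__main__` block are placeholders, the resolver functions are injectable so the logic can be exercised with constructed records, and `KRB5_TRACE` is the MIT Kerberos tracing variable.

```python
"""Pre-flight checks before a replica install: forward/reverse DNS agreement
for the replica and the master, and an SSH probe to the master restricted to
GSSAPI authentication. Added example, not FreeIPA code; hostnames below are
placeholders."""
import os
import socket
import subprocess


def forward_lookup(host):
    """Default resolver: every A/AAAA address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def reverse_lookup(ip):
    """Default resolver: the PTR name the system resolver returns for ip."""
    return socket.gethostbyaddr(ip)[0]


def canonical(name):
    """Compare names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def check_dns(host, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems for host; an empty list means forward and reverse agree.

    forward(host) -> list of IPs, reverse(ip) -> PTR name. Both may raise OSError
    (socket.gaierror and socket.herror are subclasses) when a record is missing.
    """
    host = canonical(host)
    problems = []
    try:
        addrs = forward(host)
    except OSError as exc:
        return [f"{host}: no forward record ({exc})"]
    if not addrs:
        return [f"{host}: no forward record"]
    for ip in addrs:
        try:
            ptr = canonical(reverse(ip))
        except OSError as exc:
            problems.append(f"{host}: no reverse record for {ip} ({exc})")
            continue
        if ptr != host:
            problems.append(f"{host}: reverse record for {ip} is {ptr}")
    return problems


def check_both_sides(client, master, forward=forward_lookup, reverse=reverse_lookup):
    """Check the new replica and the master as resolved from the host running this script.
    Run it on both machines, since Martin notes the master-to-client direction matters too."""
    return {name: check_dns(name, forward, reverse) for name in (client, master)}


def gssapi_ssh_command(master, user="admin"):
    """ssh invocation limited to GSSAPI so key or password auth cannot mask a Kerberos problem."""
    return [
        "ssh", "-vvv",
        "-o", "GSSAPIAuthentication=yes",
        "-o", "PreferredAuthentications=gssapi-with-mic",
        "-o", "PubkeyAuthentication=no",
        "-o", "PasswordAuthentication=no",
        "-o", "BatchMode=yes",
        f"{user}@{master}", "true",
    ]


def run_gssapi_ssh(master, user="admin"):
    """Run the probe with Kerberos library tracing on stderr; returns ssh's exit status (0 = login worked).
    Requires a valid ticket for `user` (kinit first)."""
    env = dict(os.environ, KRB5_TRACE="/dev/stderr")
    return subprocess.run(gssapi_ssh_command(master, user), env=env).returncode


if __name__ == "__main__":
    # Placeholder names: substitute the real replica and master FQDNs.
    replica, master = "replica.example.test", "master.example.test"
    for name, problems in check_both_sides(replica, master).items():
        print(name, "DNS OK" if not problems else "\n  ".join(["DNS problems:"] + problems))
    print("gssapi ssh exit status:", run_gssapi_ssh(master))
```

Run `kinit admin` with a krb5.conf copied from a working replica before the SSH probe; if the probe still ends with the server closing the connection after `gssapi-with-mic`, the client-side `-vvv` output and `KRB5_TRACE` show which principal and ticket were offered, and the master's sshd log shows why it rejected them.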
