[Freeipa-users] Public Key Authentication Failing

Yogesh Sharma yks0000 at gmail.com
Tue Aug 18 19:53:37 UTC 2015 

Majority of sssd logs are filled with below error:

(Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]


*Best Regards,*

*__________________________________________*

*Yogesh Sharma*
*Email: yks0000 at gmail.com <yks0000 at gmail.com> | Web: www.initd.in
<http://www.initd.in/> *

*RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

<https://www.fb.com/yks0000>   <http://in.linkedin.com/in/yks0000>
<https://twitter.com/checkwithyogesh>
<http://google.com/+YogeshSharmaOnGooglePlus>

On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma <yks0000 at gmail.com> wrote:

> Team.
>
> We are using public key authentication instead of password. It was working
> fine but a day latter it has stopped working. The same key is working for
> if change the username.
>
> For eg:
>
> Initially we created a user - ipa1 with ssh public key, but after sometime
> it has stopped working, now the same key is working if we create ipa2 user
> but with ipa1 user it fail to accept the keys.
>
>
>
> Below are ssh logs of failed attempt:
>
> root at yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa
> vg4381 at 172.16.32.24 -vv
> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/id_rsa type 1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org
> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,
> ssh-rsa-cert-v00 at openssh.com,ssh-rsa,
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,
> ecdsa-sha2-nistp384-cert-v01 at openssh.com,
> ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,
> ssh-dss-cert-v01 at openssh.com,ssh-dss-cert-v00 at openssh.com
> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
> aes128-gcm at openssh.com,aes256-gcm at openssh.com,
> chacha20-poly1305 at openssh.com
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
> aes128-gcm at openssh.com,aes256-gcm at openssh.com,
> chacha20-poly1305 at openssh.com
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com
> ,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com
> ,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
> rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com
> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
> ,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com
> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
> ,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: setup hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: setup hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: bits set: 1554/3072
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Server host key: RSA
> 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15
> debug1: Host '172.16.32.24' is known and matches the RSA host key.
> debug1: Found key in /root/.ssh/known_hosts:2258
> debug2: bits set: 1553/3072
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /root/.ssh/id_rsa (0x7f646fa5b830), explicit
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
>
>
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available
>
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /root/.ssh/id_rsa
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: password
>
> *Best Regards,*
>
> *__________________________________________*
>
> *Yogesh Sharma*
> *Email: yks0000 at gmail.com <yks0000 at gmail.com> | Web: www.initd.in
> <http://www.initd.in/> *
>
> *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*
>
> <https://www.fb.com/yks0000>   <http://in.linkedin.com/in/yks0000>
> <https://twitter.com/checkwithyogesh>
> <http://google.com/+YogeshSharmaOnGooglePlus>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150819/e715c2fd/attachment.htm>

More information about the Freeipa-users mailing list