[Freeipa-users] sssd and ipa+ad trust, ssh login errors
l at avc.su
Fri Jul 3 15:29:02 UTC 2015
Hello.
I've encountered an issue with ssh login to freeipa clients in a trusted
environment.
The getent/id commands work as expected, but password/publickey auth for
a user from the ipa or AD domain does not work (gssapi works, by the way).
It seems like sss_ssh_authorizedkeys is not working properly in this case.
$ getent passwd admin
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash
$ getent passwd admin@cloud
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash
$ getent passwd Administrator@zone.local
administrator@zone.local:*:1742600500:1742600500:Administrator:/home/zone.local/administrator:/bin/bash
Establishing connection:
$ ssh -l admin@CLOUD 192.168.13.103 -i key.openssh
Received disconnect from 192.168.13.103: 2: Too many authentication
failures for admin@CLOUD
Here's the log of connection:
/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
Disconnecting: Too many authentication failures for admin@CLOUD
[preauth]
Trying to get the public key manually:
$ /usr/bin/sss_ssh_authorizedkeys admin@CLOUD
ssh-rsa AAAAB3NzaC~~
$ /usr/bin/sss_ssh_authorizedkeys admin
Error looking up public keys
Trying to connect with password auth:
$ ssh -l admin@CLOUD 192.168.13.103
admin@CLOUD@192.168.13.103's password:
X11 forwarding request failed on channel 0
Connection to 192.168.13.103 closed by remote host.
Connection to 192.168.13.103 closed.
/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned
status 1
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
Accepted password for admin@CLOUD from 192.168.13.106 port 63054 ssh2
pam_unix(sshd:session): session opened for user admin@CLOUD by (uid=0)
fatal: login_init_entry: Cannot find user "admin"
pam_unix(sshd:session): session closed for user admin@CLOUD
fatal: login_init_entry: Cannot find user "admin"
fatal: mm_request_send: write: Broken pipe
Connection closed by 192.168.13.106 [preauth]
Auth succeeded, but login failed.
Versions:
CentOS 7.1.1503
sssd 1.12.2
freeipa 4.1.0
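
An added example, not part of the original post: a small triage script that separates the two symptoms visible in the logs above, the failing AuthorizedKeysCommand calls and the session step that looks up the short name "admin" after authentication was accepted for admin@CLOUD. The function name triage and the sample lines (timestamps, host name, PIDs) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/secure excerpts in the post;
# timestamps, host name and PIDs are made up.
SAMPLE = """\
Jul  3 15:20:01 client sshd[2101]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Jul  3 15:20:02 client sshd[2101]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Jul  3 15:20:02 client sshd[2101]: Disconnecting: Too many authentication failures for admin@CLOUD [preauth]
Jul  3 15:25:10 client sshd[2150]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Jul  3 15:25:14 client sshd[2150]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
Jul  3 15:25:14 client sshd[2150]: Accepted password for admin@CLOUD from 192.168.13.106 port 63054 ssh2
Jul  3 15:25:14 client sshd[2152]: fatal: login_init_entry: Cannot find user "admin"
"""

KEYCMD = re.compile(r"AuthorizedKeysCommand \S+ returned status (\d+)")
LOCKOUT = re.compile(r"Too many authentication failures for (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")
NO_USER = re.compile(r'login_init_entry: Cannot find user "([^"]+)"')

def triage(log_text):
    """Return (event counts, findings) for an sshd log excerpt."""
    counts, accepted, findings = Counter(), [], []
    for line in log_text.splitlines():
        if (m := KEYCMD.search(line)) and m.group(1) != "0":
            counts["keycmd_failed"] += 1
        elif m := LOCKOUT.search(line):
            counts["preauth_lockout"] += 1
            findings.append(("preauth_lockout", m.group(1)))
        elif m := ACCEPTED.search(line):
            counts["accepted"] += 1
            accepted.append(m.group(2))
        elif m := NO_USER.search(line):
            counts["session_lookup_failed"] += 1
            # Authentication succeeded under the qualified name, but the
            # session step looked up a different (short) name and failed.
            for user in accepted:
                if "@" in user and user.split("@", 1)[0] == m.group(1):
                    findings.append(("name_mismatch", user, m.group(1)))
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE)
    print(dict(counts))
    for finding in findings:
        print(finding)
```

A name_mismatch finding means the login was authenticated and then dropped, so it should not be counted with the preauth failures when reviewing failed logins.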