[Freeipa-users] sssd and ipa+ad trust, ssh login errors

l at avc.su l at avc.su
Fri Jul 3 15:29:02 UTC 2015


Hello.
I've encountered an issue with ssh login to freeipa clients in a trusted
environment.
The getent/id commands work as expected, but password/publickey auth for
a user from the ipa or AD domain does not work (gssapi works, by the way).
It seems like sss_ssh_authorizedkeys is not working properly in this case.

$ getent passwd admin
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash

$ getent passwd admin@cloud
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash

$ getent passwd Administrator@zone.local
administrator@zone.local:*:1742600500:1742600500:Administrator:/home/zone.local/administrator:/bin/bash

Establishing connection:
$ ssh -l admin@CLOUD 192.168.13.103 -i key.openssh
Received disconnect from 192.168.13.103: 2: Too many authentication failures for admin@CLOUD

Here's the log of connection:
/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Disconnecting: Too many authentication failures for admin@CLOUD [preauth]

Trying to get the public key manually:
$ /usr/bin/sss_ssh_authorizedkeys admin@CLOUD
ssh-rsa AAAAB3NzaC~~

$ /usr/bin/sss_ssh_authorizedkeys admin
Error looking up public keys


Trying to connect with password auth:
$ ssh -l admin@CLOUD 192.168.13.103
admin@CLOUD@192.168.13.103's password:
X11 forwarding request failed on channel 0
Connection to 192.168.13.103 closed by remote host.
Connection to 192.168.13.103 closed.

/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106  user=admin@CLOUD
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
Accepted password for admin@CLOUD from 192.168.13.106 port 63054 ssh2
pam_unix(sshd:session): session opened for user admin@CLOUD by (uid=0)
fatal: login_init_entry: Cannot find user "admin"
pam_unix(sshd:session): session closed for user admin@CLOUD
fatal: login_init_entry: Cannot find user "admin"
fatal: mm_request_send: write: Broken pipe
Connection closed by 192.168.13.106 [preauth]

Auth succeeded, but login failed.


Versions:
CentOS  7.1.1503
sssd    1.12.2
freeipa 4.1.0
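
An added example, not part of the original post: a small triage script that scans sshd lines like the ones quoted above, counts non-zero AuthorizedKeysCommand exits, and flags sessions where authentication was accepted under a qualified name but login_init_entry then looked up only the short name. The sample log is constructed; its syslog prefixes and the "alice" login are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/secure lines in the post;
# the syslog prefixes and the "alice" login are assumptions.
SAMPLE = """\
Jul  3 15:20:01 client sshd[2101]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Jul  3 15:20:02 client sshd[2101]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Jul  3 15:20:05 client sshd[2101]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
Jul  3 15:20:05 client sshd[2101]: Accepted password for admin@CLOUD from 192.168.13.106 port 63054 ssh2
Jul  3 15:20:05 client sshd[2101]: fatal: login_init_entry: Cannot find user "admin"
Jul  3 15:20:05 client sshd[2101]: fatal: login_init_entry: Cannot find user "admin"
Jul  3 15:20:09 client sshd[2150]: Accepted password for alice from 192.168.13.106 port 63060 ssh2
"""

KEYCMD = re.compile(r"AuthorizedKeysCommand (\S+) returned status (\d+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
NOUSER = re.compile(r'login_init_entry: Cannot find user "([^"]+)"')

def triage(log_text):
    """Summarise key-helper failures and auth-OK/login-failed name mismatches."""
    keycmd_failures = Counter()   # helper path -> count of non-zero exits
    accepted = []                 # (method, user, rhost) in log order
    findings, seen = [], set()
    for line in log_text.splitlines():
        if m := KEYCMD.search(line):
            if m.group(2) != "0":
                keycmd_failures[m.group(1)] += 1
        elif m := ACCEPTED.search(line):
            accepted.append(m.groups())
        elif m := NOUSER.search(line):
            looked_up = m.group(1)
            # Pair with the latest accepted login whose short name matches
            # the name the session setup failed to resolve.
            for method, user, rhost in reversed(accepted):
                short = user.split("@", 1)[0]
                if user != looked_up and short.lower() == looked_up.lower():
                    if (user, looked_up, rhost) not in seen:
                        seen.add((user, looked_up, rhost))
                        findings.append({"authenticated_as": user,
                                         "looked_up": looked_up,
                                         "method": method, "rhost": rhost})
                    break
    return {"keycmd_failures": dict(keycmd_failures), "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A finding here means the name sshd authenticated and the name it later tried to resolve differ, which points the investigation at name qualification on the client rather than at the credentials.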



