[Freeipa-users] SSH as Root on CentOS 7 fails

Sumit Bose sbose at redhat.com
Tue Nov 1 09:08:13 UTC 2016


On Mon, Oct 31, 2016 at 04:17:08PM -0400, Geordie Grindle wrote:
> 
> Hello,
> 
> I’m unable to ssh as ‘root’ onto any of my new CentOS 7 hosts. I’ve always been able to do so on CentOS 6.x
> 
> We normally have the file ‘/root/.k5login’ listing the designated system admins’ principals. Once on a CentOS 7, an admin can ‘ksu’ and become root as we expected.
> 
> We are using puppet and Foreman to build our hosts so they are in every way we can think of, identical, except for the O/s version.
> 
> I’ve confirmed forward and reverse DNS and that the ‘kvno’ number matches what’s reported by ‘klist -k’. 
> 
> I enabled "LogLevel DEBUG" in sshd_config and restarted sshd on a CentOS7 host:
> 
> Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method none [preauth]
> Oct 31 19:22:36 someserver sshd[12378]: debug1: attempt 0 failures 0 [preauth]
> Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: initializing for "testuser"
> Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: setting PAM_RHOST to "someserver.test.com"
> Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: setting PAM_TTY to "ssh"
> Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic [preauth]
> Oct 31 19:22:36 someserver sshd[12378]: debug1: attempt 1 failures 0 [preauth]
> Oct 31 19:22:36 someserver sshd[12378]: Postponed gssapi-with-mic for testuser from 10.0.0.55 port 36383 ssh2 [preauth]
> Oct 31 19:22:36 someserver sshd[12378]: debug1: Received some client credentials
> Oct 31 19:22:36 someserver sshd[12378]: Authorized to testuser, krb5 principal testuser at TEST.COM (ssh_gssapi_krb5_cmdok)
> 
> ################
> 
> Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method none [preauth]
> Oct 31 19:35:42 someserver sshd[12409]: debug1: attempt 0 failures 0 [preauth]
> Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: initializing for "root"
> Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: setting PAM_RHOST to "someserver.test.com"
> Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: setting PAM_TTY to "ssh"
> Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
> Oct 31 19:35:42 someserver sshd[12409]: debug1: attempt 1 failures 0 [preauth]
> Oct 31 19:35:42 someserver sshd[12409]: Postponed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2 [preauth]
> Oct 31 19:35:42 someserver sshd[12409]: debug1: Received some client credentials
> Oct 31 19:35:42 someserver sshd[12409]: Failed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2
> ...
> Oct 31 19:35:42 someserver sshd[12577]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
> Oct 31 19:35:42 someserver sshd[12577]: debug1: attempt 4 failures 1 [preauth]
> 
> Appreciate any thoughts or suggestions you have.

Which version of SSSD are you using? SSSD provides a localauth plugin to
make matching the Kerberos principal and the provided login name
easier. It creates a configuration snippet for krb5.conf in
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin and the content
should typically look like

[plugins]
 localauth = {
  module = sssd:/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
 }


Some versions of SSSD added an 'enable_only = sssd' line which disables
the .k5login checks. If you have this line in the localauth_plugin file
I would recommend checking if a newer version of SSSD is available for
your platform which does not create the line. As an alternative you can
just remove the line from the file. But since SSSD will recreate the
file at startup you should make it immutable with chattr and the 'i'
option.

HTH

bye,
Sumit

> 
> Yours,
> Geordie Grindle
> 
> 
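As an added example (not code from this thread or from the SSSD project), here is a small POSIX shell script that checks the snippet Sumit describes for the 'enable_only = sssd' line and produces a cleaned copy with only that line removed. The file path, the [plugins] snippet and the chattr step come from the message above; the whitespace-tolerant pattern, the helper names and the sample file are my own assumptions, and the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check an SSSD-generated krb5.conf
# snippet for the 'enable_only = sssd' line that makes the localauth
# plugin ignore /root/.k5login, and produce a cleaned copy of it.

# Path quoted in the thread; SSSD regenerates this file at startup.
LOCALAUTH_SNIPPET="/var/lib/sss/pubconf/krb5.include.d/localauth_plugin"

# Pattern for the offending line. Tolerating surrounding whitespace is an
# assumption about how different SSSD versions may format the snippet.
ENABLE_ONLY_RE='^[[:space:]]*enable_only[[:space:]]*=[[:space:]]*sssd[[:space:]]*$'

# Exit 0 when the snippet restricts localauth to the sssd module only
# (so .k5login entries are never consulted); 1 otherwise or if unreadable.
k5login_disabled() {
    file="${1:-$LOCALAUTH_SNIPPET}"
    [ -r "$file" ] || return 1
    grep -Eq "$ENABLE_ONLY_RE" "$file"
}

# Write a copy of snippet $1 with the enable_only line removed to $2.
# The 'module = sssd:...' line is kept so principal-to-user mapping via
# SSSD keeps working; only the .k5login restriction is lifted.
strip_enable_only() {
    sed -E "/$ENABLE_ONLY_RE/d" "$1" > "$2"
}

# Constructed sample of what the affected SSSD versions generate: the
# [plugins] block from the thread plus the enable_only line.
make_sample() {
    cat > "$1" <<'EOF'
[plugins]
 localauth = {
  module = sssd:/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
EOF
}

# Demo on a temporary copy; no root needed. On a real host the cleaned
# file would replace the original and then be pinned with 'chattr +i'
# so that SSSD cannot rewrite it on restart.
main() {
    tmp=$(mktemp -d) || exit 1
    make_sample "$tmp/localauth_plugin"
    if k5login_disabled "$tmp/localauth_plugin"; then
        echo "enable_only = sssd present: .k5login is ignored"
    else
        echo "enable_only line absent: .k5login checks active"
    fi
    strip_enable_only "$tmp/localauth_plugin" "$tmp/localauth_plugin.fixed"
    echo "--- cleaned snippet ---"
    cat "$tmp/localauth_plugin.fixed"
    echo "# as root: cp localauth_plugin.fixed $LOCALAUTH_SNIPPET && chattr +i $LOCALAUTH_SNIPPET"
    rm -rf "$tmp"
}

main
```

Run it as a normal user to see the check and the cleaned output; only the final copy and chattr step on the live file need root. Note that the immutable bit also stops an SSSD upgrade from refreshing the snippet, so it is worth removing once a version that no longer emits the line is installed.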



