[Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??

Sumit Bose sbose at redhat.com
Fri Oct 21 13:11:23 UTC 2016


On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:
> hi all
> 
> I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
> (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64)
> I realize that to assume version differences cause it is a bit silly but
> nothing changed except an update of boxB's IPA a day before the problem occurred.
> Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
> boxB == boxC IPA-wise) which does ssh in fine.
> Other way around, boxB to boxA ssh works.
> Logs are pretty quiet, I merely see:
> 
> error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status
> 1
> 
> and that I'm not sure appears at the time of login attempt.
> I do:
> boxA$ ssh boxB
> Connection closed by UNKNOWN
> 
> ps. boxA is not banned nor blocked by any tcp/ip means.
> 
> many! thanks for any help

Which version of SSSD is running? Do you have user certificates stored
in IPA? In this case you might hit
https://bugzilla.redhat.com/show_bug.cgi?id=1372042
https://fedorahosted.org/sssd/ticket/2977

If there are no updates with a fix available you might want to set

    ldap_user_certificate = noSuchAttribute

in the [domain/...] section of sssd.conf to tell SSSD to not read the
certificates from the server. As an alternative you can add CA
certificates needed to validate the user certificates properly to
/etc/pki/nssdb.

HTH

bye,
Sumit

> L.
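
An added example, not part of the original thread and not SSSD project code: a small audit that reports, for each enabled domain in an sssd.conf, whether the `ldap_user_certificate` override from the reply above is in place, and flags sections where it was set but has no effect. The sample file and domain names are constructed, and the sketch assumes domains are enabled through the `domains` list in `[sssd]`.

```python
import configparser

OPTION = "ldap_user_certificate"

# Constructed sssd.conf for illustration; the domain names are placeholders.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = ipa.example.test, lab.example.test

[domain/ipa.example.test]
id_provider = ipa
ldap_user_certificate = noSuchAttribute

[domain/lab.example.test]
id_provider = ipa

[domain/old.example.test]
id_provider = ipa
ldap_user_certificate = noSuchAttribute
"""


def audit_workaround(conf_text):
    """Return (per_domain, misplaced) for the ldap_user_certificate override.

    per_domain maps each domain enabled in [sssd] 'domains' to the configured
    value, or None when the option is absent from its [domain/...] section.
    misplaced lists sections that carry the option but are not the section of
    an enabled domain.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    per_domain = {d: cp.get("domain/" + d, OPTION, fallback=None) for d in enabled}
    active_sections = {"domain/" + d for d in enabled}
    misplaced = [s for s in cp.sections()
                 if cp.has_option(s, OPTION) and s not in active_sections]
    return per_domain, misplaced


if __name__ == "__main__":
    domains, misplaced = audit_workaround(SAMPLE_SSSD_CONF)
    for name, value in domains.items():
        print(f"{name}: {OPTION} = {value if value else '(not set)'}")
    for section in misplaced:
        print(f"[{section}] sets {OPTION} but is not an enabled domain")
```

The same report helps later to find hosts that still carry the override once an SSSD update with the fix is installed.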



