[Freeipa-users] SSH as Root on CentOS 7 fails

Geordie Grindle geordie.grindle at gmail.com
Mon Oct 31 20:17:08 UTC 2016


Hello,

I’m unable to ssh as ‘root’ onto any of my new CentOS 7 hosts. I’ve always been able to do so on CentOS 6.x.

We normally have the file ‘/root/.k5login’ listing the designated system admins’ principals. Once on a CentOS 7 host, an admin can ‘ksu’ and become root as we expected.

We are using Puppet and Foreman to build our hosts, so they are, in every way we can think of, identical except for the OS version.

I’ve confirmed forward and reverse DNS and that the ‘kvno’ number matches what’s reported by ‘klist -k’. 

I enabled “LogLevel DEBUG” in sshd_config and restarted sshd on a CentOS 7 host:

Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method none [preauth]
Oct 31 19:22:36 someserver sshd[12378]: debug1: attempt 0 failures 0 [preauth]
Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: initializing for "testuser"
Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: setting PAM_RHOST to "someserver.test.com"
Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic [preauth]
Oct 31 19:22:36 someserver sshd[12378]: debug1: attempt 1 failures 0 [preauth]
Oct 31 19:22:36 someserver sshd[12378]: Postponed gssapi-with-mic for testuser from 10.0.0.55 port 36383 ssh2 [preauth]
Oct 31 19:22:36 someserver sshd[12378]: debug1: Received some client credentials
Oct 31 19:22:36 someserver sshd[12378]: Authorized to testuser, krb5 principal testuser at TEST.COM (ssh_gssapi_krb5_cmdok)

################

Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Oct 31 19:35:42 someserver sshd[12409]: debug1: attempt 0 failures 0 [preauth]
Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: initializing for "root"
Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: setting PAM_RHOST to "someserver.test.com"
Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
Oct 31 19:35:42 someserver sshd[12409]: debug1: attempt 1 failures 0 [preauth]
Oct 31 19:35:42 someserver sshd[12409]: Postponed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2 [preauth]
Oct 31 19:35:42 someserver sshd[12409]: debug1: Received some client credentials
Oct 31 19:35:42 someserver sshd[12409]: Failed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2
...
Oct 31 19:35:42 someserver sshd[12577]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
Oct 31 19:35:42 someserver sshd[12577]: debug1: attempt 4 failures 1 [preauth]

Appreciate any thoughts or suggestions you have.

Yours,
Geordie Grindle
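
An added example, not part of the original post: a small Python summarizer for sshd DEBUG output like the two sessions quoted above, grouping lines by sshd PID so the authorized and the failed gssapi-with-mic attempts can be compared side by side. The sample lines are constructed in the format of the quoted log, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the sshd DEBUG lines quoted in the post.
SAMPLE = """\
Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic [preauth]
Oct 31 19:22:36 someserver sshd[12378]: Postponed gssapi-with-mic for testuser from 10.0.0.55 port 36383 ssh2 [preauth]
Oct 31 19:22:36 someserver sshd[12378]: Authorized to testuser, krb5 principal testuser at TEST.COM (ssh_gssapi_krb5_cmdok)
Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
Oct 31 19:35:42 someserver sshd[12409]: Postponed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2 [preauth]
Oct 31 19:35:42 someserver sshd[12409]: Failed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
# The list archive rewrites "@" as " at ", so accept both spellings.
AUTHORIZED = re.compile(
    r"Authorized to (\S+), krb5 principal (\S+?)(?: at |@)(\S+) \((\w+)\)")
FAILED = re.compile(r"Failed (\S+) for (\S+) from (\S+)")

def summarize(log_text):
    """Group sshd lines by PID and record user, methods tried, and outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {
            "user": None, "methods": [], "principal": None,
            "check": None, "failed": []})
        msg = m["msg"]
        if (r := REQUEST.search(msg)):
            s["user"] = r[1]
            if r[2] not in s["methods"]:
                s["methods"].append(r[2])
        elif (a := AUTHORIZED.search(msg)):
            s["principal"], s["check"] = f"{a[2]}@{a[3]}", a[4]
        elif (f := FAILED.search(msg)):
            s["failed"].append(f[1])
    return sessions

def gssapi_denied(sessions):
    """PIDs where gssapi-with-mic failed and no principal was ever authorized."""
    return [pid for pid, s in sessions.items()
            if "gssapi-with-mic" in s["failed"] and s["principal"] is None]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for pid, s in result.items():
        print(pid, s)
    print("denied:", gssapi_denied(result))
```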




