[Freeipa-users] Issues with FreeIPA SSH Key authentication

Lukas Slebodnik lslebodn at redhat.com
Fri Sep 16 08:51:38 UTC 2016


On (15/09/16 11:46), Venkataramana Kintali wrote:
>Hi Lukas,
>ssh_config is also same on all servers.
>Our need is to do it both ways, to be able to login with ssh public
>keys (uploaded in IPA) and disable password login, and be able to access
>all hosts within the same IPA domain silently from any host.
>Hoping the configs will help, I am including the configurations here.
>
>ssh_config file :  http://pastebin.com/MWHyH1Qw
>sshd_config file: http://pastebin.com/gpn5XhXM
>sssd_config file: http://pastebin.com/5Pby6xKp
>
Looks good to me

>I just used some placeholders for sssd_config file in pastebin instead of
>actual values.
>

In initial mail you wrote:
>I am able to login to some IPA clients but not able to login to other IPA
>clients with putty using private key and passphrase.
Therefore your previous test case is wrong.
If you want to test authentication with public keys
then you cannot obtain krb5 ticket with kinit.

I would also recommend to call kdestroy before
authentication with ssh to be sure that gssapi
authentication will not be used.

I would recommend to set "debug_level = 7" in domain and ssh section
on the server where you would like to authenticate.
Then restart sssd and try to authenticate with ssh + verbose mode
e.g. ssh -v user@remote.host

Then I would recommend to compare logs from working server
and from broken server.

LS
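
The log comparison suggested above, as an added example that is not part of the original message: it strips the timestamps from two SSSD debug logs so that only events differing between the working and the broken host are printed. The log line layout, the file names and the sample log contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: SSSD debug lines look like
#   (timestamp) [component] [function] (level): message

# Drop the leading "(timestamp) " so the same event on two hosts compares equal.
normalize_sssd_log() {
    sed -E 's/^\([^)]*\) //'
}

# Print events present in only one log:
#   "< ..." only in $1 (working host), "> ..." only in $2 (broken host).
compare_sssd_logs() {
    a=$(mktemp); b=$(mktemp)
    normalize_sssd_log < "$1" > "$a"
    normalize_sssd_log < "$2" > "$b"
    diff "$a" "$b" | grep '^[<>]' || true
    rm -f "$a" "$b"
}

# Constructed sample logs (function names and messages are illustrative only).
write_sample_logs() {
    cat > "$1/working.log" <<'EOF'
(Fri Sep 16 08:40:01 2016) [sssd[ssh]] [lookup_user] (0x0400): Requesting SSH public keys for [alice]
(Fri Sep 16 08:40:01 2016) [sssd[ssh]] [send_reply] (0x0400): Returning 1 key(s) for [alice]
EOF
    cat > "$1/broken.log" <<'EOF'
(Fri Sep 16 08:45:17 2016) [sssd[ssh]] [lookup_user] (0x0400): Requesting SSH public keys for [alice]
(Fri Sep 16 08:45:18 2016) [sssd[ssh]] [send_reply] (0x0040): No keys found for [alice]
EOF
}

# Run the comparison on the constructed samples.
demo() {
    d=$(mktemp -d)
    write_sample_logs "$d"
    compare_sssd_logs "$d/working.log" "$d/broken.log"
    rm -rf "$d"
}

demo
```

On real hosts, pass the domain or ssh responder log copied from each server to compare_sssd_logs in place of the sample files.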



