[Freeipa-users] Issues with FreeIPA SSH Key authentication

Venkataramana Kintali venkataramana.kintali at gmail.com
Tue Sep 20 07:04:59 UTC 2016


Thank you Lukas.
The issue, not being able to log in to some servers in our setup with ssh
keys, was due to incorrect permissions on the /usr directory, per the following
entry in /var/log/secure.

sshd[12856]: error: bad ownership or modes for AuthorizedKeysCommand path
component "/usr"

After setting the permissions on /usr to 755, I was able to log in to
these servers with ssh private keys.

Thank you again, Lukas, for your help.

Regards
Venkataramana

On Fri, Sep 16, 2016 at 11:51 AM, Lukas Slebodnik <lslebodn at redhat.com>
wrote:

> On (15/09/16 11:46), Venkataramana Kintali wrote:
> >Hi Lukas,
> >ssh_config is also same on all servers.
> >Our need is to do it both ways, to be able to log in with ssh public
> >keys (uploaded in IPA) and disable password login, and be able to access
> >all hosts within the same IPA domain silently from any host.
> >Hoping the configs will help, I am including the configurations here.
> >
> >ssh_config file :  http://pastebin.com/MWHyH1Qw
> >sshd_config file: http://pastebin.com/gpn5XhXM
> >sssd_config file: http://pastebin.com/5Pby6xKp
> >
> Looks good to me
>
> >I just used some placeholders for sssd_config file in pastebin instead of
> >actual values.
> >
>
> In initial mail you wrote:
> >I am able to login to some IPA clients but not able to login to other IPA
> >clients with putty using private key and passphrase.
> Therefore your previous test case is wrong.
> If you want to test authentication with public keys
> then you cannot obtain krb5 ticket with kinit.
>
> I would also recommend to call kdestroy before
> authentication with ssh to be sure that gssapi
> authentication will not be used.
>
> I would recommend to set "debug_level = 7" in domain and ssh section
> on the server where you would like to authenticate.
> then restart sssd and try to authenticate with ssh + verbose mode
> e.g. ssh -v user@remote.host
>
> Then I would recommend to compare logs from working server
> and from broken server.
>
> LS
>
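The check behind the "bad ownership or modes for AuthorizedKeysCommand path component" error, re-implemented in shell as an added example (not code from the thread, from OpenSSH or from SSSD): sshd walks from the command binary up to "/" and refuses to run the command at all if any directory on the way is not owned by root or is writable by group or others, so the SSSD key lookup never happens and publickey auth fails on that host only. The command path /usr/bin/sss_ssh_authorizedkeys is an assumption (the usual AuthorizedKeysCommand on an IPA client); the pastebin configs are not reproduced above.

```shell
#!/bin/sh
# Added example, not from the thread, OpenSSH or SSSD: emulate sshd's
# ownership/mode walk over an AuthorizedKeysCommand path and print the
# first offending component plus the fix. The default command path is an
# assumption (typical on an IPA client).
AKC=${AKC:-/usr/bin/sss_ssh_authorizedkeys}

# component_ok UID MODE: 0 if a component owned by UID with octal MODE
# (as printed by stat: 755, 1777, ...) passes sshd's test, 1 otherwise.
# sshd requires uid 0 and no group/other write bit (mode & 022 == 0);
# the "0$mode" prefix makes the shell parse MODE as octal.
component_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# path_components PATH: PATH and every ancestor directory, one per line,
# ending with "/", in the order sshd inspects them.
path_components() {
    p=$1
    while :; do
        printf '%s\n' "$p"
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# uid_and_mode PATH: "uid mode" for PATH, working with GNU or BSD stat.
uid_and_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1"
}

# check_akc_path PATH: report the first unsafe component the way sshd
# logs it, and the chown/chmod that would clear it. Returns 1 on the
# first failure, 2 if a component cannot be stat'ed, 0 if all are safe.
check_akc_path() {
    target=$1
    for comp in $(path_components "$target"); do
        um=$(uid_and_mode "$comp") || return 2
        set -- $um
        if ! component_ok "$1" "$2"; then
            echo "bad ownership or modes for AuthorizedKeysCommand path component \"$comp\" (uid=$1 mode=$2)"
            echo "fix: chown root \"$comp\" && chmod go-w \"$comp\""
            return 1
        fi
    done
    echo "all components of $target are root-owned and not group/world writable"
    return 0
}

# Usage: sh check_akc.sh [/path/to/AuthorizedKeysCommand]
if [ "$#" -gt 0 ]; then
    check_akc_path "$1"
    exit $?
fi
```

Run it as any user on a host where publickey login fails; a /usr of mode 775 or 777 shows up immediately as the first rejected component, which is the case reported above. Note that a world-writable parent such as /tmp is rejected even with the sticky bit set, because sshd only looks at the 022 bits, so a command staged under /tmp for testing will never be accepted.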