[Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

Chen Lufan luchen26 at hotmail.com
Sat Jan 7 02:14:45 UTC 2017


Dear Team,

I am new to freeIPA and GSS authentication, so perhaps someone can shed some light on where the issue is when I run the ssh command below? Your help will be greatly appreciated!


host2$  ssh -F /home/user/config   user@host1.example.com


I get the error below in audit.log on host1:

type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'


where the client-side config is:

host2$ more /home/user/config
Host *
    Protocol 2

    # Options for Protocol 1 only
    #RSAAuthentication no
    #RhostsRSAAuthentication no

    HostbasedAuthentication no
    PubKeyAuthentication no
    PasswordAuthentication no

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

    PreferredAuthentications gssapi-with-mic

    StrictHostKeyChecking no
    CheckHostIP no

    LogLevel FATAL

    UserKnownHostsFile /uhome/installer/.ssh/known_hosts
    IdentityFile /uhome/installer/.ssh/id_rsa


and on host1:

# grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/issue.net
Subsystem       sftp    /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

host1# more krb5.conf

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = auth1.iad.example.com.
    kdc = auth2.iad.example.com.
    admin_server = auth1.iad.example.com.

    default_domain = example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt

    auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
    auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
    auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
    auth_to_local = DEFAULT
}

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }


Thanks,

Lufan




