[Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command
Chen Lufan
luchen26 at hotmail.com
Sat Jan 7 02:14:45 UTC 2017
Dear Team,
I am new to FreeIPA and GSS authentication, so maybe someone can shed some light on where the issue is when I perform the ssh command below? Your help will be greatly appreciated!
host2$ ssh -F /home/user/config user@host1.example.com
I got the error below in audit.log on host1:
type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'
type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'
where
host2$ more /home/user/config
Host *
    Protocol 2
    # Options for Protocol 1 only
    #RSAAuthentication no
    #RhostsRSAAuthentication no
    HostbasedAuthentication no
    PubKeyAuthentication no
    PasswordAuthentication no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    PreferredAuthentications gssapi-with-mic
    StrictHostKeyChecking no
    CheckHostIP no
    LogLevel FATAL
    UserKnownHostsFile /uhome/installer/.ssh/known_hosts
    IdentityFile /uhome/installer/.ssh/id_rsa
And on host1:
# grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
UseDNS no
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
host1# more krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = auth1.iad.example.com.
kdc = auth2.iad.example.com.
admin_server = auth1.iad.example.com.
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
auth_to_local = DEFAULT
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Thanks,
Lufan
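An added example, not from the post and not FreeIPA, OpenSSH or MIT krb5 code: a small Python model of the auth_to_local rules in the krb5.conf above. With GSSAPIAuthentication, sshd accepts the ticket only if krb5_kuserok() says the authenticated principal may log in as the requested user, which, when ~/.k5login is absent (and no localauth plugin takes over), means the principal must translate to exactly that user name through these rules. Running the rules over constructed principals shows which Kerberos identities end up as "user" for the "ssh user@host1.example.com" command in the post. Assumptions: principals contain no backslash escapes; MIT RULE semantics (the regexp must match the whole selection string, the first applicable rule wins, DEFAULT only translates single-component principals of the default realm); and Python's re module in place of POSIX extended regexps, which is equivalent for the patterns in this file. The rule strings are copied from the post; the sample principals and the ssh_user_ok helper are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# The four auth_to_local lines from the krb5.conf in the post, in order.
RULES = [
    "RULE:[2:$1;$2](.*;root)s/;root$//",
    "RULE:[2:$1;$2](.*;admin)s/;admin$//",
    "RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//",
    "DEFAULT",
]
DEFAULT_REALM = "EXAMPLE.COM"


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).
    Assumption: no backslash-escaped '/' or '@' in the name."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError(f"principal without name or realm: {principal!r}")
    return name.split("/"), realm


class Rule:
    """One MIT 'RULE:[n:string](regexp)s/pattern/replacement/g' entry."""

    def __init__(self, text: str) -> None:
        head = re.match(r"RULE:\[(\d+):([^\]]*)\]\(", text)
        if not head:
            raise ValueError(f"bad auth_to_local rule: {text!r}")
        self.ncomp = int(head.group(1))   # number of components the rule needs
        self.select = head.group(2)       # selection string, e.g. "$1;$2"
        # Find the ')' closing the regexp, allowing nested groups inside it.
        depth, end = 1, head.end()
        while end < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[end], 0)
            end += 1
        if depth:
            raise ValueError(f"unbalanced regexp in {text!r}")
        self.regexp = re.compile(text[head.end():end - 1])
        # Zero or more substitutions, each 's<d>pattern<d>replacement<d>[g]'.
        self.subs = []
        rest = text[end:]
        while rest:
            if rest[0] != "s" or len(rest) < 2:
                raise ValueError(f"bad substitution in {text!r}")
            parts = rest[2:].split(rest[1], 2)
            if len(parts) != 3:
                raise ValueError(f"bad substitution in {text!r}")
            pattern, replacement, rest = parts
            count = 1                      # replace the first match only ...
            if rest.startswith("g"):       # ... unless the 'g' flag is present
                count, rest = 0, rest[1:]
            self.subs.append((re.compile(pattern), replacement, count))

    def apply(self, components: List[str], realm: str) -> Optional[str]:
        if len(components) != self.ncomp:
            return None
        # Build the selection string: $0 is the realm, $1..$n the components.
        def pick(m):
            idx = int(m.group(1))
            if idx > len(components):
                raise ValueError(f"${idx} out of range for {components}")
            return realm if idx == 0 else components[idx - 1]
        selected = re.sub(r"\$(\d+)", pick, self.select)
        # libkrb5 requires the regexp to match the whole selection string.
        if not self.regexp.fullmatch(selected):
            return None
        for pattern, replacement, count in self.subs:
            selected = pattern.sub(replacement, selected, count=count)
        return selected


def auth_to_local(principal: str, rules: List[str], default_realm: str) -> Optional[str]:
    """First applicable rule wins; None means no local name, so login is denied."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT translates only single-component principals of the
            # default realm; anything else is untranslatable.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        mapped = Rule(rule).apply(components, realm)
        if mapped is not None:
            return mapped
    return None


def ssh_user_ok(principal: str, login_user: str) -> bool:
    """Constructed stand-in for krb5_kuserok() with no ~/.k5login present:
    the authenticated principal must map to exactly the requested login name."""
    return auth_to_local(principal, RULES, DEFAULT_REALM) == login_user


if __name__ == "__main__":
    # Constructed sample principals; the last two show that the first two rules
    # never look at the realm and that DEFAULT rejects any instance it does not know.
    for p in ["user@EXAMPLE.COM", "user/root@EXAMPLE.COM", "user/admin@EXAMPLE.COM",
              "bob@AD.CORP.EXAMPLE.COM", "user/root@OTHER.REALM", "user/foo@EXAMPLE.COM"]:
        print(f"{p:28} -> {auth_to_local(p, RULES, DEFAULT_REALM)!r}"
              f"  ssh user@host1 allowed: {ssh_user_ok(p, 'user')}")
```

Two things worth noticing in the output: the first two rules build their selection string from $1;$2 only and never include $0, so a something/root or something/admin principal from any realm the host trusts (a cross-realm trust, for instance) maps to the local account "something"; add $0 to the selection string and the realm to the regexp if that is not intended. The unescaped dots in the third rule's regexp also match any character, so its realm check is looser than it reads.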