[Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command
Sumit Bose
sbose at redhat.com
Mon Jan 9 09:55:05 UTC 2017
On Sat, Jan 07, 2017 at 02:14:45AM +0000, Chen Lufan wrote:
> Dear Team,
>
> I am new to freeIPA and GSS authentication so maybe someone can shed a light on where the issue is when I perform below ssh? Your help will be greatly appreciated!
>
>
> host2$ ssh -F /home/user/config user at host1.example.com
>
>
> I got below error in audit.log in host1 :
>
> type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'
> type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'
There are older reports that a similar audit message was triggered by
wrong SELinux labels on $HOME/.ssh and the files within. Although none
of the typical files in this directory are needed by GSSAPI
authentication it might worth to check. Does authentication work if you
temporally disable SELinux by calling 'setenforce 0' as root on the
command line?
HTH
bye,
Sumit
>
>
> where
>
> host2$ more /home/user/config
> Host *
> Protocol 2
>
> # Options for Protocol 1 only
> #RSAAuthentication no
> #RhostsRSAAuthentication no
>
> HostbasedAuthentication no
> PubKeyAuthentication no
> PasswordAuthentication no
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> PreferredAuthentications gssapi-with-mic
>
> StrictHostKeyChecking no
> CheckHostIP no
>
> LogLevel FATAL
>
> UserKnownHostsFile /uhome/installer/.ssh/known_hosts
> IdentityFile /uhome/installer/.ssh/id_rsa
>
>
> AND on host1:
>
> # grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"
> Protocol 2
> SyslogFacility AUTHPRIV
> LogLevel INFO
> PermitRootLogin no
> PubkeyAuthentication yes
> HostbasedAuthentication no
> IgnoreRhosts yes
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> UsePAM yes
> AllowTcpForwarding no
> X11Forwarding no
> PrintMotd no
> UseDNS no
> Banner /etc/issue.net
> Subsystem sftp /usr/libexec/openssh/sftp-server
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
>
> host1# more krb5.conf
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
> kdc = auth1.iad.example.com.
> kdc = auth2.iad.example.com.
> admin_server = auth1.iad.example.com.
>
> default_domain = example.com
> pkinit_anchors = FILE:/etc/ipa/ca.crt
>
> auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
> auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
> auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//
> auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
> Thanks,
>
> Lufan
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list