[Freeipa-users] GSSAPI authentication from trusted AD domain

Sumit Bose sbose at redhat.com
Fri May 5 08:39:43 UTC 2017


On Wed, May 03, 2017 at 11:28:18AM +0200, Tiemen Ruiten wrote:
> Tickets on the FreeIPA host after connecting (with a password):
> 
> [adm.tiemen@clients.rdmedia.com@neodymium ~]$ klist
> Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
> Default principal: adm.tiemen@CLIENTS.RDMEDIA.COM
> 
> Valid starting       Expires              Service principal
> 05/03/2017 11:26:03  05/03/2017 21:26:03  krbtgt/CLIENTS.RDMEDIA.COM@CLIENTS.RDMEDIA.COM
>         renew until 05/04/2017 11:26:03
> 
> 
> 
> Tickets on the AD laptop after a connection attempt:
> 
> C:\Users\adm.tiemen.CLIENTS>klist
> 
> Current LogonId is 0:0x587aa
> 
> Cached Tickets: (2)
> 
> #0>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
>         Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
>         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>         Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>         Start Time: 5/3/2017 11:12:46 (local)
>         End Time:   5/3/2017 21:12:46 (local)
>         Renew Time: 5/10/2017 11:12:46 (local)
>         Session Key Type: AES-256-CTS-HMAC-SHA1-96
>         Cache Flags: 0x1 -> PRIMARY
>         Kdc Called: vm-win-01.clients.rdmedia.com
> 
> #1>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
>         Server: LDAP/vm-win-01.clients.rdmedia.com/clients.rdmedia.com @ CLIENTS.RDMEDIA.COM
>         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>         Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
>         Start Time: 5/3/2017 11:12:46 (local)
>         End Time:   5/3/2017 21:12:46 (local)
>         Renew Time: 5/10/2017 11:12:46 (local)
>         Session Key Type: AES-256-CTS-HMAC-SHA1-96
>         Cache Flags: 0
>         Kdc Called: vm-win-01.clients.rdmedia.com

There is no ticket for
host/neodymium.test.ams.i.rdmedia.com@TEST.AMS.I.RDMEDIA.COM
nor a cross-realm ticket
krbtgt/TEST.AMS.I.RDMEDIA.COM@CLIENTS.RDMEDIA.COM

So it looks like the ssh client in the Windows host didn't try to get a
Kerberos ticket for the IPA client. Did you use the FQDN
neodymium.test.ams.i.rdmedia.com when trying to connect to the IPA
client?

According to the logs it looks like you are using kitty, have you tried
to use putty?

bye,
Sumit

> 
> On 2 May 2017 at 19:45, Tiemen Ruiten <t.ruiten at rdmedia.com> wrote:
> 
> > It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
> > for mapping. However on the AD host:
> >
> > Microsoft Windows [Version 6.3.9600]
> >
> > (c) 2013 Microsoft Corporation. All rights reserved.
> >
> >
> > adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>klist
> >
> >
> > Current LogonId is 0:0x603b58
> >
> >
> > Cached Tickets: (0)
> >
> >
> > adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>
> >
> > Note that this is the domain controller and I'm logged in using the
> > experimental Win32-OpenSSH server. Not sure if that makes a difference. I
> > am not currently in the office, so unfortunately can't turn on the only
> > joined laptop in this domain.
> >
> > How can I ensure a proper ticket is generated?
> >
> > On 2 May 2017 at 18:25, Sumit Bose <sbose at redhat.com> wrote:
> >
> >> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> >> > I think I just realised that my expectation may be wrong: GSSAPI login with
> >> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> >> > correct to also expect passwordless login with an AD user to a FreeIPA host?
> >>
> >> The AD user case should work as well.
> >>
> >> First please send the SSSD version you use on the IPA client,
> >> alternatively you can check if
> >> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
> >> would tell if SSSD can map the user name to the Kerberos principal or if
> >> additional configuration is needed.
> >>
> >> On the AD host please check after trying to connect with ssh if there is
> >> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
> >> or PowerShell.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > On 2 May 2017 at 17:40, Jason B. Nance <jason at tresgeek.net> wrote:
> >> >
> >> > > Hi Tiemen,
> >> > >
> >> > > To be clear, what I'm trying to do: log in from an AD account
> >> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> >> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> >> > > expect to be logged in through GSSAPI, instead I get a password prompt.
> >> > >
> >> > > I'm assuming that you are coming from a Windows client that is domain
> >> > > joined and logged into that Windows client with the same domain credentials
> >> > > that you are using to connect to the IPA-joined host.  Do you also have
> >> > > your SSH client configured to attempt GSSAPI?  It appears that you do from
> >> > > the logs you provided but I'm just double-checking.
> >> > >
> >> > > In my setup I've found that this feature does not work all of the time.
> >> > > I've not yet been able to track it down and I'm assuming it has something
> >> > > to do with connections to domain controllers timing out, but at this point
> >> > > that is speculation.
> >> > >
> >> > > So to answer your question, yes, that should work.  Sorry I don't have
> >> > > more information for you, I guess I'm basically "me too"ing your post.
> >> > >
> >> > > Regards,
> >> > >
> >> > > j
> >> > >
> >> > > Is this supposed to work? Did I miss something?
> >> > >
> >> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
> >> > >
> >> > > May  2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> >> > > May  2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> >> > > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state:
> >> entering fd
> >> > > = 8 config len 922
> >> > > May  2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> >> > > May  2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> >> > > May  2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5
> >> > > newsock 5 pipe 7 sock 8
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after
> >> dupping:
> >> > > 3, 3
> >> > > May  2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155
> >> port
> >> > > 53106 on 192.168.50.63 port 22
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0; client software version PuTTY_KiTTY
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility
> >> mode
> >> > > for protocol 2.0
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: Local version string
> >> > > SSH-2.0-OpenSSH_6.6.1
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init:
> >> preparing
> >> > > rlimit sandbox
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid
> >> 753
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor
> >> started
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid:
> >> 74/74
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> >> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 42 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 43 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 42
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 43
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5S
> >> lw5Ew8Mqkay+
> >> > > al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve
> >> > > 25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> >> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> >> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> >> > > group14-sha1,diffie-hellman-group1-sha1 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> >> > > 28-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305@
> >> openssh.com
> >> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> >> > > aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> >> > > 28-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305@
> >> openssh.com
> >> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> >> > > aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e
> >> tm at openssh.com
> >> > > ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac
> >> -sha2-512-etm@
> >> > > openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm@
> >> openssh.com,
> >> > > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com
> >> ,umac-
> >> > > 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> >> > > mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e
> >> tm at openssh.com
> >> > > ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac
> >> -sha2-512-etm@
> >> > > openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm@
> >> openssh.com,
> >> > > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com
> >> ,umac-
> >> > > 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> >> > > mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> >> > > zlib at openssh.com [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> >> > > zlib at openssh.com [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > first_kex_follows 0  [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> reserved 0
> >> > >  [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> >> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> >> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> >> > > group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
> >> > > ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-
> >> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com
> >> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-
> >> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com
> >> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> >> > > 256-etm at openssh.com,hmac-sha1-etm at openssh.com,hmac-sha1-96-e
> >> tm at openssh.com
> >> > > ,hmac-md5-etm at openssh.com [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> >> > > 256-etm at openssh.com,hmac-sha1-etm at openssh.com,hmac-sha1-96-e
> >> tm at openssh.com
> >> > > ,hmac-md5-etm at openssh.com [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> none,zlib
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> none,zlib
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> > > first_kex_follows 0  [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> >> reserved 0
> >> > >  [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> >> > > hmac-sha2-256 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex: client->server
> >> > > aes256-ctr hmac-sha2-256 none [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> >> > > hmac-sha2-256 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex: server->client
> >> > > aes256-ctr hmac-sha2-256 none [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex:
> >> > > curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 120 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 121 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 120
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 121
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: kex:
> >> > > curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 120 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 121 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 120
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 121
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: expecting
> >> > > SSH2_MSG_KEX_ECDH_INIT [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering
> >> [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 6 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for
> >> > > MONITOR_ANS_SIGN [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 7 [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 6
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature
> >> > > 0x7f7ea34ed250(83)
> >> > > May  2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 7
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used
> >> once,
> >> > > disabling now
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1
> >> [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent
> >> > > [preauth]
> >> > > May  2 17:10:32 neodymium sshd[752]: debug1: expecting
> >> SSH2_MSG_NEWKEYS
> >> > > [preauth]
> >> > > May  2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0
> >> [preauth]
> >> > > May  2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received
> >> > > [preauth]
> >> > > May  2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> >> > > adm.tiemen at clients.rdmedia.com service ssh-connection method none
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0
> >> [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 8 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow:
> >> waiting for
> >> > > MONITOR_ANS_PWNAM [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 9 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 8
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map
> >> address
> >> > > 192.168.10.155.
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: parse_server_config:
> >> config
> >> > > reprocess config len 922
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow:
> >> sending
> >> > > MONITOR_ANS_PWNAM: 1
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 9
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used
> >> once,
> >> > > disabling now
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> >> > > setting up authctxt for adm.tiemen at clients.rdmedia.com [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 100 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 4 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 80 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> >> try
> >> > > method none [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 100
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for "
> >> > > adm.tiemen at clients.rdmedia.com"
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to
> >> > > "192.168.10.155"
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to
> >> "ssh"
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used
> >> once,
> >> > > disabling now
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> >> > > adm.tiemen at clients.rdmedia.com service ssh-connection method
> >> > > gssapi-with-mic [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0
> >> [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> >> try
> >> > > method gssapi-with-mic [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 42 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 43 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 4
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv:
> >> > > service=ssh-connection, style=
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used
> >> once,
> >> > > disabling now
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 80
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role=
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used
> >> once,
> >> > > disabling now
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 42
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 43
> >> > > May  2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for adm.tiemen@clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user
> >> > > adm.tiemen at clients.rdmedia.com service ssh-connection method
> >> > > keyboard-interactive [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0
> >> [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request:
> >> try
> >> > > method keyboard-interactive [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs
> >> > >  [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user=
> >> > > adm.tiemen at clients.rdmedia.com devs= [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices
> >> 'pam'
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start:
> >> > > devices pam [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device:
> >> devices
> >> > > <empty> [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start:
> >> trying
> >> > > authentication method 'pam' [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx
> >> [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 104 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx:
> >> waiting
> >> > > for MONITOR_ANS_PAM_INIT_CTX [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 105 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 104
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 105
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 106 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting
> >> for
> >> > > MONITOR_ANS_PAM_QUERY [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect
> >> > > entering: type 107 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> >> > > request 106
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query
> >> entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering
> >> > > May  2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv
> >> > > entering, 1 messages
> >> > > May  2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1
> >> > > May  2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> >> > > type 107
> >> > > May  2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query:
> >> pam_query
> >> > > returned 0 [preauth]
> >> > > May  2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive
> >> for
> >> > > adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2
> >> > > [preauth]
> >> > >
> >> > > --
> >> > > Tiemen Ruiten
> >> > > Systems Engineer
> >> > > R&D Media
> >> > >
> >> > > --
> >> > > Manage your subscription for the Freeipa-users mailing list:
> >> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >> > > Go to http://freeipa.org for more info on the project
> >> > >
> >> > >
> >> > >
> >> >
> >> >
> >> > --
> >> > Tiemen Ruiten
> >> > Systems Engineer
> >> > R&D Media
> >>
> >>
> >
> >
> >
> > --
> > Tiemen Ruiten
> > Systems Engineer
> > R&D Media
> >
> 
> 
> 
> -- 
> Tiemen Ruiten
> Systems Engineer
> R&D Media
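
The ticket check described in the reply at the top of this message, as an added example that is not part of the original thread: it parses Windows `klist` output and reports which of the two expected principals (the `host/` service ticket for the IPA client and the cross-realm `krbtgt/`) are absent. The function names are hypothetical; the first sample reproduces the `klist` output quoted above with the `@` signs restored, and the second sample is constructed.

```python
import re

# Each cached ticket in Windows `klist` output starts with "#<n>>" at line start.
_TICKET = re.compile(r"^#\d+>", re.MULTILINE)
# "Server: <principal> @ <REALM>"; \s* also spans a line wrapped after the "@".
_SERVER = re.compile(r"Server:\s*(\S+)\s*@\s*(\S+)")

# Output quoted in the thread (laptop, after the failed connection attempt).
THREAD_KLIST = """\
Current LogonId is 0:0x587aa

Cached Tickets: (2)

#0>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: vm-win-01.clients.rdmedia.com

#1>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: LDAP/vm-win-01.clients.rdmedia.com/clients.rdmedia.com @
CLIENTS.RDMEDIA.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: vm-win-01.clients.rdmedia.com
"""

# Constructed sample: what the cache would also hold if the SSH client had
# requested a ticket for the IPA host across the trust.
CONSTRUCTED_OK_KLIST = THREAD_KLIST + """
#2>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: krbtgt/TEST.AMS.I.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#3>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: host/neodymium.test.ams.i.rdmedia.com @ TEST.AMS.I.RDMEDIA.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""


def parse_servers(klist_text):
    """Return [(service_principal, REALM), ...] for every cached ticket."""
    servers = []
    # split()[0] is the header before the first ticket; skip it.
    for block in _TICKET.split(klist_text)[1:]:
        match = _SERVER.search(block)
        if match:
            servers.append((match.group(1), match.group(2).upper()))
    return servers


def missing_tickets(klist_text, target_fqdn, target_realm, client_realm):
    """List the expected principals that are NOT in the ticket cache.

    Expected for GSSAPI login across the trust:
      host/<target_fqdn>@<target_realm>    service ticket for the IPA client
      krbtgt/<target_realm>@<client_realm> cross-realm TGT issued by the AD KDC
    """
    have = {(spn.lower(), realm) for spn, realm in parse_servers(klist_text)}
    expected = [
        ("host/" + target_fqdn, target_realm.upper()),
        ("krbtgt/" + target_realm.upper(), client_realm.upper()),
    ]
    return [
        spn + "@" + realm
        for spn, realm in expected
        if (spn.lower(), realm) not in have
    ]


if __name__ == "__main__":
    args = ("neodymium.test.ams.i.rdmedia.com",
            "TEST.AMS.I.RDMEDIA.COM", "CLIENTS.RDMEDIA.COM")
    for name, text in (("thread", THREAD_KLIST),
                       ("constructed", CONSTRUCTED_OK_KLIST)):
        missing = missing_tickets(text, *args)
        print(name, "missing:", missing if missing else "nothing")
```
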



