<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Dear Team,</p>
<p>I am new to FreeIPA and GSS authentication, so maybe someone can shed some light on where the issue is when I perform the ssh below? Your help will be greatly appreciated!</p>
<p><br>
</p>
<p>host2$ ssh -F /home/user/config user@host1.example.com</p>
<p><br>
</p>
<p>I got the error below in audit.log on host1:</p>
<div>type=CRYPTO_SESSION msg=audit(1483753488.905:727): user pid=17872 uid=0 auid=6974 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=36989 laddr=67.217.92.20 lport=22 id=4294967295 exe="/usr/sbin/sshd" (hostname=?, addr=10.22.6.70, terminal=? res=success)'</div>
<div>type=USER_ERR msg=audit(1483753489.839:728): user pid=17872 uid=0 auid=6974 msg='PAM: bad_ident acct="?" : exe="/usr/sbin/sshd" (hostname=10.22.6.70, addr=10.22.6.70, terminal=ssh res=failed)'</div>
<div><br>
</div>
<p>where</p>
<p><span>
<div>host2$ more /home/user/config</div>
<div>Host *</div>
<div> Protocol 2</div>
<div><br>
</div>
<div> # Options for Protocol 1 only</div>
<div> #RSAAuthentication no</div>
<div> #RhostsRSAAuthentication no</div>
<div><br>
</div>
<div> HostbasedAuthentication no</div>
<div> PubKeyAuthentication no</div>
<div> PasswordAuthentication no</div>
<div><br>
</div>
<div> GSSAPIAuthentication yes</div>
<div> GSSAPIDelegateCredentials yes</div>
<div><br>
</div>
<div> PreferredAuthentications gssapi-with-mic</div>
<div><br>
</div>
<div> StrictHostKeyChecking no</div>
<div> CheckHostIP no</div>
<div><br>
</div>
<div> LogLevel FATAL</div>
<div><br>
</div>
<div> UserKnownHostsFile /uhome/installer/.ssh/known_hosts</div>
<div> IdentityFile /uhome/installer/.ssh/id_rsa</div>
<div><br>
</div>
<div><br>
</div>
<div>And on host1:</div>
<div><br>
</div>
<div>
<div># grep -v "^#" /etc/ssh/sshd_config |grep -v "^$"</div>
<div>Protocol 2</div>
<div>SyslogFacility AUTHPRIV</div>
<div>LogLevel INFO</div>
<div>PermitRootLogin no</div>
<div>PubkeyAuthentication yes</div>
<div>HostbasedAuthentication no</div>
<div>IgnoreRhosts yes</div>
<div>PermitEmptyPasswords no</div>
<div>ChallengeResponseAuthentication no</div>
<div>GSSAPIAuthentication yes</div>
<div>UsePAM yes</div>
<div>AllowTcpForwarding no</div>
<div>X11Forwarding no</div>
<div>PrintMotd no</div>
<div>UseDNS no</div>
<div>Banner /etc/issue.net</div>
<div>Subsystem sftp /usr/libexec/openssh/sftp-server</div>
<div>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</div>
<div><br>
</div>
<div>host1# more krb5.conf</div>
<div><br>
</div>
<div>
<div>[libdefaults]</div>
<div> default_realm = EXAMPLE.COM</div>
<div> dns_lookup_realm = false</div>
<div> dns_lookup_kdc = false</div>
<div> ticket_lifetime = 24h</div>
<div> forwardable = yes</div>
<div><br>
</div>
<div>[realms]</div>
<div> EXAMPLE.COM = {</div>
<div> kdc = auth1.iad.example.com.</div>
<div> kdc = auth2.iad.example.com.</div>
<div> admin_server = auth1.iad.example.com.</div>
<div><br>
</div>
<div> default_domain = example.com</div>
<div> pkinit_anchors = FILE:/etc/ipa/ca.crt</div>
<div><br>
</div>
<div> auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//</div>
<div> auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//</div>
<div> auth_to_local = RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//</div>
<div> auth_to_local = DEFAULT</div>
<div>}</div>
<div><br>
</div>
<div>[domain_realm]</div>
<div> .example.com = EXAMPLE.COM</div>
<div> example.com = EXAMPLE.COM</div>
<div><br>
</div>
<div>[appdefaults]</div>
<div> pam = {</div>
<div> debug = false</div>
<div> ticket_lifetime = 36000</div>
<div> renew_lifetime = 36000</div>
<div> forwardable = true</div>
<div> krb4_convert = false</div>
<div> }</div>
<div><br>
</div>
<br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Lufan</div>
<br>
</div>
<div><br>
</div>
<br>
</span>
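<p>An added example, not part of Lufan's message and not FreeIPA or MIT krb5 code: a small Python model of how MIT krb5 evaluates the auth_to_local rules from the krb5.conf above, so you can check which local user name a given Kerberos principal maps to before looking elsewhere. It assumes MIT's documented RULE semantics (a rule applies only when the principal has exactly n components, the selector regexp must match the whole formatted string, then the s/// substitution runs) and the DEFAULT rule (a single-component principal in the default realm maps to that component, anything else does not map); DEFAULT_REALM and the principals fed in are constructed for the example. The login_allowed() helper mirrors the check sshd makes for gssapi-with-mic when the target account has no ~/.k5login: the mapped name must equal the requested login name.</p>

```python
"""Model of MIT krb5 auth_to_local evaluation (RULE and DEFAULT), applied to
the rules from the krb5.conf above.  Constructed example, not MIT krb5 code."""
import re

# Assumption: the realm the host belongs to (default_realm in krb5.conf above).
DEFAULT_REALM = "EXAMPLE.COM"

# Rules copied from the [realms] section above, in the order krb5 tries them.
AUTH_TO_LOCAL = [
    "RULE:[2:$1;$2](.*;root)s/;root$//",
    "RULE:[2:$1;$2](.*;admin)s/;admin$//",
    "RULE:[1:$1@$0](.*@AD.CORP.EXAMPLE.COM)s/@.*$//",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pattern/replacement/[g]
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$"
)


def split_principal(principal):
    """'user/admin@EXAMPLE.COM' -> (['user', 'admin'], 'EXAMPLE.COM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: " + principal)
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Return the local name produced by one rule, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT: exactly one component and the default realm, else not applicable.
        if len(components) == 1 and realm == DEFAULT_REALM:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, selector, pattern, replacement, flag = m.groups()
    if len(components) != int(ncomp):
        return None

    # Build the selection string: $0 is the realm, $n the n-th component.
    def expand(mo):
        idx = int(mo.group(1))
        return realm if idx == 0 else components[idx - 1]

    selected = re.sub(r"\$(\d+)", expand, fmt)
    # MIT requires the selector regexp to match the entire formatted string.
    if re.fullmatch(selector, selected) is None:
        return None
    # s/pattern/replacement/ replaces the first match; the g flag makes it global.
    return re.sub(pattern, replacement, selected, count=0 if flag == "g" else 1)


def map_principal(principal, rules=AUTH_TO_LOCAL):
    """Return (local_name, rule_that_fired); (None, None) when no rule applies,
    which is the case krb5_aname_to_localname reports as a failure."""
    components, realm = split_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local, rule
    return None, None


def login_allowed(principal, requested_user):
    """Mirror of sshd's GSSAPI user check when there is no ~/.k5login:
    the principal's mapped local name must equal the requested login name."""
    local, _ = map_principal(principal)
    return local == requested_user


if __name__ == "__main__":
    # Constructed principals; 'user' is the login name from the ssh command above.
    for p in [
        "user@EXAMPLE.COM",
        "user/admin@EXAMPLE.COM",
        "user/root@EXAMPLE.COM",
        "bob@AD.CORP.EXAMPLE.COM",
        "user@OTHER.EXAMPLE.COM",
        "host/host2.example.com@EXAMPLE.COM",
    ]:
        print(f"{p:40} -> {map_principal(p)}")
    print("ssh user@host1 with user@EXAMPLE.COM allowed:",
          login_allowed("user@EXAMPLE.COM", "user"))
```

<p>With the posted rules, user@EXAMPLE.COM falls through to DEFAULT and maps to "user", so the rule set itself would not reject the ssh command above; the two-component rules strip the root and admin instances rather than mapping them to those accounts, and a principal from any realm other than EXAMPLE.COM or AD.CORP.EXAMPLE.COM does not map at all. If the mapped name does equal the requested login name, the next things to compare are the principal sshd actually received (visible in sshd debug output on host1) and whether that local name resolves on host1 at all.</p>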
</div>
</body>
</html>