Hi,
As in the title, a very odd behaviour: if I keep opening new ssh sessions using
the same IPA user, after a few successful ones I get an ssh authentication
failed error, and in the krb5 logs on the freeipa server I can see the
following errors:
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
At the same time, I can use the same user and connect to other hosts or use
kinit or the freeipa web portal. It looks like after N successful attempts I'm
hitting some kind of time or max concurrent connections limit, but I can't find
any related settings. It's standard Fedora-based freeipa 4.8.10 and the hosts
to connect to are Ubuntu. If I wait a few minutes I'm allowed to open another
connection, but then again if I try to open a few I hit the error. I've been
checking KRB_TRACE for kinit and sshd DEBUG3 level logs, but I can't find why
it would happen; the only error is the one above with pre-auth.
Thanks