mir mal via FreeIPA-users wrote:
> Hi,
> 
> As in the title, a very odd behaviour: if I keep opening new ssh sessions 
> using the same IPA user, after a few successful ones I get an ssh 
> authentication failed error, and in the krb5 logs on the freeipa server I 
> can see the following errors:
> Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes 
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), 
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: 
> NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
> Additional pre-authentication required
> Nov 19 07:21:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
> 
> At the same time, I can use the same user and connect to other hosts or use 
> kinit or the freeipa web portal. It looks like after N successful attempts 
> I'm hitting some kind of time or max concurrent connections limit, but I 
> can't find any related settings. It's standard Fedora-based freeipa 4.8.10 
> and the hosts to connect to are ubuntu. If I wait a few minutes I'm allowed 
> to open another connection, but then again if I try to open a few I hit the 
> error. I've been checking KRB_TRACE for kinit and sshd DEBUG3 level logs but 
> I can't find why it would happen; the only error is the one above with 
> pre-auth.

I think you'll need to provide more details on your environment. What
auth mechanism are you using for ssh, for example?

How certain are you that the pre-auth failure is related to the ssh
failure? Are you thinking that on the remote side a kinit is happening
upon login?

How is the connection failing on the remote side? sssd logging would be
useful to see.

rob