Hi,
Sorry, maybe I wasn't detailed enough. The environments are: client Ubuntu 20.04, FreeIPA Fedora 32 - freeipa-server-4.8.9-2.fc32.x86_64.
It's an odd behaviour which should really not happen in a live environment; we've discovered it during testing and therefore started opening multiple ssh connections to the host. In our example, in real life, you wouldn't try to open 5 concurrent SSH connections to the same host in a minute, but nevertheless, the behaviour is as follows:
Start connecting via SSH to the Ubuntu client; after a few successful connections I start receiving preauth failures.
On the client, in auth.log you can't see anything other than the standard failed to auth; even at Debug3 level I couldn't find anything that would indicate a client setup issue, it looks the same as a wrong password error.
As I mentioned, exactly the same password-based method worked ok a few seconds ago, and if I wait for a few minutes it does work fine again.
The sssd log is empty, and auth.log and krb5kdc.log are not showing anything other than a standard generic error; it looks like there is some delay or max connection limit somewhere on the Kerberos side, but I couldn't find anything in the documentation. I've checked our SSH and there are no limits there; in fact, I can use public key auth for the same user on the same host no problem, it's just FreeIPA authentication that is affected. I can create tickets with kinit using the same user as well. Happy to provide more details, just don't know what details at the moment.
auth.log snippet:
Nov 27 05:54:32 csc-64 sshd[513083]: debug3: send packet: type 53 [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug1: userauth_send_banner: sent [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug2: input_userauth_request: try method none [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug3: ensure_minimum_time_since: elapsed 4.484ms, delaying 0.949ms (requested 5.433ms) [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug3: send packet: type 51 [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug3: receive packet: type 50 [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug1: userauth-request for user c111111 service ssh-connection method publickey [preauth]
Nov 27 05:54:32 csc-64 sshd[513083]: debug1: attempt 1 failures 0 [preauth]
On the FreeIPA server, krb5kdc.log snippet:
Nov 27 05:55:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 27 05:55:39 lab-ipa.stuxnet.lab krb5kdc[4894](info): closing down fd 11
klist output from an existing ssh connection on the same host, created just a few seconds before:
c111111@csc-64:~$ klist
Ticket cache: KEYRING:persistent:1938600006:krb_ccache_5K4WZSD
Default principal: [email protected]
Valid starting Expires Service principal
27/11/20 06:09:22 28/11/20 06:09:22 krbtgt/[email protected]
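An added example (my own code, not from this thread and not part of FreeIPA or MIT Kerberos): a small Python parser for krb5kdc.log AS_REQ lines of the kind quoted above. It tallies NEEDED_PREAUTH / ISSUE / PREAUTH_FAILED per (client IP, principal), notes whether the client offered deprecated or unsupported etypes, and measures the largest number of AS_REQs one client sent inside a 60-second window, so the "several logins within a minute" pattern described in the message can be compared with what the KDC actually logged. The host name, realm, principals and the sample log lines are constructed placeholders, and the function names (parse_as_req, summarize, max_burst) are my own.

```python
"""Summarise AS_REQ activity per client from krb5kdc.log lines.

Added example for this thread; not the poster's code and not FreeIPA's.
The line layout follows the krb5kdc.log entries quoted in the message.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the quoted krb5kdc.log format. Host, realm
# and principal are placeholders; the 05:55 burst mimics repeated ssh logins.
SAMPLE_KDC_LOG = """\
Nov 27 05:55:39 ipa.example.test krb5kdc[4894](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.10.64: NEEDED_PREAUTH: user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 27 05:55:39 ipa.example.test krb5kdc[4894](info): closing down fd 11
Nov 27 05:55:40 ipa.example.test krb5kdc[4894](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), DEPRECATED:arcfour-hmac(23)}) 192.168.10.64: ISSUE: authtime 1606456540, etypes {rep=18 tkt=18 ses=18}, user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 27 05:55:41 ipa.example.test krb5kdc[4894](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), DEPRECATED:arcfour-hmac(23)}) 192.168.10.64: NEEDED_PREAUTH: user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 27 05:55:42 ipa.example.test krb5kdc[4894](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), DEPRECATED:arcfour-hmac(23)}) 192.168.10.64: PREAUTH_FAILED: user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Nov 27 05:58:30 ipa.example.test krb5kdc[4894](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), DEPRECATED:arcfour-hmac(23)}) 192.168.10.64: ISSUE: authtime 1606456710, etypes {rep=18 tkt=18 ses=18}, user1@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# syslog timestamp, host, "krb5kdc[pid](level): AS_REQ (N etypes {...}) ip: STATUS: detail"
AS_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+?): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# "DEPRECATED:arcfour-hmac(23)" or plain "aes256-cts-hmac-sha1-96(18)"
ETYPE_RE = re.compile(r"(?:(?P<tag>[A-Z]+):)?(?P<name>[\w-]+)\((?P<num>\d+)\)")
# "<client principal> for <service principal>" inside the detail text
PRINCIPALS_RE = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


def parse_as_req(line, year=2020):
    """Return a dict for an AS_REQ line, or None for any other line."""
    m = AS_REQ_RE.match(line.strip())
    if not m:
        return None
    etypes = ETYPE_RE.finditer(m.group("etypes"))
    weak = [e.group("name") for e in etypes
            if e.group("tag") in ("UNSUPPORTED", "DEPRECATED")]
    p = PRINCIPALS_RE.search(m.group("detail"))
    # syslog lines carry no year; the caller supplies it (assumed 2020 here)
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {
        "time": when,
        "ip": m.group("ip"),
        "status": m.group("status"),
        "client": p.group("client") if p else None,
        "server": p.group("server") if p else None,
        "weak_etypes": weak,
        "detail": m.group("detail"),
    }


def summarize(log_text, year=2020):
    """Group AS_REQs by (client ip, client principal): status counts, weak etypes, times."""
    summary = defaultdict(lambda: {"statuses": Counter(), "weak_etypes": set(), "times": []})
    for line in log_text.splitlines():
        e = parse_as_req(line, year)
        if e is None:
            continue
        entry = summary[(e["ip"], e["client"])]
        entry["statuses"][e["status"]] += 1
        entry["weak_etypes"].update(e["weak_etypes"])
        entry["times"].append(e["time"])
    return dict(summary)


def max_burst(times, window_seconds=60):
    """Largest number of requests from one client inside any window_seconds span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    for (ip, client), s in summarize(SAMPLE_KDC_LOG).items():
        print(f"{client} from {ip}: {dict(s['statuses'])}, "
              f"max {max_burst(s['times'])} AS_REQs in 60s, "
              f"weak etypes offered: {sorted(s['weak_etypes'])}")
```

Run it against a real krb5kdc.log (passing the right year) and compare the per-client burst size and the NEEDED_PREAUTH/ISSUE/PREAUTH_FAILED ratio around the time of the failed ssh logins with the sshd timestamps on the client; a burst with no matching KDC entries at all points the search back at the client side (sssd/pam), while PREAUTH_FAILED entries point at the KDC side.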
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]