We have freeipa-server-4.8.10-6.fc33 running on top of NIS and I'm trying to determine why ssh -k from any client is hanging and not even connecting. Does sssd need to be configured as in this 2013 training document?
https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
The goal is to eliminate NIS, so perhaps the issue is running both concurrently? The good news is, thanks to tips here last week, all the NIS users migrated along with their passwords, and kinit on the FreeIPA server even prompts to change their password.
sssd is running:
sssd_be[2329]: GSSAPI client step 1
sssd_be[2329]: GSSAPI client step 2
/etc/krb5.conf:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ourserver.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
ourserver.EDU = {
kdc = ourserver.edu:88
master_kdc = ourserver.edu:88
admin_server = ourserver.edu:749
default_domain = ourserver.edu
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ourserver.edu = ourserver.EDU
ourserver.edu = ourserver.EDU
ourserver.edu = ourserver.EDU
[dbmodules]
ourserver.EDU = {
db_library = ipadb.so
}
[plugins]
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
HBAC is wide open:
ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: TRUE
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run [email protected] to create a system user session
Enabled: TRUE
Here are some debug ssh server logs:
Feb 8 16:23:27 ourserver sshd[381563]: debug1: Forked child 510395.
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Set /proc/self/oom_score_adj to 0
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rexec start in 5 out 5 newsock 5 pipe 10 sock 11
Feb 8 16:23:27 ourserver sshd[510395]: debug1: inetd sockets after dupping: 4, 4
Feb 8 16:23:27 ourserver sshd[510395]: Connection from 150.108.68.26 port 45806 on 150.108.64.156 port 22 rdomain ""
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Local version string SSH-2.0-OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
Feb 8 16:23:27 ourserver sshd[510395]: debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SELinux support disabled [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: permanently_set_uid: 74/74 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: KEX done [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 0 failures 0 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: initializing for "ouruser"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_RHOST to "xx.xx.xx.xx"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user ouruser service ssh-connection method publickey [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: attempt 1 failures 0 [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk [preauth]
Feb 8 16:23:27 ourserver sshd[510395]: debug1: temporarily_use_uid: 5879/200 (e=0/0)
Feb 8 16:23:27 ourserver sshd[510395]: debug1: trying public key file /home/ouruser/.ssh/authorized_keys
And here is ssh -k from a Fedora client; note that the user I'm logged in as is NOT the same user I'm trying to log in to:
ssh -vv -k ouruser@ourserver
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match not found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/ouruser/.ssh/config
debug1: /home/ouruser/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug2: match found
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/ouruser/.ssh/sockets/ouruser@ourserver-22" does not exist
debug2: resolving "ourserver" port 22
debug2: ssh_connect_direct
debug1: Connecting to ourserver [150.108.64.156] port 22.
debug1: Connection established.
debug1: identity file /home/ouruser/.ssh/id_rsa type 0
debug1: identity file /home/ouruser/.ssh/id_rsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_dsa type -1
debug1: identity file /home/ouruser/.ssh/id_dsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519 type 3
debug1: identity file /home/ouruser/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk type -1
debug1: identity file /home/ouruser/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/ouruser/.ssh/id_xmss type -1
debug1: identity file /home/ouruser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to ourserver:22 as 'ouruser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'ourserver' is known and matches the ECDSA host key.
debug1: Found key in /home/ouruser/.ssh/known_hosts:46
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug1: Will attempt key: /home/ouruser/.ssh/id_dsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa
debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519 ED25519 SHA256:OoedE0VhmLFtl9nifW57Mca+GHDD0xKkJ2BCLGlV9xc
debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/ouruser/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ouruser/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
What am I missing? I appreciated the help last week!
Rob
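Both traces stop at the same step: sshd at "trying public key file /home/ouruser/.ssh/authorized_keys" right after temporarily_use_uid, and the client at "we sent a publickey packet, wait for reply", so the stall sits in the server's user and key lookup during public-key authentication, which on an IPA-enrolled host goes through NSS and sssd. This added shell helper is not from the thread; it runs each of those lookups under a time limit so a hung backend reports "timeout" instead of blocking the way sshd does, and it assumes coreutils timeout plus the sss_ssh_authorizedkeys helper that ipa-client-install normally wires into sshd's AuthorizedKeysCommand.

```shell
#!/bin/sh
# Constructed triage helper, not from the thread. Assumes coreutils `timeout`
# and an ipa-client-enrolled host where ipa-client-install pointed sshd's
# AuthorizedKeysCommand at /usr/bin/sss_ssh_authorizedkeys.

# probe SECONDS CMD [ARGS...]: run CMD under a time limit and print one of
# ok, timeout, missing or fail:<rc>, so a hung NSS/sssd lookup is reported
# instead of blocking the way sshd does.
probe() {
    limit=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    if timeout "$limit" "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)   echo ok ;;
        124) echo timeout ;;       # coreutils timeout: limit expired
        *)   echo "fail:$rc" ;;
    esac
}

# sshd_keys_source FILE: print the AuthorizedKeysCommand configured in FILE,
# or "none" when sshd reads only ~/.ssh/authorized_keys.
sshd_keys_source() {
    awk 'tolower($1) == "authorizedkeyscommand" { print $2; found = 1 }
         END { if (!found) print "none" }' "$1"
}

# triage USER: the lookups sshd performs between "temporarily_use_uid" and
# "trying public key file", plus the Kerberos cache check the client side
# fails before it falls back from gssapi-with-mic to publickey.
triage() {
    user=$1
    printf 'NSS user lookup (getent):                 %s\n' "$(probe 5 getent passwd "$user")"
    printf 'sssd key lookup (sss_ssh_authorizedkeys): %s\n' "$(probe 5 sss_ssh_authorizedkeys "$user")"
    printf 'sshd AuthorizedKeysCommand:               %s\n' "$(sshd_keys_source /etc/ssh/sshd_config)"
    printf 'Kerberos ccache valid (klist -s):         %s\n' "$(probe 5 klist -s)"
}

if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

Run it as root on the server with the target user name; a "timeout" on the getent or sss_ssh_authorizedkeys line points at the NSS/sssd side rather than at sshd or the HBAC rules.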
_______________________________________________
FreeIPA-users mailing list -- [email protected]