On Mon, Feb 08, 2021 at 04:42:31PM -0500, Robert Kudyba via FreeIPA-users wrote:
> We have freeipa-server-4.8.10-6.fc33 running on top of NIS and I'm trying
> to determine why ssh -k from any client is hanging and not even connecting.
> Does sssd need to be configured as in this 2013 training document?
> https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
> 
> The goal is to eliminate NIS so perhaps the issue is running both
> concurrently? The good news is, thanks to tips here last week, all the NIS
> users migrated along with their passwords. And kinit on the Free IPA server
> even prompts to change their password.
> 
> sssd is running:
> sssd_be[2329]: GSSAPI client step 1
> sssd_be[2329]: GSSAPI client step 2
> 
> /etc/krb.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = ourserver.EDU
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = true
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>  ourserver.EDU = {
>   kdc = ourserver.edu:88
>   master_kdc = ourserver.edu:88
>   admin_server = ourserver.edu:749
>   default_domain = ourserver.edu
>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }
> 
> [domain_realm]
>  .ourserver.edu = ourserver.EDU
>  ourserver.edu = ourserver.EDU
>  ourserver.edu = ourserver.EDU
> 
> [dbmodules]
>   ourserver.EDU = {
>     db_library = ipadb.so
>   }
> 
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
> 
>  HBAC is wide open:
> 
> ipa hbacrule-find
> --------------------
> 2 HBAC rules matched
> --------------------
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
> 
>   Rule name: allow_systemd-user
>   User category: all
>   Host category: all
>   Description: Allow pam_systemd to run user@.service to create a system
> user session
>   Enabled: TRUE
> 
> Here are some debug ssh server logs:
> Feb  8 16:23:27 ourserver sshd[381563]: debug1: Forked child 510395.
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: Set
> /proc/self/oom_score_adj to 0
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: rexec start in 5 out 5
> newsock 5 pipe 10 sock 11
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: inetd sockets after
> dupping: 4, 4
> Feb  8 16:23:27 ourserver sshd[510395]: Connection from 150.108.68.26 port
> 45806 on 150.108.64.156 port 22 rdomain ""
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: Local version string
> SSH-2.0-OpenSSH_8.4
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: Remote protocol version
> 2.0, remote software version OpenSSH_8.4
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: match: OpenSSH_8.4 pat
> OpenSSH* compat 0x04000000
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: SELinux support disabled
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: permanently_set_uid: 74/74
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: list_hostkey_types:
> rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT sent
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_KEXINIT received
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: kex: algorithm:
> curve25519-sha256 [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: kex: host key algorithm:
> ecdsa-sha2-nistp256 [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: kex: client->server cipher:
> [email protected] MAC: <implicit> compression: none [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: kex: server->client cipher:
> [email protected] MAC: <implicit> compression: none [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256
> need=32 dh_need=32 [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: kex: curve25519-sha256
> need=32 dh_need=32 [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: expecting
> SSH2_MSG_KEX_ECDH_INIT [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: rekey out after 4294967296
> blocks [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS sent
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: Sending SSH2_MSG_EXT_INFO
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: expecting SSH2_MSG_NEWKEYS
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: SSH2_MSG_NEWKEYS received
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: rekey in after 4294967296
> blocks [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: KEX done [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user
> ouruser service ssh-connection method none [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: attempt 0 failures 0
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: PAM: initializing for
> "ouruser"
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_RHOST to
> "xx.xx.xx.xx"
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: PAM: setting PAM_TTY to
> "ssh"
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: userauth-request for user
> ouruser service ssh-connection method publickey [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: attempt 1 failures 0
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: userauth_pubkey: test pkalg
> rsa-sha2-256 pkblob RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
> [preauth]
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: temporarily_use_uid:
> 5879/200 (e=0/0)
> Feb  8 16:23:27 ourserver sshd[510395]: debug1: trying public key file
> /home/ouruser/.ssh/authorized_keys

Hi,

looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and
is stuck. Can you read this file from the command line? Is it e.g. on
NFS which might not be properly mounted?

Does it work if you skip pubkey authentication

    ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver

bye,
Sumit
> 
> and ssh -k from a Fedora client, note the user I'm logged in as is NOT the
> same user I'm trying to log in to:
> ssh -vv -k ouruser@ourserver
> OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS  8 Dec 2020
> debug1: Reading configuration data /home/ouruser/.ssh/config
> debug1: /home/ouruser/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
> debug2: checking match for 'final all' host ourserver originally ourserver
> debug2: match not found
> debug1: Reading configuration data
> /etc/crypto-policies/back-ends/openssh.config
> debug1: configuration requests final Match pass
> debug1: re-parsing configuration
> debug1: Reading configuration data /home/ouruser/.ssh/config
> debug1: /home/ouruser/.ssh/config line 1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
> debug2: checking match for 'final all' host ourserver originally ourserver
> debug2: match found
> debug1: Reading configuration data
> /etc/crypto-policies/back-ends/openssh.config
> debug1: auto-mux: Trying existing master
> debug1: Control socket "/home/ouruser/.ssh/sockets/ouruser@ourserver-22"
> does not exist
> debug2: resolving "ourserver" port 22
> debug2: ssh_connect_direct
> debug1: Connecting to ourserver [150.108.64.156] port 22.
> debug1: Connection established.
> debug1: identity file /home/ouruser/.ssh/id_rsa type 0
> debug1: identity file /home/ouruser/.ssh/id_rsa-cert type -1
> debug1: identity file /home/ouruser/.ssh/id_dsa type -1
> debug1: identity file /home/ouruser/.ssh/id_dsa-cert type -1
> debug1: identity file /home/ouruser/.ssh/id_ecdsa type -1
> debug1: identity file /home/ouruser/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk type -1
> debug1: identity file /home/ouruser/.ssh/id_ecdsa_sk-cert type -1
> debug1: identity file /home/ouruser/.ssh/id_ed25519 type 3
> debug1: identity file /home/ouruser/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/ouruser/.ssh/id_ed25519_sk type -1
> debug1: identity file /home/ouruser/.ssh/id_ed25519_sk-cert type -1
> debug1: identity file /home/ouruser/.ssh/id_xmss type -1
> debug1: identity file /home/ouruser/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.4
> debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
> debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to ourserver:22 as 'ouruser'
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,[email protected]
> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
> debug2: host key algorithms: [email protected],
> [email protected],
> [email protected],
> [email protected],[email protected]
> ,[email protected],[email protected],
> [email protected],[email protected]
> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
> [email protected],ssh-ed25519,[email protected]
> ,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: [email protected],[email protected]
> ,aes256-ctr,[email protected],aes128-ctr
> debug2: ciphers stoc: [email protected],[email protected]
> ,aes256-ctr,[email protected],aes128-ctr
> debug2: MACs ctos: [email protected],[email protected],
> [email protected],[email protected]
> ,hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
> debug2: MACs stoc: [email protected],[email protected],
> [email protected],[email protected]
> ,hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
> debug2: compression ctos: none,[email protected],zlib
> debug2: compression stoc: none,[email protected],zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,[email protected]
> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
> debug2: host key algorithms:
> rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
> debug2: ciphers ctos: [email protected]
> ,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],
> [email protected]
> debug2: ciphers stoc: [email protected]
> ,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],
> [email protected]
> debug2: MACs ctos: [email protected],[email protected],
> [email protected],[email protected],
> [email protected],[email protected],[email protected]
> ,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: [email protected],[email protected],
> [email protected],[email protected],
> [email protected],[email protected],[email protected]
> ,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,[email protected]
> debug2: compression stoc: none,[email protected]
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: [email protected] MAC: <implicit>
> compression: none
> debug1: kex: client->server cipher: [email protected] MAC: <implicit>
> compression: none
> debug1: kex: curve25519-sha256 need=32 dh_need=32
> debug1: kex: curve25519-sha256 need=32 dh_need=32
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ecdsa-sha2-nistp256
> SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
> debug1: Host 'ourserver' is known and matches the ECDSA host key.
> debug1: Found key in /home/ouruser/.ssh/known_hosts:46
> debug2: set_newkeys: mode 1
> debug1: rekey out after 4294967296 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug2: set_newkeys: mode 0
> debug1: rekey in after 4294967296 blocks
> debug1: Will attempt key: /home/ouruser/.ssh/id_rsa RSA
> SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
> debug1: Will attempt key: /home/ouruser/.ssh/id_dsa
> debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa
> debug1: Will attempt key: /home/ouruser/.ssh/id_ecdsa_sk
> debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519 ED25519
> SHA256:OoedE0VhmLFtl9nifW57Mca+GHDD0xKkJ2BCLGlV9xc
> debug1: Will attempt key: /home/ouruser/.ssh/id_ed25519_sk
> debug1: Will attempt key: /home/ouruser/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,
> [email protected]
> ,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
> [email protected],
> [email protected]>
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available (default cache: KCM:)
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available (default cache: KCM:)
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/ouruser/.ssh/id_rsa RSA
> SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
> debug2: we sent a publickey packet, wait for reply
> 
> What am I missing? I appreciate the help last week!
> 
> Rob

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
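Sumit's reply points at the last line of the sshd debug log: the server forks, authenticates the client up to the publickey step, then stops at "trying public key file /home/ouruser/.ssh/authorized_keys". His two checks (can the file be read from a shell, and is the home directory on a possibly stale NFS mount) can be scripted so they are run the same way every time. The script below is an added example, not code from the thread or from FreeIPA; it assumes GNU coreutils (`stat`, `timeout`) on the SSH server, the user name `ouruser` and the file path from the log are only placeholders, and the sample key line the test writes is constructed.

```bash
#!/bin/bash
# Added diagnostic for "sshd hangs at 'trying public key file ...'".
# Not from the thread; assumes GNU coreutils (stat, timeout) on the SSH server.

# Return 0 if PATH is fully readable within SECS seconds,
#        1 if the read timed out (typical of a hung NFS mount),
#        2 if the file is missing or not readable at all.
check_authorized_keys_read() {
    path=$1
    secs=${2:-5}
    [ -e "$path" ] || return 2
    [ -r "$path" ] || return 2
    timeout "$secs" cat "$path" >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 124 ]; then      # timeout(1) exits 124 when the limit is hit
        return 1
    elif [ "$rc" -ne 0 ]; then
        return 2
    fi
    return 0
}

# Print the filesystem type backing PATH (nfs, nfs4, ext4, xfs, ...).
fs_type_of() {
    stat -f -c %T "$1"
}

# Return 0 if PATH lives on a network filesystem, 1 otherwise.
is_network_fs() {
    case "$(fs_type_of "$1")" in
        nfs*|cifs) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if octal MODE (e.g. 644) has no group or world write bit, which is
# what sshd's StrictModes requires before it will use an authorized_keys file.
mode_is_strict() {
    mode=$1
    group=$(( (8#$mode / 8) % 8 ))
    other=$(( 8#$mode % 8 ))
    [ $(( group & 2 )) -eq 0 ] && [ $(( other & 2 )) -eq 0 ]
}

check_authorized_keys_mode() {
    mode=$(stat -c %a "$1") || return 1
    mode_is_strict "$mode"
}

# Human-readable report for one user's authorized_keys file.
# Exit 0 if everything looks usable by sshd, 1 if a hang or bad mode was found,
# 2 if the user or file cannot be resolved at all.
diagnose_authorized_keys() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$home" ]; then
        echo "user $user not resolvable through NSS (check sssd/nss_sss)"
        return 2
    fi
    file=$home/.ssh/authorized_keys
    echo "home filesystem: $(fs_type_of "$home")"
    if is_network_fs "$home"; then
        echo "note: home is on a network filesystem; a hung mount blocks sshd"
    fi
    check_authorized_keys_read "$file" 5
    case $? in
        0) echo "read ok: $file" ;;
        1) echo "READ TIMED OUT: $file (matches the hang in the sshd log)"; return 1 ;;
        2) echo "missing or unreadable: $file"; return 2 ;;
    esac
    if check_authorized_keys_mode "$file"; then
        echo "permissions ok: $(stat -c %a "$file")"
    else
        echo "permissions too open for StrictModes: $(stat -c %a "$file")"
        return 1
    fi
}

# Usage (as root on the SSH server):  ./check_authorized_keys.sh ouruser
if [ -n "${1:-}" ]; then
    diagnose_authorized_keys "$1"
fi
```

Run it as root on the server for the account that cannot log in. A read that times out points at the mount rather than at sshd, sssd or HBAC; a mode failure explains a silent rejection rather than a hang. One caveat: if the NFS client has the reader stuck in uninterruptible I/O, `timeout` cannot kill `cat` and the script itself will sit there, which is the same symptom sshd shows and is still a useful answer.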