[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

Robert Kudyba via FreeIPA-users Tue, 09 Feb 2021 08:33:00 -0800

>
> looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and
> is stuck. Can you read this file from the command line? Is it e.g. on
> NFS which might not be properly mounted?
>
> Does it work if you skip pubkey authentication
>
>     ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver
>
> bye,
> Sumit
>


Thanks for the suggestion. What happens is the NIS password works. The
FreeIPA password, which I update with:
ipa user-mod ouruser --setattr "userpassword=xxxx", fails with the below
errors/logs

Feb  9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086.
Feb  9 11:10:34 ourserver sshd[536086]: debug1: Set
/proc/self/oom_score_adj to 0
Feb  9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 out 5
newsock 5 pipe 7 sock 8
Feb  9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after
dupping: 4, 4
Feb  9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port 53332
on 150.108.64.156 port 22 rdomain ""
Feb  9 11:10:34 ourserver sshd[536086]: debug1: Local version string
SSH-2.0-OpenSSH_8.4
Feb  9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol version
2.0, remote software version OpenSSH_8.4
Feb  9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 pat
OpenSSH* compat 0x04000000
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SELinux support disabled
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid: 74/74
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT sent
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT received
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm:
curve25519-sha256 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: host key algorithm:
ecdsa-sha2-nistp256 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server cipher:
[email protected] MAC: <implicit> compression: none [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client cipher:
[email protected] MAC: <implicit> compression: none [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting
SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey out after 4294967296
blocks [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS sent
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: Sending SSH2_MSG_EXT_INFO
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting SSH2_MSG_NEWKEYS
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS received
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey in after 4294967296
blocks [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method none [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing for
"ouruser"
Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_RHOST to
"x.x.x.x"
Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_TTY to
"ssh"
Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method keyboard-interactive [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive devs
 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge:
user=ouruser devs= [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: Postponed keyboard-interactive for
ouruser from x.x.x.x port 53332 ssh2 [preauth]
Feb  9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for
user ouruser: 9 (Authentication service cannot retrieve authentication info)
Feb  9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication failure
for ouruser from x.x.x.x
Feb  9 11:10:41 ourserver sshd[536086]: Failed keyboard-interactive/pam for
ouruser from x.x.x.x port 53332 ssh2
Feb  9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method keyboard-interactive [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1
[preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive devs
 [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge:
user=ouruser devs= [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
[preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: Postponed keyboard-interactive for
ouruser from x.x.x.x port 53332 ssh2 [preauth]


Feb  9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086.
Feb  9 11:10:34 ourserver sshd[536086]: debug1: Set
/proc/self/oom_score_adj to 0
Feb  9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 out 5
newsock 5 pipe 7 sock 8
Feb  9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after
dupping: 4, 4
Feb  9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port 53332
on 150.108.64.156 port 22 rdomain ""
Feb  9 11:10:34 ourserver sshd[536086]: debug1: Local version string
SSH-2.0-OpenSSH_8.4
Feb  9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol version
2.0, remote software version OpenSSH_8.4
Feb  9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 pat
OpenSSH* compat 0x04000000
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SELinux support disabled
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid: 74/74
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT sent
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT received
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm:
curve25519-sha256 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: host key algorithm:
ecdsa-sha2-nistp256 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server cipher:
[email protected] MAC: <implicit> compression: none [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client cipher:
[email protected] MAC: <implicit> compression: none [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
need=32 dh_need=32 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting
SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey out after 4294967296
blocks [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS sent
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: Sending SSH2_MSG_EXT_INFO
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting SSH2_MSG_NEWKEYS
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS received
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey in after 4294967296
blocks [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method none [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing for
"ouruser"
Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_RHOST to
"x.x.x.x"
Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_TTY to
"ssh"
Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method keyboard-interactive [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive devs
 [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge:
user=ouruser devs= [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
[preauth]
Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
Feb  9 11:10:35 ourserver sshd[536086]: Postponed keyboard-interactive for
ouruser from x.x.x.x port 53332 ssh2 [preauth]
Feb  9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for
user ouruser: 9 (Authentication service cannot retrieve authentication info)
Feb  9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication failure
for ouruser from x.x.x.x
Feb  9 11:10:41 ourserver sshd[536086]: Failed keyboard-interactive/pam for
ouruser from x.x.x.x port 53332 ssh2
Feb  9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for user
ouruser service ssh-connection method keyboard-interactive [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1
[preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive devs
 [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge:
user=ouruser devs= [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
[preauth]
Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
Feb  9 11:10:41 ourserver sshd[536086]: Postponed keyboard-interactive for
ouruser from x.x.x.x port 53332 ssh2 [preauth]

With the NIS password the logs show this:
Feb  9 11:16:57 debug1: do_pam_account: called
Feb  9 11:16:57 ourserver sshd[536226]: debug1: PAM: num PAM env strings 2
Feb  9 11:16:57 ourserver sshd[536226]: Postponed keyboard-interactive/pam
for cai from 150.108.68.26 port 53646 ssh2 [preauth]
Feb  9 11:16:57 ourserver sshd[536226]: debug1: do_pam_account: called
Feb  9 11:16:57 ourserver sshd[536226]: Accepted keyboard-interactive/pam
for cai from 150.108.68.26 port 53646 ssh2
Feb  9 11:16:57 ourserver sshd[536226]: debug1: monitor_child_preauth: cai
has been authenticated by privileged process
Feb  9 11:16:57 ourserver sshd[536226]: debug1: monitor_read_log: child log
fd closed
Feb  9 11:16:57 ourserver sshd[536226]: debug1: audit_event: unhandled
event 2
Feb  9 11:16:57 ourserver sshd[536226]: debug1: temporarily_use_uid:
5879/200 (e=0/0)
Feb  9 11:16:57 ourserver sshd[536226]: debug1: ssh_gssapi_storecreds: Not
a GSSAPI mechanism
Feb  9 11:16:57 ourserver sshd[536226]: debug1: restore_uid: 0/0
Feb  9 11:16:57 ourserver sshd[536226]: debug1: SELinux support disabled
Feb  9 11:16:57 ourserver sshd[536226]: debug1: PAM: establishing
credentials
Feb  9 11:16:57 ourserver systemd[536237]: pam_unix(systemd-user:session):
session opened for user cai(uid=5879) by (uid=0)

What options should be set in /etc/ssh/sshd_config? Is sssd necessary for
this to work with the FreeIPA password?

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]

[Freeipa-users] Re: using SSH with password authentication when NIS is still running with FreeIPA

Reply via email to