I tried this on another test server, and configured NIS for the users, which are different. Same issue. All the verbose output adds a lot of log noise but I'm hoping it provides a clue.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Here is ssh -o PubkeyAuthentication=no -vvv -k ouruser@ourserver:

OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS  8 Dec 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ourserver
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to ourserver:22 as 'ouruser'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:31
debug3: load_hostkeys: loaded 1 keys from ourserver
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug3: order_hostkeyalgs: have matching best-preference key type [email protected], using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:yVm8V2ODZo0nAuvr9k2ydTJv0RtOgkl8Sp5Mkmp/F0M
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:31
debug3: load_hostkeys: loaded 1 keys from ourserver
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug1: Host 'ourserver' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:31
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:Sena4XB1wVt7x+o55Y9EI5WnQIyZ/SLFk+t6tmBFMYA
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/[email protected] not found in Kerberos database
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

And here are the server logs from /var/log/secure; you can see sssd is being used:

Feb 10 14:36:24 ourserver sshd[3024290]: debug1: Forked child 3084339.
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Set /proc/self/oom_score_adj to 0
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: inetd sockets after dupping: 4, 4
Feb 10 14:36:24 ourserver sshd[3084339]: Connection from x.x.x.x port 34160 on 150.108.68.128 port 22 rdomain ""
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Local version string SSH-2.0-OpenSSH_8.4
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SELinux support disabled [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: permanently_set_uid: 74/74 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: KEX done [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 0 failures 0 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: connection from x.x.x.x matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: initializing for "ouruser"
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: setting PAM_RHOST to "x.x.x.x"
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method gssapi-with-mic [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 1 failures 0 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 2 failures 0 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: keyboard-interactive devs [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: Postponed keyboard-interactive for ouruser from x.x.x.x port 34160 ssh2 [preauth]
Feb 10 14:36:28 ourserver sshd[3084344]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 10 14:36:28 ourserver proxy_child: pam_unix(sssd-shadowutils:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): received for user ouruser: 7 (Authentication failure)
Feb 10 14:36:33 ourserver sshd[3084339]: error: PAM: Authentication failure for ouruser from x.x.x.x
Feb 10 14:36:33 ourserver sshd[3084339]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 34160 ssh2
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: attempt 3 failures 1 [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: keyboard-interactive devs [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: Postponed keyboard-interactive for ouruser from x.x.x.x port 34160 ssh2 [preauth]

I verified the FreeIPA password in both the GUI and via ipa user-mod. The only time the user is able to log in is using the NIS password. ldapsearch -x -D and kinit username work successfully. klist displays the user details correctly. I can see that the installation script edits /etc/ssh/sshd_config with:

Include /etc/ssh/sshd_config.d/04-ipa.conf

which has:

PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

When the NIS password is used successfully, here are the server logs:

Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 0 failures 0 [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: connection from x.x.x.x matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: initializing for "ouruser"
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_RHOST to "x.x.x.x"
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user ouruser service ssh-connection method gssapi-with-mic [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 1 failures 0 [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 2 failures 0 [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: keyboard-interactive devs [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: Postponed keyboard-interactive for ouruser from x.x.x.x port 35046 ssh2 [preauth]
Feb 10 14:56:42 ourserver sshd[3085152]: debug1: do_pam_account: called
Feb 10 14:56:42 ourserver sshd[3085147]: debug1: PAM: num PAM env strings 2
Feb 10 14:56:42 ourserver sshd[3085147]: Postponed keyboard-interactive/pam for ouruser from x.x.x.x port 35046 ssh2 [preauth]
Feb 10 14:56:42 ourserver sshd[3085147]: debug1: do_pam_account: called

I do see that the error that sticks out is "Server host/[email protected] not found in Kerberos database", but we have students that log in from all over the world, so do all clients need to be added? iptables, firewalld, and nftables are off and disabled. No HBAC rules:

ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: allow_systemd-user
  User category: all
  Host category: all
  Description: Allow pam_systemd to run [email protected] to create a system user session
  Enabled: TRUE
----------------------------
Number of entries returned 2
----------------------------

Am I missing something obvious to regulars?
On Tue, Feb 9, 2021 at 12:34 PM Robert Kudyba <[email protected]> wrote:

> On Tue, Feb 9, 2021 at 12:20 PM Sumit Bose via FreeIPA-users <
> [email protected]> wrote:
>
>> On Tue, Feb 09, 2021 at 11:33:15AM -0500, Robert Kudyba via FreeIPA-users
>> wrote:
>> > >
>> > > looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and
>> > > is stuck. Can you read this file from the command line? Is it e.g. on
>> > > NFS which might not be properly mounted?
>> > >
>> > > Does it work if you skip pubkey authentication
>> > >
>> > > ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver
>> > >
>> > > bye,
>> > > Sumit
>> > >
>> >
>> > Thanks for the suggestion. What happens is the NIS password works. The
>> > FreeIPA password, which I update with:
>> > ipa user-mod ouruser --setattr "userpassword=xxxx", fails with the below
>> > errors/logs
>> >
>> > Feb 9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086.
>> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Set /proc/self/oom_score_adj to 0
>> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
>> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after dupping: 4, 4
>> > Feb 9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port 53332 on 150.108.64.156 port 22 rdomain ""
>> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Local version string SSH-2.0-OpenSSH_8.4
>> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
>> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SELinux support disabled [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid: 74/74 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT sent [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT received [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm: curve25519-sha256 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey out after 4294967296 blocks [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS received [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey in after 4294967296 blocks [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing for "ouruser"
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_RHOST to "x.x.x.x"
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_TTY to "ssh"
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0 [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive devs [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge: user=ouruser devs= [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam' [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
>> > Feb 9 11:10:35 ourserver sshd[536086]: Postponed keyboard-interactive for ouruser from x.x.x.x port 53332 ssh2 [preauth]
>> > Feb 9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
>> > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
>> > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
>> > Feb 9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication failure for ouruser from x.x.x.x
>> > Feb 9 11:10:41 ourserver sshd[536086]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 53332 ssh2
>> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
>> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1 [preauth]
>> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive devs [preauth]
>> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge: user=ouruser devs= [preauth]
>> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam' [preauth]
>> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
>> > Feb 9 11:10:41 ourserver sshd[536086]: Postponed keyboard-interactive for ouruser from x.x.x.x port 53332 ssh2 [preauth]
>> >
>> > With the NIS password the logs show this:
>>
>> Hi,
>>
>> did you drop what happened before or is this the only debug output for
>> the NIS password?
>>
>
> The below here are just logs from /var/log/secure for the user that
> successfully logs in with his/her NIS password.
>
> By "drop what happened before" do you mean the original log snip? Yes, I
> removed those in an attempt to shorten the message content.
>
>> > Feb 9 11:16:57 debug1: do_pam_account: called
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: num PAM env strings 2
>> > Feb 9 11:16:57 ourserver sshd[536226]: Postponed keyboard-interactive/pam for cai from 150.108.68.26 port 53646 ssh2 [preauth]
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: do_pam_account: called
>> > Feb 9 11:16:57 ourserver sshd[536226]: Accepted keyboard-interactive/pam for cai from 150.108.68.26 port 53646 ssh2
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: monitor_child_preauth: cai has been authenticated by privileged process
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: monitor_read_log: child log fd closed
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: audit_event: unhandled event 2
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: temporarily_use_uid: 5879/200 (e=0/0)
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: restore_uid: 0/0
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: SELinux support disabled
>> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: establishing credentials
>> > Feb 9 11:16:57 ourserver systemd[536237]: pam_unix(systemd-user:session): session opened for user cai(uid=5879) by (uid=0)
>> >
>> > What options should be set in /etc/ssh/sshd_config? Is sssd necessary for
>> > this to work with the FreeIPA password
>> >
>>
>> Yes, SSSD must be configured and running.
>
> sssd does appear to be working fine and in /etc/ipa/ca.crt and the service
> is running correctly:
>
> [domain/ourdomain.edu]
>
> id_provider = ipa
> ipa_server_mode = True
> ipa_server = ourdomain.edu
> ipa_domain = ourdomain.edu
> ipa_hostname = ourdomain.edu
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> krb5_store_password_if_offline = True
> [sssd]
> services = nss, pam, ifp, ssh, sudo
>
> domains = ourdomain.edu
> [nss]
> homedir_substring = /home
> memcache_timeout = 600
>
> [ifp]
> allowed_uids = ipaapi, root
>
> systemctl status sssd
> * sssd.service - System Security Services Daemon
>    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
>    Active: active (running) since Fri 2021-01-29 14:31:34 EST; 1 weeks 3 days ago
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
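The /var/log/secure excerpts in this thread bury the decisive lines (the pam_sss "received for user X: N" code and sshd's Accepted/Failed verdict) under debug1 noise, and the PAM helper logs under a different PID than the session it belongs to. As an added example that is not part of the thread and not FreeIPA's or SSSD's own code, the Python script below groups such lines by user and client address, correlates the helper PID back to the session through the rhost it reports, and prints one triage note per login attempt. The sample lines are constructed: they are modelled on the excerpts above but use RFC 5737 documentation addresses and made-up PIDs. The PAM code names are the standard Linux-PAM constants (PAM_AUTH_ERR = 7, PAM_AUTHINFO_UNAVAIL = 9).

```python
"""Triage sshd and PAM authentication events from /var/log/secure-style lines.

Added example, not code from the thread or from the FreeIPA/SSSD projects.
It groups lines by (user, client address), reconstructs the order of SSH auth
methods and PAM module failures, and names the pam_sss return code so the
decisive line stands out from the debug noise.
"""
import re
from collections import OrderedDict

# Standard Linux-PAM return codes, as pam_sss reports them in "received for user X: N (...)".
PAM_CODES = {
    0: ("PAM_SUCCESS", "backend accepted the credential"),
    7: ("PAM_AUTH_ERR", "backend answered and rejected the credential"),
    9: ("PAM_AUTHINFO_UNAVAIL", "module could not retrieve auth info (backend unreachable or lookup failed)"),
    10: ("PAM_USER_UNKNOWN", "user is not known to this module"),
}

# syslog prefix; the [pid] is optional because sssd's proxy_child logs without one
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection from (?P<rhost>\S+) port \d+ on ")
METHOD_RE = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
PAM_FAIL_RE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[\w-]+):auth\): authentication failure;"
                         r".* rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
PAM_CODE_RE = re.compile(r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+)")
VERDICT_RE = re.compile(r"(?P<verdict>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
                        r"from (?P<rhost>\S+) port \d+")

# Constructed sample modelled on the thread's excerpts: RFC 5737 addresses,
# made-up PIDs, one session for each outcome seen there (code 7, code 9, accepted).
SAMPLE_LOG = """\
Feb 10 14:36:24 ourserver sshd[3084339]: Connection from 192.0.2.10 port 34160 on 198.51.100.5 port 22 rdomain ""
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method gssapi-with-mic [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: Postponed keyboard-interactive for ouruser from 192.0.2.10 port 34160 ssh2 [preauth]
Feb 10 14:36:28 ourserver sshd[3084344]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=ouruser
Feb 10 14:36:28 ourserver proxy_child: pam_unix(sssd-shadowutils:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=ouruser
Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=ouruser
Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): received for user ouruser: 7 (Authentication failure)
Feb 10 14:36:33 ourserver sshd[3084339]: error: PAM: Authentication failure for ouruser from 192.0.2.10
Feb 10 14:36:33 ourserver sshd[3084339]: Failed keyboard-interactive/pam for ouruser from 192.0.2.10 port 34160 ssh2
Feb 10 14:40:01 ourserver sshd[3084500]: Connection from 192.0.2.12 port 40000 on 198.51.100.5 port 22 rdomain ""
Feb 10 14:40:01 ourserver sshd[3084500]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:40:05 ourserver sshd[3084505]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.12 user=ouruser
Feb 10 14:40:05 ourserver sshd[3084505]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
Feb 10 14:40:07 ourserver sshd[3084500]: Failed keyboard-interactive/pam for ouruser from 192.0.2.12 port 40000 ssh2
Feb 10 14:56:39 ourserver sshd[3085147]: Connection from 192.0.2.11 port 35046 on 198.51.100.5 port 22 rdomain ""
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user cai service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:56:42 ourserver sshd[3085152]: debug1: do_pam_account: called
Feb 10 14:56:42 ourserver sshd[3085147]: Accepted keyboard-interactive/pam for cai from 192.0.2.11 port 35046 ssh2
"""


def parse_sessions(lines):
    """Group log lines into sessions keyed by (user, client address), in order of first sight."""
    sessions = OrderedDict()
    pid_rhost = {}  # pid (or program name) -> client address, learned from any line that shows both

    def session(user, rhost):
        return sessions.setdefault((user, rhost), {
            "user": user, "rhost": rhost, "methods": [], "pam": [], "sss_code": None, "verdict": None,
        })

    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"] or m["prog"], m["msg"]
        if (c := CONN_RE.search(msg)):
            pid_rhost[pid] = c["rhost"]          # the session process announces the client address
        elif (u := METHOD_RE.search(msg)):
            session(u["user"], pid_rhost.get(pid, "?"))["methods"].append(u["method"])
        elif (p := PAM_FAIL_RE.search(msg)):
            pid_rhost[pid] = p["rhost"]          # the PAM helper child logs under its own pid
            session(p["user"], p["rhost"])["pam"].append((p["module"], p["service"]))
        elif (k := PAM_CODE_RE.search(msg)):
            session(k["user"], pid_rhost.get(pid, "?"))["sss_code"] = int(k["code"])
        elif (v := VERDICT_RE.search(msg)):
            pid_rhost[pid] = v["rhost"]
            session(v["user"], v["rhost"])["verdict"] = (v["verdict"], v["method"])
    return sessions


def explain(sess):
    """One-line triage note: the pam_sss code is what says why an SSSD-backed login failed."""
    who = f"{sess['user']}@{sess['rhost']}"
    verdict = sess["verdict"]
    if verdict and verdict[0] == "Accepted":
        return f"{who}: accepted via {verdict[1]}"
    failures = ", ".join(f"{mod}({svc})" for mod, svc in sess["pam"]) or "none"
    methods = ", ".join(sess["methods"]) or "none"
    if sess["sss_code"] is None:
        return f"{who}: no pam_sss status in the excerpt; methods tried: {methods}; PAM failures: {failures}"
    name, meaning = PAM_CODES.get(sess["sss_code"], (f"code {sess['sss_code']}", "unknown PAM status"))
    return (f"{who}: rejected; pam_sss returned {sess['sss_code']} {name} ({meaning}); "
            f"PAM failures: {failures}; methods tried: {methods}")


def triage(text):
    """Return one triage note per session found in the log text."""
    return [explain(s) for s in parse_sessions(text.splitlines()).values()]


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

Feed it the output of journalctl -u sshd or the contents of /var/log/secure. A pam_unix failure only says the password did not match what pam_unix could see (local or NIS shadow data); for an SSSD-backed user the pam_sss "received for user X: N" code is the line to read, since it distinguishes a backend that answered and rejected the password (7) from a backend that could not be consulted at all (9), which are two different problems to chase.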
