Robert Kudyba via FreeIPA-users wrote: > I tried this on another test server, and configured NIS for the users, > which are different. Same issue. All the verbose output adds a lot of > log noise but I'm hoping it provides a clue. > > ipactl status > Directory Service: RUNNING > krb5kdc Service: RUNNING > kadmin Service: RUNNING > named Service: RUNNING > httpd Service: RUNNING > ipa-custodia Service: RUNNING > pki-tomcatd Service: RUNNING > ipa-otpd Service: RUNNING > ipa-dnskeysyncd Service: RUNNING > ipa: INFO: The ipactl command was successful > > here is ssh -o PubkeyAuthentication=no -vvv -k ouruser@ourserver > OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020 > debug1: Reading configuration data /etc/ssh/ssh_config > debug3: /etc/ssh/ssh_config line 55: Including file > /etc/ssh/ssh_config.d/50-redhat.conf depth 0 > debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf > debug2: checking match for 'final all' host ourserver originally ourserver > debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final' > debug2: match not found > debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file > /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only) > debug1: Reading configuration data > /etc/crypto-policies/back-ends/openssh.config > debug3: gss kex names ok: > [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] > debug3: kex names ok: [curve25519-sha256,[email protected] > <mailto:[email protected]>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] > debug1: configuration requests final Match pass > debug1: re-parsing configuration > debug1: Reading configuration data /etc/ssh/ssh_config > debug3: /etc/ssh/ssh_config line 55: Including file > /etc/ssh/ssh_config.d/50-redhat.conf depth 0 > debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf > debug2: checking match for 'final all' host ourserver originally ourserver > debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final' > debug2: match found > debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file > /etc/crypto-policies/back-ends/openssh.config depth 1 > debug1: Reading configuration data > /etc/crypto-policies/back-ends/openssh.config > debug3: gss kex names ok: > [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] > debug3: kex names ok: [curve25519-sha256,[email protected] > <mailto:[email protected]>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] > debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> > '/root/.ssh/known_hosts' > debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> > '/root/.ssh/known_hosts2' > debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy > -p 22 ourserver > debug1: identity file /root/.ssh/id_rsa type 0 > debug1: identity file /root/.ssh/id_rsa-cert type -1 > debug1: identity file /root/.ssh/id_dsa type -1 > debug1: identity file /root/.ssh/id_dsa-cert type -1 > debug1: identity file /root/.ssh/id_ecdsa type -1 > debug1: identity file /root/.ssh/id_ecdsa-cert type -1 > debug1: identity file /root/.ssh/id_ecdsa_sk type -1 > debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1 > debug1: identity file /root/.ssh/id_ed25519 type -1 > debug1: identity file /root/.ssh/id_ed25519-cert type -1 > debug1: identity file /root/.ssh/id_ed25519_sk type -1 > debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1 > debug1: identity file /root/.ssh/id_xmss type -1 > debug1: identity file /root/.ssh/id_xmss-cert type -1 > debug1: Local version string SSH-2.0-OpenSSH_8.4 > debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4 > debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000 > debug2: fd 5 setting O_NONBLOCK > debug2: fd 4 setting O_NONBLOCK > debug1: Authenticating to ourserver:22 as 'ouruser' > debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /root/.ssh/known_hosts:31 > debug3: load_hostkeys: loaded 1 keys from ourserver > debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts" > debug3: order_hostkeyalgs: have matching best-preference key type > [email protected] > <mailto:[email protected]>, using > HostkeyAlgorithms verbatim > debug3: send packet: type 20 > debug1: SSH2_MSG_KEXINIT sent > debug3: receive packet: type 20 > debug1: SSH2_MSG_KEXINIT received > debug2: local client KEXINIT proposal > debug2: KEX algorithms: curve25519-sha256,[email protected] > <mailto:[email protected]>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c > debug2: host key algorithms: [email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected] > <mailto:[email protected]>,ssh-ed25519,[email protected] > <mailto:[email protected]>,rsa-sha2-512,rsa-sha2-256,ssh-rsa > debug2: ciphers ctos: [email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,aes256-ctr,[email protected] > <mailto:[email protected]>,aes128-ctr > debug2: ciphers stoc: [email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,aes256-ctr,[email protected] > <mailto:[email protected]>,aes128-ctr > debug2: MACs ctos: [email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,hmac-sha2-256,hmac-sha1,[email protected] > <mailto:[email protected]>,hmac-sha2-512 > debug2: MACs stoc: [email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,hmac-sha2-256,hmac-sha1,[email protected] > <mailto:[email protected]>,hmac-sha2-512 > debug2: compression ctos: none,[email protected] > <mailto:[email protected]>,zlib > debug2: compression stoc: none,[email protected] > <mailto:[email protected]>,zlib > debug2: languages ctos: > debug2: languages stoc: > debug2: first_kex_follows 0 > debug2: reserved 0 > debug2: peer server KEXINIT proposal > debug2: KEX algorithms: curve25519-sha256,[email protected] > <mailto:[email protected]>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 > debug2: host key algorithms: > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 > debug2: ciphers ctos: [email protected] > <mailto:[email protected]>,aes128-ctr,aes192-ctr,aes256-ctr,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]> > debug2: ciphers stoc: [email protected] > <mailto:[email protected]>,aes128-ctr,aes192-ctr,aes256-ctr,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]> > debug2: MACs ctos: [email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,hmac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: [email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>,hmac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: none,[email protected] <mailto:[email protected]> > debug2: compression stoc: none,[email protected] <mailto:[email protected]> > debug2: languages ctos: > debug2: languages stoc: > debug2: first_kex_follows 0 > debug2: reserved 0 > debug1: kex: algorithm: curve25519-sha256 > debug1: kex: host key algorithm: ecdsa-sha2-nistp256 > debug1: kex: server->client cipher: [email protected] > <mailto:[email protected]> MAC: <implicit> compression: none > debug1: kex: client->server cipher: [email protected] > <mailto:[email protected]> MAC: <implicit> compression: none > debug1: kex: curve25519-sha256 need=32 dh_need=32 > debug1: kex: curve25519-sha256 need=32 dh_need=32 > debug3: send packet: type 30 > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug3: receive packet: type 31 > debug1: Server host key: ecdsa-sha2-nistp256 > SHA256:yVm8V2ODZo0nAuvr9k2ydTJv0RtOgkl8Sp5Mkmp/F0M > debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /root/.ssh/known_hosts:31 > debug3: load_hostkeys: loaded 1 keys from ourserver > debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts" > debug1: Host 'ourserver' is known and matches the ECDSA host key. > debug1: Found key in /root/.ssh/known_hosts:31 > debug3: send packet: type 21 > debug2: set_newkeys: mode 1 > debug1: rekey out after 4294967296 blocks > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug3: receive packet: type 21 > debug1: SSH2_MSG_NEWKEYS received > debug2: set_newkeys: mode 0 > debug1: rekey in after 4294967296 blocks > debug1: Will attempt key: /root/.ssh/id_rsa RSA > SHA256:Sena4XB1wVt7x+o55Y9EI5WnQIyZ/SLFk+t6tmBFMYA > debug1: Will attempt key: /root/.ssh/id_dsa > debug1: Will attempt key: /root/.ssh/id_ecdsa > debug1: Will attempt key: /root/.ssh/id_ecdsa_sk > debug1: Will attempt key: /root/.ssh/id_ed25519 > debug1: Will attempt key: /root/.ssh/id_ed25519_sk > debug1: Will attempt key: /root/.ssh/id_xmss > debug2: pubkey_prepare: done > debug3: send packet: type 5 > debug3: receive packet: type 7 > debug1: SSH2_MSG_EXT_INFO received > debug1: kex_input_ext_info: > server-sig-algs=<ssh-ed25519,[email protected] > <mailto:[email protected]>,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected] > <mailto:[email protected]>,[email protected] > <mailto:[email protected]>> > debug3: receive packet: type 6 > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug3: send packet: type 50 > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive > debug3: start over, passed a different list > publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive > debug3: preferred gssapi-with-mic,keyboard-interactive,password > debug3: authmethod_lookup gssapi-with-mic > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > debug1: Unspecified GSS failure. Minor code may provide more information > Server host/[email protected] > <mailto:[email protected]> not found in Kerberos database > debug3: send packet: type 50 > debug2: we sent a gssapi-with-mic packet, wait for reply > debug3: receive packet: type 51 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive > debug2: we did not send a packet, disable method > debug3: authmethod_lookup keyboard-interactive > debug3: remaining preferred: password > debug3: authmethod_is_enabled keyboard-interactive > debug1: Next authentication method: keyboard-interactive > debug2: userauth_kbdint > debug3: send packet: type 50 > debug2: we sent a keyboard-interactive packet, wait for reply > debug3: receive packet: type 60 > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > > And here are the server logs from /var/log secure and you can see sssd > is being used: > Feb 10 14:36:24 ourserver sshd[3024290]: debug1: Forked child 3084339. > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Set > /proc/self/oom_score_adj to 0 > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rexec start in 4 out 4 > newsock 4 pipe 6 sock 7 > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: inetd sockets after > dupping: 4, 4 > Feb 10 14:36:24 ourserver sshd[3084339]: Connection from x.x.x.x port > 34160 on 150.108.68.128 port 22 rdomain "" > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Local version string > SSH-2.0-OpenSSH_8.4 > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Remote protocol version > 2.0, remote software version OpenSSH_8.4 > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: match: OpenSSH_8.4 pat > OpenSSH* compat 0x04000000 > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SELinux support > disabled [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: permanently_set_uid: > 74/74 [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: list_hostkey_types: > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_KEXINIT sent > [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_KEXINIT > received [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: algorithm: > curve25519-sha256 [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: host key > algorithm: ecdsa-sha2-nistp256 [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: client->server > cipher: [email protected] <mailto:[email protected]> MAC: > <implicit> compression: none [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: server->client > cipher: [email protected] <mailto:[email protected]> MAC: > <implicit> compression: none [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: curve25519-sha256 > need=32 dh_need=32 [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: curve25519-sha256 > need=32 dh_need=32 [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: expecting > SSH2_MSG_KEX_ECDH_INIT [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rekey out after > 4294967296 blocks [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_NEWKEYS sent > [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Sending > SSH2_MSG_EXT_INFO [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: expecting > SSH2_MSG_NEWKEYS [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_NEWKEYS > received [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rekey in after > 4294967296 blocks [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: KEX done [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for > user ouruser service ssh-connection method none [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 0 failures 0 > [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: connection from x.x.x.x > matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158 > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: initializing for > "ouruser" > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: setting PAM_RHOST > to "x.x.x.x" > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: setting PAM_TTY to > "ssh" > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for > user ouruser service ssh-connection method gssapi-with-mic [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 1 failures 0 > [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for > user ouruser service ssh-connection method keyboard-interactive [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 2 failures 0 > [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: keyboard-interactive > devs [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: auth2_challenge: > user=ouruser devs= [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kbdint_alloc: devices > 'pam' [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: debug1: auth2_challenge_start: > trying authentication method 'pam' [preauth] > Feb 10 14:36:24 ourserver sshd[3084339]: Postponed keyboard-interactive > for ouruser from x.x.x.x port 34160 ssh2 [preauth] > Feb 10 14:36:28 ourserver sshd[3084344]: pam_unix(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=x.x.x.x user=ouruser > Feb 10 14:36:28 ourserver proxy_child: pam_unix(sssd-shadowutils:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=x.x.x.x user=ouruser > Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=x.x.x.x user=ouruser > Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): received > for user ouruser: 7 (Authentication failure) > Feb 10 14:36:33 ourserver sshd[3084339]: error: PAM: Authentication > failure for ouruser from x.x.x.x > Feb 10 14:36:33 ourserver sshd[3084339]: Failed keyboard-interactive/pam > for ouruser from x.x.x.x port 34160 ssh2 > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: userauth-request for > user ouruser service ssh-connection method keyboard-interactive [preauth] > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: attempt 3 failures 1 > [preauth] > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: keyboard-interactive > devs [preauth] > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge: > user=ouruser devs= [preauth] > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: kbdint_alloc: devices > 'pam' [preauth] > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge_start: > trying authentication method 'pam' [preauth] > Feb 10 14:36:33 ourserver sshd[3084339]: Postponed keyboard-interactive > for ouruser from x.x.x.x port 34160 ssh2 [preauth] > > I verified the FreeIPA password in both the GUI and via ipa user-mod. > The only time the user is able to log in is using the NIS > password. ldapsearch -x -D and kinit username work successfully. klist > displays the user details correctly. > > I can see that the installation script edits /etc/ssh/sshd_config with: > Include /etc/ssh/sshd_config.d/04-ipa.conf > > which has: > PubkeyAuthentication yes > KerberosAuthentication no > GSSAPIAuthentication yes > UsePAM yes > ChallengeResponseAuthentication yes > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys > AuthorizedKeysCommandUser nobody > > When the NIS password is used successfully here are the server logs: > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for > user ouruser service ssh-connection method none [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 0 failures 0 > [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: connection from x.x.x.x > matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158 > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: initializing for > "ouruser" > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_RHOST > to "x.x.x.x" > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_TTY to > "ssh" > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for > user ouruser service ssh-connection method gssapi-with-mic [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 1 failures 0 > [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for > user ouruser service ssh-connection method keyboard-interactive [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 2 failures 0 > [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: keyboard-interactive > devs [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge: > user=ouruser devs= [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: kbdint_alloc: devices > 'pam' [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge_start: > trying authentication method 'pam' [preauth] > Feb 10 14:56:39 ourserver sshd[3085147]: Postponed keyboard-interactive > for ouruser from x.x.x.x port 35046 ssh2 [preauth] > Feb 10 14:56:42 ourserver sshd[3085152]: debug1: do_pam_account: called > Feb 10 14:56:42 ourserver sshd[3085147]: debug1: PAM: num PAM env strings 2 > Feb 10 14:56:42 ourserver sshd[3085147]: Postponed > keyboard-interactive/pam for ouruser from x.x.x.x port 35046 ssh2 [preauth] > Feb 10 14:56:42 ourserver sshd[3085147]: debug1: do_pam_account: called > > I do see the error that sticks out is " Server > host/[email protected] <mailto:[email protected]> > not found in Kerberos database" but we have students that log in from > all over the world so do all clients need to be added? iptables, > firewalld, and nftables are off and disabled. No hbac rules:
What is ourserver.edu? In order to log in using Kerberos/GSSAPI then the machine acting as the server needs to be enrolled as an IPA client so it has a keytab. rob > ipa hbacrule-find > -------------------- > 2 HBAC rules matched > -------------------- > Rule name: allow_all > User category: all > Host category: all > Service category: all > Description: Allow all users to access any host from any host > Enabled: TRUE > > Rule name: allow_systemd-user > User category: all > Host category: all > Description: Allow pam_systemd to run [email protected] to create a system > user session > Enabled: TRUE > ---------------------------- > Number of entries returned 2 > > Am I missing something obvious to regulars? > > > On Tue, Feb 9, 2021 at 12:34 PM Robert Kudyba <[email protected] > <mailto:[email protected]>> wrote: > > On Tue, Feb 9, 2021 at 12:20 PM Sumit Bose via FreeIPA-users > <[email protected] > <mailto:[email protected]>> wrote: > > On Tue, Feb 09, 2021 at 11:33:15AM -0500, Robert Kudyba via > FreeIPA-users wrote: > > > > > > looks like sshd is trying to read > /home/ouruser/.ssh/authorized_keys and > > > is stuck. Can you read this file from the command line? Is > it e.g. on > > > NFS which might not be properly mounted? > > > > > > Does it work if you skip pubkey authentication > > > > > > ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver > > > > > > bye, > > > Sumit > > > > > > > Thanks for the suggestion. What happens is the NIS password > works. The > > FreeIPA password, which I update with: > > ipa user-mod ouruser --setattr "userpassword=xxxx", fails with > the below > > errors/logs > > > > Feb 9 11:10:34 ourserver sshd[381563]: debug1: Forked child > 536086. > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Set > > /proc/self/oom_score_adj to 0 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: rexec start in > 5 out 5 > > newsock 5 pipe 7 sock 8 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets > after > > dupping: 4, 4 > > Feb 9 11:10:34 ourserver sshd[536086]: Connection from > x.x.x.x port 53332 > > on 150.108.64.156 port 22 rdomain "" > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Local version > string > > SSH-2.0-OpenSSH_8.4 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Remote > protocol version > > 2.0, remote software version OpenSSH_8.4 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: match: > OpenSSH_8.4 pat > > OpenSSH* compat 0x04000000 > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SELinux > support disabled > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > permanently_set_uid: 74/74 > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > list_hostkey_types: > > > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_KEXINIT sent > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_KEXINIT received > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm: > > curve25519-sha256 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: host key > algorithm: > > ecdsa-sha2-nistp256 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > client->server cipher: > > [email protected] <mailto:[email protected]> MAC: > <implicit> compression: none [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > server->client cipher: > > [email protected] <mailto:[email protected]> MAC: > <implicit> compression: none [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > need=32 dh_need=32 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > need=32 dh_need=32 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > > SSH2_MSG_KEX_ECDH_INIT [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey out > after 4294967296 > > blocks [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_NEWKEYS sent > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: Sending > SSH2_MSG_EXT_INFO > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > SSH2_MSG_NEWKEYS > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_NEWKEYS received > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey in after > 4294967296 > > blocks [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > userauth-request for user > > ouruser service ssh-connection method none [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 > failures 0 > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: > initializing for > > "ouruser" > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_RHOST to > > "x.x.x.x" > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_TTY to > > "ssh" > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > userauth-request for user > > ouruser service ssh-connection method keyboard-interactive > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 > failures 0 > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > keyboard-interactive devs > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge: > > user=ouruser devs= [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: > devices 'pam' > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > trying authentication method 'pam' [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: Postponed > keyboard-interactive for > > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > Feb 9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): > authentication > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > user=ouruser > > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > authentication > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > user=ouruser > > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > received for > > user ouruser: 9 (Authentication service cannot retrieve > authentication info) > > Feb 9 11:10:41 ourserver sshd[536086]: error: PAM: > Authentication failure > > for ouruser from x.x.x.x > > Feb 9 11:10:41 ourserver sshd[536086]: Failed > keyboard-interactive/pam for > > ouruser from x.x.x.x port 53332 ssh2 > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > userauth-request for user > > ouruser service ssh-connection method keyboard-interactive > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 > failures 1 > > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > keyboard-interactive devs > > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge: > > user=ouruser devs= [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: > devices 'pam' > > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > trying authentication method 'pam' [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: Postponed > keyboard-interactive for > > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > > > > > Feb 9 11:10:34 ourserver sshd[381563]: debug1: Forked child > 536086. > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Set > > /proc/self/oom_score_adj to 0 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: rexec start in > 5 out 5 > > newsock 5 pipe 7 sock 8 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets > after > > dupping: 4, 4 > > Feb 9 11:10:34 ourserver sshd[536086]: Connection from > x.x.x.x port 53332 > > on 150.108.64.156 port 22 rdomain "" > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Local version > string > > SSH-2.0-OpenSSH_8.4 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Remote > protocol version > > 2.0, remote software version OpenSSH_8.4 > > Feb 9 11:10:34 ourserver sshd[536086]: debug1: match: > OpenSSH_8.4 pat > > OpenSSH* compat 0x04000000 > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SELinux > support disabled > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > permanently_set_uid: 74/74 > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > list_hostkey_types: > > > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_KEXINIT sent > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_KEXINIT received > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm: > > curve25519-sha256 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: host key > algorithm: > > ecdsa-sha2-nistp256 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > client->server cipher: > > [email protected] <mailto:[email protected]> MAC: > <implicit> compression: none [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > server->client cipher: > > [email protected] <mailto:[email protected]> MAC: > <implicit> compression: none [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > need=32 dh_need=32 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > need=32 dh_need=32 [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > > SSH2_MSG_KEX_ECDH_INIT [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey out > after 4294967296 > > blocks [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_NEWKEYS sent > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: Sending > SSH2_MSG_EXT_INFO > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > SSH2_MSG_NEWKEYS > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > SSH2_MSG_NEWKEYS received > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey in after > 4294967296 > > blocks [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > userauth-request for user > > ouruser service ssh-connection method none [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 > failures 0 > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: > initializing for > > "ouruser" > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_RHOST to > > "x.x.x.x" > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_TTY to > > "ssh" > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > userauth-request for user > > ouruser service ssh-connection method keyboard-interactive > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 > failures 0 > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > keyboard-interactive devs > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge: > > user=ouruser devs= [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: > devices 'pam' > > [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > trying authentication method 'pam' [preauth] > > Feb 9 11:10:35 ourserver sshd[536086]: Postponed > keyboard-interactive for > > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > Feb 9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): > authentication > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > user=ouruser > > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > authentication > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > user=ouruser > > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > received for > > user ouruser: 9 (Authentication service cannot retrieve > authentication info) > > Feb 9 11:10:41 ourserver sshd[536086]: error: PAM: > Authentication failure > > for ouruser from x.x.x.x > > Feb 9 11:10:41 ourserver sshd[536086]: Failed > keyboard-interactive/pam for > > ouruser from x.x.x.x port 53332 ssh2 > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > userauth-request for user > > ouruser service ssh-connection method keyboard-interactive > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 > failures 1 > > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > keyboard-interactive devs > > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge: > > user=ouruser devs= [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: > devices 'pam' > > [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > trying authentication method 'pam' [preauth] > > Feb 9 11:10:41 ourserver sshd[536086]: Postponed > keyboard-interactive for > > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > > > With the NIS password the logs show this: > > Hi, > > did you drop what happened before or is this the only debug > output for > the NIS password? > > > The below here are just logs from /var/log/secure for the user that > successfully logs in with his/her NIS password. > > By "drop what happened before" do you mean the original log snip? > Yes I removed those in an attempt to shorten the message content. > > > Feb 9 11:16:57 debug1: do_pam_account: called > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: num PAM > env strings 2 > > Feb 9 11:16:57 ourserver sshd[536226]: Postponed > keyboard-interactive/pam > > for cai from 150.108.68.26 port 53646 ssh2 [preauth] > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: > do_pam_account: called > > Feb 9 11:16:57 ourserver sshd[536226]: Accepted > keyboard-interactive/pam > > for cai from 150.108.68.26 port 53646 ssh2 > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: > monitor_child_preauth: cai > > has been authenticated by privileged process > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: > monitor_read_log: child log > > fd closed > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: audit_event: > unhandled > > event 2 > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: > temporarily_use_uid: > > 5879/200 (e=0/0) > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: > ssh_gssapi_storecreds: Not > > a GSSAPI mechanism > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: restore_uid: 0/0 > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: SELinux > support disabled > > Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: establishing > > credentials > > Feb 9 11:16:57 ourserver systemd[536237]: > pam_unix(systemd-user:session): > > session opened for user cai(uid=5879) by (uid=0) > > > > What options should be set in /etc/ssh/sshd_config? Is sssd > necessary for > > this to work with the FreeIPA password > > > > Yes, SSSD must be configured and runnnig. ssd does appear to be > working fine and in /etc/ipa/ca.crt and the service is running > correctly: > > [domain/ourdomain.edu <http://ourdomain.edu/>] > > id_provider = ipa > ipa_server_mode = True > ipa_server = ourdomain.edu <http://ourdomain.edu/> > ipa_domain = ourdomain.edu <http://ourdomain.edu/> > ipa_hostname = ourdomain.edu <http://ourdomain.edu/> > auth_provider = ipa > chpass_provider = ipa > access_provider = ipa > cache_credentials = True > ldap_tls_cacert = /etc/ipa/ca.crt > krb5_store_password_if_offline = True > [sssd] > services = nss, pam, ifp, ssh, sudo > > domains = ourdomain.edu <http://ourdomain.edu/> > [nss] > homedir_substring = /home > memcache_timeout = 600 > > [ifp] > allowed_uids = ipaapi, root > > systemctl status sssd > * sssd.service - System Security Services Daemon > Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; > vendor preset: enabled) > Active: active (running) since Fri 2021-01-29 14:31:34 EST; 1 > weeks 3 days ago > > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
