> > What is ourserver.edu? In order to log in using Kerberos/GSSAPI then the > machine acting as the server needs to be enrolled as an IPA client so it > has a keytab. > rob
OK I added a Fedora server as a client. From ipa host-show client.ourserver.edu Host name: client.ourserver.edu Platform: x86_64 Operating system: 5.10.13-200.fc33.x86_64 Principal name: host/[email protected] Principal alias: host/[email protected] SSH public key fingerprint: SHA256:xxx(ecdsa-sha2-nistp256), SHA256:xxx (ssh-ed25519), SHA256:xxx (ssh-rsa) Password: False Keytab: True Managed by: client.ourserver.edu ssh -k still fails. I created a new user in via ipa user-add and that user also fails even with a su -: su: user testuser does not exist or the user entry does not contain all the required fields Feb 11 15:07:21 ourserver sshd[609424]: debug1: rekey out after 4294967296 blocks [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: SSH2_MSG_NEWKEYS sent [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: Sending SSH2_MSG_EXT_INFO [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: expecting SSH2_MSG_NEWKEYS [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: SSH2_MSG_NEWKEYS received [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: rekey in after 4294967296 blocks [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: KEX done [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: userauth-request for user yume service ssh-connection method none [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: attempt 0 failures 0 [preauth] Feb 11 15:07:21 ourserver sshd[609424]: Invalid user testuser from x.x.x.x port 36264 Feb 11 15:07:21 ourserver sshd[609424]: debug1: PAM: initializing for "testuser" Feb 11 15:07:21 ourserver sshd[609424]: debug1: PAM: setting PAM_RHOST to "x.x.x.x" Feb 11 15:07:21 ourserver sshd[609424]: debug1: PAM: setting PAM_TTY to "ssh" Feb 11 15:07:21 ourserver sshd[609424]: debug1: userauth-request for user testuser service ssh-connection method keyboard-interactive [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: attempt 1 failures 0 [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: keyboard-interactive devs [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: auth2_challenge: user=testuser devs= [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: kbdint_alloc: devices 'pam' [preauth] Feb 11 15:07:21 ourserver sshd[609424]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] Feb 11 15:07:21 ourserver sshd[609424]: Postponed keyboard-interactive for invalid user testuser from x.x.x.x port 36264 ssh2 [preauth] Feb 11 15:07:24 ourserver sshd[609424]: Connection closed by invalid user testuser x.x.x.x port 36264 [preauth] are you sure the sssd.conf you have send earlier it the right one? > SSSD'S 'proxy_child' should be only be called if the proxy provider is > configured? > > bye, > Sumit > Sorry, you are correct. I'm testing between 2 test NIS servers to see if there's a difference in behavior but the same problem, ssh -k never works with the FreeIPA/Kerberos password > > > Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): > authentication > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser > > Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): received for > > user ouruser: 7 (Authentication failure) > > Feb 10 14:36:33 ourserver sshd[3084339]: error: PAM: Authentication > failure > > for ouruser from x.x.x.x > > Feb 10 14:36:33 ourserver sshd[3084339]: Failed keyboard-interactive/pam > > for ouruser from x.x.x.x port 34160 ssh2 > > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: userauth-request for > user > > ouruser service ssh-connection method keyboard-interactive [preauth] > > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: attempt 3 failures 1 > > [preauth] > > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: keyboard-interactive > devs > > [preauth] > > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge: > > user=ouruser devs= [preauth] > > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: kbdint_alloc: devices > > 'pam' [preauth] > > Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge_start: > > trying authentication method 'pam' [preauth] > > Feb 10 14:36:33 ourserver sshd[3084339]: Postponed keyboard-interactive > for > > ouruser from x.x.x.x port 34160 ssh2 [preauth] > > > > I verified the FreeIPA password in both the GUI and via ipa user-mod. The > > only time the user is able to log in is using the NIS password. > ldapsearch > > -x -D and kinit username work successfully. klist displays the user > details > > correctly. > > > > I can see that the installation script edits /etc/ssh/sshd_config with: > > Include /etc/ssh/sshd_config.d/04-ipa.conf > > > > which has: > > PubkeyAuthentication yes > > KerberosAuthentication no > > GSSAPIAuthentication yes > > UsePAM yes > > ChallengeResponseAuthentication yes > > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys > > AuthorizedKeysCommandUser nobody > > > > When the NIS password is used successfully here are the server logs: > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for > user > > ouruser service ssh-connection method none [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 0 failures 0 > > [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: connection from x.x.x.x > > matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158 > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: initializing for > > "ouruser" > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_RHOST > to > > "x.x.x.x" > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_TTY to > > "ssh" > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for > user > > ouruser service ssh-connection method gssapi-with-mic [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 1 failures 0 > > [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for > user > > ouruser service ssh-connection method keyboard-interactive [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 2 failures 0 > > [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: keyboard-interactive > devs > > [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge: > > user=ouruser devs= [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: kbdint_alloc: devices > > 'pam' [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge_start: > > trying authentication method 'pam' [preauth] > > Feb 10 14:56:39 ourserver sshd[3085147]: Postponed keyboard-interactive > for > > ouruser from x.x.x.x port 35046 ssh2 [preauth] > > Feb 10 14:56:42 ourserver sshd[3085152]: debug1: do_pam_account: called > > Feb 10 14:56:42 ourserver sshd[3085147]: debug1: PAM: num PAM env > strings 2 > > Feb 10 14:56:42 ourserver sshd[3085147]: Postponed > keyboard-interactive/pam > > for ouruser from x.x.x.x port 35046 ssh2 [preauth] > > Feb 10 14:56:42 ourserver sshd[3085147]: debug1: do_pam_account: called > > > > I do see the error that sticks out is " Server host/ > > [email protected] not found in Kerberos database" but we have > > students that log in from all over the world so do all clients need to be > > added? iptables, firewalld, and nftables are off and disabled. No hbac > > rules: > > ipa hbacrule-find > > -------------------- > > 2 HBAC rules matched > > -------------------- > > Rule name: allow_all > > User category: all > > Host category: all > > Service category: all > > Description: Allow all users to access any host from any host > > Enabled: TRUE > > > > Rule name: allow_systemd-user > > User category: all > > Host category: all > > Description: Allow pam_systemd to run [email protected] to create a system > > user session > > Enabled: TRUE > > ---------------------------- > > Number of entries returned 2 > > > > Am I missing something obvious to regulars? > > > > > > On Tue, Feb 9, 2021 at 12:34 PM Robert Kudyba <[email protected]> > wrote: > > > > > On Tue, Feb 9, 2021 at 12:20 PM Sumit Bose via FreeIPA-users < > > > [email protected]> wrote: > > > > > >> On Tue, Feb 09, 2021 at 11:33:15AM -0500, Robert Kudyba via > FreeIPA-users > > >> wrote: > > >> > > > > >> > > looks like sshd is trying to read > /home/ouruser/.ssh/authorized_keys > > >> and > > >> > > is stuck. Can you read this file from the command line? Is it > e.g. on > > >> > > NFS which might not be properly mounted? > > >> > > > > >> > > Does it work if you skip pubkey authentication > > >> > > > > >> > > ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver > > >> > > > > >> > > bye, > > >> > > Sumit > > >> > > > > >> > > > >> > Thanks for the suggestion. What happens is the NIS password works. > The > > >> > FreeIPA password, which I update with: > > >> > ipa user-mod ouruser --setattr "userpassword=xxxx", fails with the > below > > >> > errors/logs > > >> > > > >> > Feb 9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086. > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Set > > >> > /proc/self/oom_score_adj to 0 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 > out 5 > > >> > newsock 5 pipe 7 sock 8 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after > > >> > dupping: 4, 4 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port > > >> 53332 > > >> > on 150.108.64.156 port 22 rdomain "" > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Local version string > > >> > SSH-2.0-OpenSSH_8.4 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol > version > > >> > 2.0, remote software version OpenSSH_8.4 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 > pat > > >> > OpenSSH* compat 0x04000000 > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SELinux support > disabled > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid: > > >> 74/74 > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types: > > >> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 > > >> [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT > sent > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT > > >> received > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm: > > >> > curve25519-sha256 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: host key > algorithm: > > >> > ecdsa-sha2-nistp256 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server > > >> cipher: > > >> > [email protected] MAC: <implicit> compression: none [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client > > >> cipher: > > >> > [email protected] MAC: <implicit> compression: none [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > >> > need=32 dh_need=32 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > >> > need=32 dh_need=32 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > > >> > SSH2_MSG_KEX_ECDH_INIT [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey out after > > >> 4294967296 > > >> > blocks [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS > sent > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: Sending > > >> SSH2_MSG_EXT_INFO > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > > >> SSH2_MSG_NEWKEYS > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS > > >> received > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey in after > > >> 4294967296 > > >> > blocks [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for > > >> user > > >> > ouruser service ssh-connection method none [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0 > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing > for > > >> > "ouruser" > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_RHOST > > >> to > > >> > "x.x.x.x" > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_TTY to > > >> > "ssh" > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for > > >> user > > >> > ouruser service ssh-connection method keyboard-interactive [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0 > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive > > >> devs > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge: > > >> > user=ouruser devs= [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: > devices > > >> 'pam' > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > >> > trying authentication method 'pam' [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: Postponed > keyboard-interactive > > >> for > > >> > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > >> > Feb 9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): > > >> authentication > > >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > > >> user=ouruser > > >> > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > > >> authentication > > >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > user=ouruser > > >> > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > received for > > >> > user ouruser: 9 (Authentication service cannot retrieve > authentication > > >> info) > > >> > Feb 9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication > > >> failure > > >> > for ouruser from x.x.x.x > > >> > Feb 9 11:10:41 ourserver sshd[536086]: Failed > keyboard-interactive/pam > > >> for > > >> > ouruser from x.x.x.x port 53332 ssh2 > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for > > >> user > > >> > ouruser service ssh-connection method keyboard-interactive [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1 > > >> > [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive > > >> devs > > >> > [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge: > > >> > user=ouruser devs= [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: > devices > > >> 'pam' > > >> > [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > >> > trying authentication method 'pam' [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: Postponed > keyboard-interactive > > >> for > > >> > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > >> > > > >> > > > >> > Feb 9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086. > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Set > > >> > /proc/self/oom_score_adj to 0 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 > out 5 > > >> > newsock 5 pipe 7 sock 8 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after > > >> > dupping: 4, 4 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port > > >> 53332 > > >> > on 150.108.64.156 port 22 rdomain "" > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Local version string > > >> > SSH-2.0-OpenSSH_8.4 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol > version > > >> > 2.0, remote software version OpenSSH_8.4 > > >> > Feb 9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 > pat > > >> > OpenSSH* compat 0x04000000 > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SELinux support > disabled > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid: > > >> 74/74 > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types: > > >> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 > > >> [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT > sent > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT > > >> received > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm: > > >> > curve25519-sha256 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: host key > algorithm: > > >> > ecdsa-sha2-nistp256 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server > > >> cipher: > > >> > [email protected] MAC: <implicit> compression: none [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client > > >> cipher: > > >> > [email protected] MAC: <implicit> compression: none [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > >> > need=32 dh_need=32 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kex: > curve25519-sha256 > > >> > need=32 dh_need=32 [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > > >> > SSH2_MSG_KEX_ECDH_INIT [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey out after > > >> 4294967296 > > >> > blocks [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS > sent > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: Sending > > >> SSH2_MSG_EXT_INFO > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: expecting > > >> SSH2_MSG_NEWKEYS > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS > > >> received > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: rekey in after > > >> 4294967296 > > >> > blocks [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for > > >> user > > >> > ouruser service ssh-connection method none [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0 > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing > for > > >> > "ouruser" > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_RHOST > > >> to > > >> > "x.x.x.x" > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting > PAM_TTY to > > >> > "ssh" > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for > > >> user > > >> > ouruser service ssh-connection method keyboard-interactive [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0 > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive > > >> devs > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge: > > >> > user=ouruser devs= [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: > devices > > >> 'pam' > > >> > [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > >> > trying authentication method 'pam' [preauth] > > >> > Feb 9 11:10:35 ourserver sshd[536086]: Postponed > keyboard-interactive > > >> for > > >> > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > >> > Feb 9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): > > >> authentication > > >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > > >> user=ouruser > > >> > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > > >> authentication > > >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x > user=ouruser > > >> > Feb 9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): > received for > > >> > user ouruser: 9 (Authentication service cannot retrieve > authentication > > >> info) > > >> > Feb 9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication > > >> failure > > >> > for ouruser from x.x.x.x > > >> > Feb 9 11:10:41 ourserver sshd[536086]: Failed > keyboard-interactive/pam > > >> for > > >> > ouruser from x.x.x.x port 53332 ssh2 > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for > > >> user > > >> > ouruser service ssh-connection method keyboard-interactive [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1 > > >> > [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive > > >> devs > > >> > [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge: > > >> > user=ouruser devs= [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: > devices > > >> 'pam' > > >> > [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: debug1: > auth2_challenge_start: > > >> > trying authentication method 'pam' [preauth] > > >> > Feb 9 11:10:41 ourserver sshd[536086]: Postponed > keyboard-interactive > > >> for > > >> > ouruser from x.x.x.x port 53332 ssh2 [preauth] > > >> > > > >> > With the NIS password the logs show this: > > >> > > >> Hi, > > >> > > >> did you drop what happened before or is this the only debug output for > > >> the NIS password? > > >> > > > > > > The below here are just logs from /var/log/secure for the user that > > > successfully logs in with his/her NIS password. > > > > > > By "drop what happened before" do you mean the original log snip? Yes I > > > removed those in an attempt to shorten the message content. > > > > > > > Feb 9 11:16:57 debug1: do_pam_account: called > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: num PAM env > > >> strings 2 > > >> > Feb 9 11:16:57 ourserver sshd[536226]: Postponed > > >> keyboard-interactive/pam > > >> > for cai from 150.108.68.26 port 53646 ssh2 [preauth] > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: do_pam_account: > called > > >> > Feb 9 11:16:57 ourserver sshd[536226]: Accepted > > >> keyboard-interactive/pam > > >> > for cai from 150.108.68.26 port 53646 ssh2 > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: > monitor_child_preauth: > > >> cai > > >> > has been authenticated by privileged process > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: monitor_read_log: > child > > >> log > > >> > fd closed > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: audit_event: > unhandled > > >> > event 2 > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: temporarily_use_uid: > > >> > 5879/200 (e=0/0) > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: > ssh_gssapi_storecreds: > > >> Not > > >> > a GSSAPI mechanism > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: restore_uid: 0/0 > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: SELinux support > disabled > > >> > Feb 9 11:16:57 ourserver sshd[536226]: debug1: PAM: establishing > > >> > credentials > > >> > Feb 9 11:16:57 ourserver systemd[536237]: > > >> pam_unix(systemd-user:session): > > >> > session opened for user cai(uid=5879) by (uid=0) > > >> > > > >> > What options should be set in /etc/ssh/sshd_config? Is sssd > necessary > > >> for > > >> > this to work with the FreeIPA password > > >> > > > > > > > > > Yes, SSSD must be configured and runnnig. ssd does appear to be working > > > fine and in /etc/ipa/ca.crt and the service is running correctly: > > > > > > [domain/ourdomain.edu] > > > > > > id_provider = ipa > > > ipa_server_mode = True > > > ipa_server = ourdomain.edu > > > ipa_domain = ourdomain.edu > > > ipa_hostname = ourdomain.edu > > > auth_provider = ipa > > > chpass_provider = ipa > > > access_provider = ipa > > > cache_credentials = True > > > ldap_tls_cacert = /etc/ipa/ca.crt > > > krb5_store_password_if_offline = True > > > [sssd] > > > services = nss, pam, ifp, ssh, sudo > > > > > > domains = ourdomain.edu > > > [nss] > > > homedir_substring = /home > > > memcache_timeout = 600 > > > > > > [ifp] > > > allowed_uids = ipaapi, root > > > > > > systemctl status sssd > > > * sssd.service - System Security Services Daemon > > > Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; > vendor > > > preset: enabled) > > > Active: active (running) since Fri 2021-01-29 14:31:34 EST; 1 > weeks 3 > > > days ago > > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- [email protected] > > To unsubscribe send an email to > [email protected] > > Fedora Code of Conduct: > https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=Wf0XG9UQFh7Otn3AfsIN3m_k5iZO6z5UZ8iiZyKJO1c&e= > > List Guidelines: > https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=A4XgtYWDmc342f9TUosxqQW8CvhysH_kCNVhICTkSH8&e= > > List Archives: > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_freeipa-2Dusers-40lists.fedorahosted.org&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=OvsSkJLqW6zqUPpT-3uFhbyywrWiezlb2Dc0sPD3juI&e= > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=Wf0XG9UQFh7Otn3AfsIN3m_k5iZO6z5UZ8iiZyKJO1c&e= > List Guidelines: > https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=A4XgtYWDmc342f9TUosxqQW8CvhysH_kCNVhICTkSH8&e= > List Archives: > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_freeipa-2Dusers-40lists.fedorahosted.org&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=OvsSkJLqW6zqUPpT-3uFhbyywrWiezlb2Dc0sPD3juI&e= > Do not reply to spam on the list, report it: > https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_fedora-2Dinfrastructure&d=DwIGaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=cTJlTRQX9Axg1tydxKYEmbl2IKrxckS0U2ceGADLUso&s=VGfRu0gOqDssAffGJHrW6TLN8gmg3hHQXfLGNwNIXfY&e= >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
