Also, ssh logs:

[kns@ti-mum1-pve04 ~]$ ssh kns@10.40.1.201 -v
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/04-ipa.conf
debug1: Executing command: 'true'
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/04-ipa.conf
debug1: Executing command: 'true'
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 10.40.1.201
debug1: identity file /home/kns/.ssh/id_rsa type -1
debug1: identity file /home/kns/.ssh/id_rsa-cert type -1
debug1: identity file /home/kns/.ssh/id_dsa type -1
debug1: identity file /home/kns/.ssh/id_dsa-cert type -1
debug1: identity file /home/kns/.ssh/id_ecdsa type -1
debug1: identity file /home/kns/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kns/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kns/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kns/.ssh/id_ed25519 type -1
debug1: identity file /home/kns/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kns/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kns/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kns/.ssh/id_xmss type -1
debug1: identity file /home/kns/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: compat_banner: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.40.1.201:22 as 'kns'
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-...@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:1BAWa9F52c6u26qe8T9ZQsin3lk+VTFeRYBDtkOzNMU
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts2: No such file or directory
debug1: Host '10.40.1.201' is known and matches the ED25519 host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:2
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/kns/.ssh/id_rsa
debug1: Will attempt key: /home/kns/.ssh/id_dsa
debug1: Will attempt key: /home/kns/.ssh/id_ecdsa
debug1: Will attempt key: /home/kns/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/kns/.ssh/id_ed25519
debug1: Will attempt key: /home/kns/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/kns/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,
sk-ssh-ed25...@openssh.com
,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp...@openssh.com,
webauthn-sk-ecdsa-sha2-nistp...@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic

*debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/10.40.1....@alpha-grep.com not found in Kerberos database*


debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kns/.ssh/id_rsa
debug1: Trying private key: /home/kns/.ssh/id_dsa
debug1: Trying private key: /home/kns/.ssh/id_ecdsa
debug1: Trying private key: /home/kns/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/kns/.ssh/id_ed25519
debug1: Trying private key: /home/kns/.ssh/id_ed25519_sk
debug1: Trying private key: /home/kns/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
(kns@10.40.1.201) Password:



####################################################################################
[kns@ti-mum1-pve04 ~]$ ssh kns@ti-mum1-pve01 -v
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/04-ipa.conf
debug1: Executing command: 'true'
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/04-ipa.conf
debug1: Executing command: 'true'
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ti-mum1-pve01
debug1: identity file /home/kns/.ssh/id_rsa type -1
debug1: identity file /home/kns/.ssh/id_rsa-cert type -1
debug1: identity file /home/kns/.ssh/id_dsa type -1
debug1: identity file /home/kns/.ssh/id_dsa-cert type -1
debug1: identity file /home/kns/.ssh/id_ecdsa type -1
debug1: identity file /home/kns/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kns/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kns/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kns/.ssh/id_ed25519 type -1
debug1: identity file /home/kns/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kns/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kns/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kns/.ssh/id_xmss type -1
debug1: identity file /home/kns/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: compat_banner: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ti-mum1-pve01:22 as 'kns'
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-...@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:1BAWa9F52c6u26qe8T9ZQsin3lk+VTFeRYBDtkOzNMU
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/kns/.ssh/known_hosts2: No such file or directory
debug1: Host 'ti-mum1-pve01' is known and matches the ED25519 host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:2
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/kns/.ssh/id_rsa
debug1: Will attempt key: /home/kns/.ssh/id_dsa
debug1: Will attempt key: /home/kns/.ssh/id_ecdsa
debug1: Will attempt key: /home/kns/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/kns/.ssh/id_ed25519
debug1: Will attempt key: /home/kns/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/kns/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,
sk-ssh-ed25...@openssh.com
,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp...@openssh.com,
webauthn-sk-ecdsa-sha2-nistp...@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
Authenticated to ti-mum1-pve01 (via proxy) using "gssapi-with-mic".
debug1: pkcs11_del_provider: called, provider_id = (null)
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: pledge: proc
debug1: client_input_global_request: rtype hostkeys...@openssh.com want_reply 0
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_GB.UTF-8"
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at
https://red.ht/insights-dashboard
Last login: Tue Oct  3 01:59:36 2023 from 10.40.1.200
[kns@ti-mum1-pve01 ~]$
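
The two transcripts above differ only in the target (IP literal vs hostname) and in the outcome of the gssapi-with-mic step. As an added example (not code from the thread or from any of its participants), the script below parses an `ssh -v` transcript into a short summary: where the matching host key came from, which methods the server offered and the client tried, which one succeeded, and, when GSSAPI fails, which service principal the client asked the KDC for. The embedded transcripts are constructed to mirror the shape of the lines above; the user, hosts, IPs, realm and fingerprint in them are placeholders.

```python
"""Summarise an `ssh -v` transcript: host-key trust source, authentication
methods offered/attempted, the method that succeeded, and the Kerberos
service principal behind a GSSAPI failure.

Added example for the thread above; not code from the thread or from any
participant. Sample transcripts are constructed: user, hosts, IPs, realm and
fingerprint are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed: the by-IP run, shaped like the first transcript in the thread.
SAMPLE_BY_IP = """\
debug1: Authenticating to 10.0.0.201:22 as 'alice'
debug1: Server host key: ssh-ed25519 SHA256:PLACEHOLDERFINGERPRINT
debug1: Host '10.0.0.201' is known and matches the ED25519 host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:2
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/10.0.0.201@EXAMPLE.TEST not found in Kerberos database
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
(alice@10.0.0.201) Password:
"""

# Constructed: the by-hostname run, shaped like the second transcript.
SAMPLE_BY_NAME = """\
debug1: Authenticating to node01:22 as 'alice'
debug1: Host 'node01' is known and matches the ED25519 host key.
debug1: Found key in /var/lib/sss/pubconf/known_hosts:2
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
Authenticated to node01 (via proxy) using "gssapi-with-mic".
"""

RE_TARGET = re.compile(r"Authenticating to (\S+):\d+ as ")
RE_HOSTKEY = re.compile(r"Found key in (\S+):\d+$")
RE_OFFERED = re.compile(r"Authentications that can continue: (\S+)")
RE_NEXT = re.compile(r"Next authentication method: (\S+)")
RE_SUCCESS = re.compile(r'^Authenticated to \S+.* using "([^"]+)"')
RE_PRINCIPAL = re.compile(r"Server (host/\S+@\S+) not found in Kerberos database")
RE_PROMPT = re.compile(r"^\(\S+@\S+\) Password:")
RE_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass
class SshSummary:
    target: str = ""
    hostkey_source: str = ""            # file the matching host key came from
    offered: list = field(default_factory=list)
    attempted: list = field(default_factory=list)
    succeeded: str = ""                 # method named in "Authenticated to ..."
    gss_principal: str = ""             # principal the KDC could not find
    password_prompt: bool = False

    def target_is_ipv4(self) -> bool:
        return RE_IPV4.fullmatch(self.target) is not None


def summarise(transcript: str) -> SshSummary:
    """Walk the transcript once and pick out the lines that decide the outcome."""
    s = SshSummary()
    for line in transcript.splitlines():
        if m := RE_TARGET.search(line):
            s.target = m.group(1)
        elif m := RE_HOSTKEY.search(line):
            s.hostkey_source = m.group(1)
        elif m := RE_OFFERED.search(line):
            if not s.offered:               # server repeats this after each failure
                s.offered = m.group(1).split(",")
        elif m := RE_NEXT.search(line):
            s.attempted.append(m.group(1))
        elif m := RE_SUCCESS.search(line):
            s.succeeded = m.group(1)
        elif m := RE_PRINCIPAL.search(line):
            s.gss_principal = m.group(1)
        elif RE_PROMPT.search(line):
            s.password_prompt = True
    return s


def diagnose(s: SshSummary) -> list:
    """Plain-language notes a defender would want from the summary."""
    notes = []
    if s.hostkey_source.startswith("/var/lib/sss/"):
        notes.append("host key trusted via the SSSD-managed known_hosts (IPA host keys), not ~/.ssh")
    if s.succeeded:
        notes.append(f"authenticated non-interactively with {s.succeeded}")
    if s.gss_principal:
        service = s.gss_principal.split("@", 1)[0]       # e.g. host/10.0.0.201
        note = f"GSSAPI requested a ticket for {s.gss_principal}, which the KDC does not have"
        if s.target_is_ipv4() and service == f"host/{s.target}":
            note += "; the principal was built from the IP literal, while IPA registers host/<fqdn>"
        notes.append(note)
    if s.password_prompt:
        notes.append(f"fell through {', '.join(s.attempted)} to an interactive password prompt")
    return notes


if __name__ == "__main__":
    for label, sample in (("by IP", SAMPLE_BY_IP), ("by name", SAMPLE_BY_NAME)):
        print(f"== {label} ==")
        for n in diagnose(summarise(sample)):
            print(" -", n)
```

`ssh -v` writes its debug output to stderr, so a real run is captured with `ssh -v user@host 2> ssh.log` and fed to `summarise()`. On the by-IP transcript the diagnosis reports that the requested principal was `host/<ip>@REALM`, which matches what the first log above shows: the KDC only knows the host by its FQDN, so the name-based run succeeds with gssapi-with-mic while the IP-based run falls through to the password prompt.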

On Tue, Oct 3, 2023 at 1:19 AM Pradeep KNS <kns.prad...@alpha-grep.com>
wrote:

> Hi,
>
> I am able to configure FreeIPA with an internal DNS which is located on a
> different server, and I have added DNS records under the DNS zone file.
> Now I have created a user and am able to communicate from localhost to the IPA
> client, both key-based and password-based.
>
> *Issue:*
> Not able to ssh from client A --> to client B via key-based
> authentication; it's prompting for a password. But if I use the hostname rather
> than the IP I am able to log in. But most of the time I use the IP only to
> communicate.
>
> Trick:
> If I add ssh-add <Keypath /rsa_pub> and then cache with -A, then I am able to
> communicate with the IP as well, and I can jump to any client from local. But it's a
> trick; it worked, but I would like to know where I can fix this to work
> properly. Rather than doing this trick, how can I jump from one client to
> another without using password-based authentication? Please let me know
> where I need to change the configuration for it to work smoothly.
>
> _kerberos-master._tcp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
> _kerberos-master._udp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
> _kerberos._tcp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
> _kerberos._udp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
> _kerberos.test-local.com. 3600 IN TXT "ALPHA-GREP.COM"
> _kerberos.test-local.com. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa1-mum1.test-local.com."
> _kerberos.test-local.com. 3600 IN URI 0 100 "krb5srv:m:udp:ipa1-mum1.test-local.com."
> _kpasswd._tcp.test-local.com. 3600 IN SRV 0 100 464 ipa1-mum1.test-local.com.
> _kpasswd._udp.test-local.com. 3600 IN SRV 0 100 464 ipa1-mum1.test-local.com.
> _kpasswd.test-local.com. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa1-mum1.test-local.com."
> _kpasswd.test-local.com. 3600 IN URI 0 100 "krb5srv:m:udp:ipa1-mum1.test-local.com."
> _ldap._tcp.test-local.com. 3600 IN SRV 0 100 389 ipa1-mum1.test-local.com.
>
>
>
> On Fri, Sep 1, 2023 at 12:17 PM Pradeep KNS <kns.prad...@alpha-grep.com>
> wrote:
>
>> Thanks a lot,Will try it.
>>
>> On Thu, Aug 31, 2023 at 10:40 AM Yavor Marinov <ymari...@gmail.com>
>> wrote:
>>
>>> Hey guys,
>>>
>>> I would suggest an easier and quite simple method: create a subdomain in
>>> your current DNS, and point its NSes to FreeIPA's DNSes.
>>> Configure FreeIPA with the subdomain instead of the domain, and if needed
>>> create forwarding rules in FreeIPA to use your main DNS as a forwarder.
>>> Additionally, newly added infra can just be CNAME-ed into your main DNS
>>> with specifics (or even an A record). I'm offering this because in our current
>>> infra we are using Google's DNS for the domain, and our centralized login can be
>>> used with both the domain and the subdomain. The only "frustrating"
>>> thing is that I need to change the client's DNS (eg resolv.conf) when I'm
>>> enrolling them, to point to FreeIPA and be able to properly enroll their
>>> DNS records into FreeIPA.
>>>
>>> ~br
>>>
>>> On Wed, Aug 30, 2023 at 11:26 PM Rafael Jeffman via FreeIPA-users <
>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>>>
>>>> Hi Pradeep,
>>>>
>>>> On Wed, Aug 30, 2023 at 3:27 PM Pradeep KNS via FreeIPA-users <
>>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>> >
>>>> > Hi Rob,
>>>> >
>>>> > Thank you for your valuable insights on FreeIPA and DNS. I have an
>>>> > existing internal DNS server that I would like to integrate with FreeIPA's
>>>> > DNS feature. As I understand it, FreeIPA can serve as an integrated DNS
>>>> > solution. However, I would like to ensure that my existing internal DNS
>>>> > infrastructure is utilized alongside FreeIPA's DNS capabilities.
>>>> >
>>>> > Could you provide guidance on how to configure FreeIPA to work with
>>>> > my internal DNS server? Specifically, I'd like to achieve the following:
>>>> >
>>>> > Use FreeIPA for centralized user authentication and management.
>>>>
>>>> That would be just setting up FreeIPA and maintaining correct DNS records,
>>>> so I won't jump into this one.
>>>>
>>>> > Integrate my existing internal DNS server with FreeIPA's DNS, so I
>>>> > can manage internal DNS records within FreeIPA while maintaining the
>>>> > internal DNS functionality.
>>>> >
>>>>
>>>> The short answer is: you can't.
>>>>
>>>> The longer answer might provide a way to almost have what you want.
>>>>
>>>> FreeIPA's embedded nameserver has to be authoritative, and you can only
>>>> manage its records, not the ones on your current DNS infrastructure.
>>>>
>>>> To change DNS management to FreeIPA you'd have to set your internal DNS
>>>> nameserver to be a secondary nameserver, and configure FreeIPA's
>>>> nameserver to notify the internal nameserver of changes. It's doable, but I
>>>> would not recommend doing so.
>>>>
>>>> Another possibility is to change DNS infrastructure to use FreeIPA instead of
>>>> the current nameserver.
>>>>
>>>> If you can manage your internal zones with the limitations that FreeIPA's
>>>> nameserver has (e.g. split-view is not supported), then you could plan on
>>>> retiring the current nameserver in favor of the FreeIPA one. With replicas you
>>>> can also get redundancy on the nameservers.
>>>>
>>>> If your current nameserver is exposed to the world, again, I'd suggest against
>>>> this move.
>>>>
>>>> Bottom line, either use your current DNS infrastructure or fully migrate to
>>>> FreeIPA.
>>>>
>>>> Rafael
>>>>
>>>> > I want to avoid any conflicts between FreeIPA's DNS and my existing
>>>> > internal DNS server. Your expertise in this matter would greatly assist me
>>>> > in achieving a successful and well-integrated DNS solution.
>>>> >
>>>> > Thank you for your time and support.
>>>> >
>>>> >
>>>> > On Wed, Aug 30, 2023 at 6:34 PM Rob Crittenden <rcrit...@redhat.com>
>>>> wrote:
>>>> >>
>>>> >> Pradeep KNS via FreeIPA-users wrote:
>>>> >> > Hello Team,
>>>> >> >
>>>> >> > While setting up FreeIPA in my Linux infrastructure, I noticed a
>>>> >> > strange warning. I would like to clarify before rolling into production.
>>>> >> >
>>>> >> > *|DNS zone alpha-grep.com. already exists in DNS
>>>> >> > and is handled by server(s): ['ns2.', 'ns1.'] Please make sure that the
>>>> >> > domain is properly delegated to this IPA server.|*
>>>> >> >
>>>> >> > The detailed installation log I have uploaded at this link. Please suggest
>>>> >> > whether it will be any security flaw in future, before installing it on
>>>> >> > production.
>>>> >> >
>>>> >> > https://bpa.st/AMITK
>>>> >>
>>>> >> I'm not sure what security issue you are worried about but you
>>>> >> explicitly allow this configuration with the --allow-zone-overlap
>>>> >> install option.
>>>> >>
>>>> >> Your domain DNS is managed externally and you've installed a DNS server
>>>> >> to be authoritative for the same domain. If you want to expose your IPA
>>>> >> DNS to the Internet you'll need to repoint the nameservers on your
>>>> >> domain to your IPA host.
>>>> >>
>>>> >> If what you're hoping to do is provide views, to limit what hosts are
>>>> >> resolvable depending on where the request is coming from, that is not
>>>> >> available in IPA. While IPA uses bind under the hood not all
>>>> >> capabilities are exposed.
>>>> >>
>>>> >> So whether this configuration is acceptable or not is up to you.
>>>> >>
>>>> >> rob
>>>> >>
>>>> > _______________________________________________
>>>> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> > To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> > Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> > List Guidelines:
>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> > List Archives:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>> > Do not reply to spam, report it:
>>>> https://pagure.io/fedora-infrastructure/new_issue
>>>>
>>>>
>>>>
>>>> --
>>>> Rafael Guterres Jeffman
>>>> Senior Software Engineer
>>>> FreeIPA - Red Hat
>>>>
>>>
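
The Oct 3 message quoted above lists the SRV, TXT and URI records that let a krb5 client discover the realm and KDCs for a domain through DNS (dns_lookup_realm reads `_kerberos.<domain> TXT`; dns_lookup_kdc reads the `_kerberos._tcp/_udp` SRV records and, on recent MIT krb5, the `_kerberos` URI records). As an added example (not code from the thread or any participant), the script below parses such a zone fragment, reports what a client would learn from it, renders the equivalent static `[realms]` stanza for hosts where DNS lookup is disabled, and flags inconsistencies worth checking before enrolling clients. The embedded zone fragment is constructed; example.test, EXAMPLE.TEST and kdc1 are placeholders.

```python
"""Parse Kerberos DNS discovery records (SRV/TXT/URI) and report what a krb5
client would derive from them.

Added example for the thread above; not from the thread. The zone fragment
is constructed: example.test, EXAMPLE.TEST and kdc1 are placeholders.
"""
import re

# Constructed zone fragment modelled on the record shapes quoted in the thread.
ZONE = """\
_kerberos-master._tcp.example.test. 3600 IN SRV 0 100 88 kdc1.example.test.
_kerberos-master._udp.example.test. 3600 IN SRV 0 100 88 kdc1.example.test.
_kerberos._tcp.example.test. 3600 IN SRV 0 100 88 kdc1.example.test.
_kerberos._udp.example.test. 3600 IN SRV 0 100 88 kdc1.example.test.
_kerberos.example.test. 3600 IN TXT "EXAMPLE.TEST"
_kerberos.example.test. 3600 IN URI 0 100 "krb5srv:m:tcp:kdc1.example.test."
_kerberos.example.test. 3600 IN URI 0 100 "krb5srv:m:udp:kdc1.example.test."
_kpasswd._tcp.example.test. 3600 IN SRV 0 100 464 kdc1.example.test.
_kpasswd._udp.example.test. 3600 IN SRV 0 100 464 kdc1.example.test.
_ldap._tcp.example.test. 3600 IN SRV 0 100 389 kdc1.example.test.
"""

SRV_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$")
TXT_RE = re.compile(r'^(?P<name>\S+)\s+\d+\s+IN\s+TXT\s+"(?P<text>[^"]*)"$')
URI_RE = re.compile(r'^(?P<name>\S+)\s+\d+\s+IN\s+URI\s+\d+\s+\d+\s+"(?P<uri>[^"]*)"$')


def parse_kerberos_dns(zone: str, domain: str) -> dict:
    """Collect what dns_lookup_realm / dns_lookup_kdc would find for `domain`."""
    suffix = "." + domain.rstrip(".") + "."          # ".example.test."
    info = {"realm": None, "kdc": [], "master_kdc": [], "kpasswd": [], "ldap": [], "uri": []}
    for raw in zone.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := SRV_RE.match(line):
            name = m["name"]
            if not name.endswith(suffix):
                continue
            service = name[: -len(suffix)]              # "_kerberos._tcp" etc.
            entry = f"{m['target'].rstrip('.')}:{int(m['port'])}"
            if service.startswith("_kerberos-master."):
                info["master_kdc"].append(entry)
            elif service.startswith("_kerberos."):
                info["kdc"].append(entry)
            elif service.startswith("_kpasswd."):
                info["kpasswd"].append(entry)
            elif service.startswith("_ldap."):
                info["ldap"].append(entry)
        elif m := TXT_RE.match(line):
            if m["name"] == "_kerberos" + suffix:
                info["realm"] = m["text"]
        elif m := URI_RE.match(line):
            if m["name"] == "_kerberos" + suffix:
                info["uri"].append(m["uri"])
    for key in ("kdc", "master_kdc", "kpasswd", "ldap"):   # tcp+udp give duplicates
        info[key] = list(dict.fromkeys(info[key]))
    return info


def render_krb5_realm(info: dict) -> str:
    """Static [realms] stanza equivalent to the DNS records (for dns_lookup_kdc = false)."""
    lines = [f"{info['realm']} = {{"]
    lines += [f"  kdc = {e}" for e in info["kdc"]]
    lines += [f"  master_kdc = {e}" for e in info["master_kdc"]]
    lines += [f"  kpasswd_server = {e}" for e in info["kpasswd"]]
    lines.append("}")
    return "\n".join(lines)


def check_discovery(info: dict, expected_realm: str) -> list:
    """Flag records that would send clients somewhere other than intended."""
    issues = []
    if info["realm"] != expected_realm:
        issues.append(f"_kerberos TXT maps the domain to realm {info['realm']!r}, expected {expected_realm!r}")
    if not info["kdc"]:
        issues.append("no _kerberos SRV records: clients cannot locate a KDC via DNS")
    for e in info["kdc"] + info["master_kdc"]:
        if not e.endswith(":88"):
            issues.append(f"KDC {e} is not on the standard port 88")
    for e in info["kpasswd"]:
        if not e.endswith(":464"):
            issues.append(f"kpasswd server {e} is not on the standard port 464")
    for u in info["uri"]:
        if not u.startswith("krb5srv:"):
            issues.append(f"unexpected _kerberos URI record {u!r}")
    return issues


if __name__ == "__main__":
    found = parse_kerberos_dns(ZONE, "example.test")
    print(render_krb5_realm(found))
    print(check_discovery(found, "EXAMPLE.TEST") or "discovery records consistent")
```

The `expected_realm` argument is the realm the hosts are actually enrolled in; a mismatch between it and the `_kerberos TXT` record is the first thing to rule out when clients in one DNS domain authenticate against a realm with a different name.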