KodaK wrote:
Hello,

I'm attempting to configure an AIX 5.3 client, I've followed the instructions
(and then some) that are found here:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_AIX.html

I keep overcoming hurdles (like the documentation asking you in step 3
to authenticate with a user you create in step 11) but now I'm really stuck.
I have a user, creatively named "testuser" and the password is of sufficient
complexity.  I can authenticate with this user to a Linux box that's been
configured with the ipa-client, so I'm pretty sure my server configuration is
OK.

When I connect to an AIX client, though, it tells me:

Received disconnect from 10.200.2.68: 2: Too many authentication
failures for testuser

Here's the output of ssh -v testu...@slnldca01.unix.magellanhealth.com:

[jebalicki@mo0031472 ~]$ kinit testuser
Password for testu...@unix.magellanhealth.com:
[jebalicki@mo0031472 ~]$ ssh -v testu...@slnldca01.unix.magellanhealth.com
OpenSSH_5.6p1, OpenSSL 1.0.0g-fips 18 Jan 2012
debug1: Reading configuration data /home/jebalicki/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to slnldca01.unix.magellanhealth.com [10.200.2.68] port 22.
debug1: Connection established.
debug1: identity file /home/jebalicki/.ssh/id_rsa type 1
debug1: identity file /home/jebalicki/.ssh/id_rsa-cert type -1
debug1: identity file /home/jebalicki/.ssh/id_dsa type -1
debug1: identity file /home/jebalicki/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'slnldca01.unix.magellanhealth.com' is known and matches
the RSA host key.
debug1: Found key in /home/jebalicki/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jebalicki/.ssh/id_rsa
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /home/jebalicki/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: password
testu...@slnldca01.unix.magellanhealth.com's password:
Received disconnect from 10.200.2.68: 2: Too many authentication
failures for testuser

Here's the output of sshd -ddd on the AIX client:

bash-3.00# /usr/sbin/sshd -dddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 248
debug2: parse_server_config: config /etc/ssh/sshd_config len 248
debug1: sshd version OpenSSH_4.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 248
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 10.200.10.117 port 49075
debug1: Client protocol version 2.0; client software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.1
debug1: init_func_ptrs passed
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 202:201
debug1: permanently_set_uid: 202/201
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug2: Network child is on pid 348394
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 481/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 505/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: monitor_read: checking request 4
debug3: mm_request_receive_expect entering: type 5
debug3: mm_answer_sign
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 20042f88(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug3: mm_request_receive entering
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user testuser service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: monitor_read: checking request 6
debug3: mm_request_receive_expect entering: type 7
debug3: mm_answer_pwnamallow
debug3: mm_request_receive entering
debug3: AIX/loginrestrictions returned 0 msg (none)
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: input_userauth_request: setting up authctxt for testuser
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 3
debug3: mm_auth_password entering
debug3: mm_answer_authserv: service=ssh-connection, style=
debug3: mm_request_send entering: type 10
debug2: monitor_read: 3 used once, disabling now
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 11
debug3: monitor_read: checking request 10
debug3: mm_request_receive entering
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for testuser from 10.200.10.117 port 49075 ssh2
Failed none for testuser from 10.200.10.117 port 49075 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: mm_request_receive_expect entering: type 38
debug3: monitor_read: checking request 37
debug3: mm_request_receive entering
debug1: Miscellaneous failure
No principal in keytab matches desired name

debug3: mm_request_send entering: type 38
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method gssapi-with-mic
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method publickey
debug1: attempt 5 failures 5
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 20042fd8
debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
debug1: trying public key file /home/testuser/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
debug1: trying public key file /home/testuser/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 20042fd8 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method keyboard-interactive
debug1: attempt 6 failures 6
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=testuser devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for testuser from 10.200.10.117 port 49075 ssh2
debug1: userauth-request for user testuser service ssh-connection
method password
debug1: attempt 7 failures 7
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: inside auth_password
debug3: AIX/authenticate result 1, msg
debug3: AIX SYSTEM attribute KRB5ALXAP or compat
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed password for testuser from 10.200.10.117 port 49075 ssh2
debug3: mm_auth_password: user not authenticated
Failed password for testuser from 10.200.10.117 port 49075 ssh2
Disconnecting: Too many authentication failures for testuser
debug1: do_cleanup
debug3: AIX/setauthdb set registry 'LDAP'
debug3: aix_restoreauthdb: restoring old registry ''
debug3: mm_request_receive entering
debug1: do_cleanup
bash-3.00#

here's klist -k -e on the AIX box:

bash-3.00# /usr/krb5/bin/klist -k -e
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
    1 sshd/slnldca01.unix.magellanhealth....@unix.magellanhealth.com
(DES cbc mode with CRC-32)
    3 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(Triple DES cbc mode with HMAC/sha1)
    3 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(ArcFour with HMAC/md5)
    4 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(Triple DES cbc mode with HMAC/sha1)
    4 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(ArcFour with HMAC/md5)
    5 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(Triple DES cbc mode with HMAC/sha1)
    5 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(ArcFour with HMAC/md5)
    6 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(DES cbc mode with CRC-32)
    6 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(Triple DES cbc mode with HMAC/sha1)
    6 host/slpidml01.unix.magellanhealth....@unix.magellanhealth.com
(ArcFour with HMAC/md5)
    2 sshd/slnldca01.unix.magellanhealth....@unix.magellanhealth.com
(DES cbc mode with CRC-32)
    2 sshd/slnldca01.unix.magellanhealth....@unix.magellanhealth.com
(Triple DES cbc mode with HMAC/sha1)
    2 sshd/slnldca01.unix.magellanhealth....@unix.magellanhealth.com
(ArcFour with HMAC/md5)
    1 host/slnldca01.unix.magellanhealth....@unix.magellanhealth.com
(Triple DES cbc mode with HMAC/sha1)
    1 host/slnldca01.unix.magellanhealth....@unix.magellanhealth.com
(ArcFour with HMAC/md5)

here's the relevant portion in krb5kdc.log:

ar 30 18:13:10 slpidml01.unix.magellanhealth.com krb5kdc[13765](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.200.10.117: ISSUE: authtime
1333149153, etypes {rep=18 tkt=16 ses=16},
testu...@unix.magellanhealth.com for
host/slnldca01.unix.magellanhealth....@unix.magellanhealth.com
Mar 30 18:13:15 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
NEEDED_PREAUTH: testu...@unix.magellanhealth.com for
krbtgt/unix.magellanhealth....@unix.magellanhealth.com, Additional
pre-authentication required
Mar 30 18:13:16 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
ISSUE: authtime 1333149196, etypes {rep=16 tkt=18 ses=16},
testu...@unix.magellanhealth.com for
krbtgt/unix.magellanhealth....@unix.magellanhealth.com

Any help?  If it's not obvious, I have no clue what I'm doing -- but
I've been banging my head on this for three days straight; I have a
ticket open with Red Hat and I've been reading everything I can find.

Oh, I get similar entries in the kdc log if I telnet instead of ssh:

Mar 30 18:33:42 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
NEEDED_PREAUTH: testu...@unix.magellanhealth.com for
krbtgt/unix.magellanhealth....@unix.magellanhealth.com, Additional
pre-authentication required
Mar 30 18:33:43 slpidml01.unix.magellanhealth.com
krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
ISSUE: authtime 1333150423, etypes {rep=16 tkt=18 ses=16},
testu...@unix.magellanhealth.com for
krbtgt/unix.magellanhealth....@unix.magellanhealth.com

The sshd output suggests that it can't find its own service principal:

No principal in keytab matches desired name

The keytab looks OK; you might check permissions to make sure it can be read by sshd. You shouldn't need sshd services; it uses the host service principal.

rob
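To check the two things rob points at, here is an added example (not from the thread, and not FreeIPA or AIX code): it parses `klist -k -e` output, looks for the host/<fqdn>@REALM entry that sshd's GSSAPI acceptor needs (its absence is the "No principal in keytab matches desired name" case), and runs readability checks on the keytab file. The hostnames and realm in the embedded sample are constructed placeholders, and the group/world-readable warning is a hardening point beyond what the thread states.

```python
import os
import re
import stat

# Listing constructed to mirror the AIX `klist -k -e` output in the thread;
# real names are replaced by placeholders. Two entries have their "(enctype)"
# wrapped onto the next line, as happens when the listing is pasted into mail.
SAMPLE_KLIST = """\
Keytab name:  FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
    1 sshd/aixclient.example.test@EXAMPLE.TEST
(DES cbc mode with CRC-32)
    1 host/aixclient.example.test@EXAMPLE.TEST
(Triple DES cbc mode with HMAC/sha1)
    1 host/aixclient.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.+)\))?\s*$")
ETYPE_RE = re.compile(r"^\s*\((.+)\)\s*$")

def parse_klist(text):
    """Parse `klist -k -e` output into {principal: [(kvno, enctype), ...]}."""
    entries, last = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:                      # "<kvno> <principal> [(enctype)]"
            kvno, principal, etype = m.groups()
            last = [int(kvno), etype]
            entries.setdefault(principal, []).append(last)
            continue
        m = ETYPE_RE.match(line)   # enctype wrapped onto its own line
        if m and last is not None and last[1] is None:
            last[1] = m.group(1)
    return {p: [tuple(e) for e in v] for p, v in entries.items()}

def acceptor_entries(entries, fqdn, realm):
    """Keys for host/<fqdn>@<REALM>, the name sshd's GSSAPI acceptor looks up.
    An empty result is the 'No principal in keytab matches desired name'
    situation; fqdn must be the name the client actually connected to."""
    return entries.get("host/%s@%s" % (fqdn, realm), [])

def keytab_problems(path):
    """Keytab exists and is readable by this process; also flag group/world
    readability (a hardening point, not something sshd itself needs)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append("%s not readable by uid %d" % (path, os.getuid()))
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("%s is group/world readable (mode %o)" % (path, stat.S_IMODE(st.st_mode)))
    return problems
```

On the AIX box, feed the stdout of `/usr/krb5/bin/klist -k -e` to `parse_klist` and call `acceptor_entries` with the FQDN the ssh client used and the realm from the KDC log.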

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users