On Fri, 26 Apr 2013, naresh reddy wrote:
> Thank you very much, it worked.
> It's fantastic and I really appreciate your help.
> But this scenario is to use the Kerberos ticket for each time to login.
> What we are trying to establish is:
> users will have private and public ssh keys,
> public ssh keys will be updated to the freeipa server and
> then users will connect to the remote servers via the private ssh
> keys; remote servers need to authenticate via the keys received from
> the freeipa server.
> But the present working condition doesn't satisfy this as user needs to
> get the Kerberos ticket every life time.

I think you mix two different approaches.
In your debug log below:
debug1: Authentications that can continue:
This means public key can be used to authenticate, along with GSSAPI and
However, your issue is in the fact that you did not set up sshd to use
sss_ssh_authorizedkeys properly -- you missed the fact that both
AuthorizedKeysCommand and AuthorizedKeysCommandUser
should be configured and AuthorizedKeysCommand should only get the path
to the sss_ssh_authorizedkeys utility.
And it should work, works for me on Fedora 19.
There is one issue that 'AuthorizedKeysCommandUser' is a new option in
recent OpenSSH (6.2) and did not exist before. We have a patch to support
it already but it is not merged yet. In OpenSSH before 6.2 there was no
support for AuthorizedKeys and there was a Fedora/RHEL patch to add it. As
the patch evolved, first the user under which the command is run was
separated into the AuthorizedKeysCommandRunAs option and later upstream changed it
Thus, we have three different types of OpenSSH versions and a bit of
/ Alexander Bokovoy
Freeipa-users mailing list
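
A check for the sshd setup described in the reply above, as an added example that is not part of the original message: it lints an sshd_config for a path-only AuthorizedKeysCommand plus a run-as option, accepting either AuthorizedKeysCommandUser or the older patched AuthorizedKeysCommandRunAs. The path /usr/bin/sss_ssh_authorizedkeys, the user nobody and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint an sshd_config for the two settings named in the reply.
# Simplifications (assumptions): whitespace-separated "Keyword value" lines,
# first occurrence of a keyword wins, Match blocks are not treated specially.
check_authkeys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "authorizedkeyscommand" && !have_cmd {
            have_cmd = 1; cmd = $2; extra = NF - 2
        }
        (key == "authorizedkeyscommanduser" ||
         key == "authorizedkeyscommandrunas") && !have_user {
            have_user = 1
        }
        END {
            rc = 0
            if (!have_cmd) {
                print "FAIL: AuthorizedKeysCommand is not set"; rc = 1
            } else if (cmd !~ /\/sss_ssh_authorizedkeys$/) {
                print "FAIL: command is not sss_ssh_authorizedkeys: " cmd; rc = 1
            } else if (extra > 0) {
                print "FAIL: AuthorizedKeysCommand must be the path only, " \
                      extra " extra argument(s) found"; rc = 1
            }
            if (!have_user) {
                print "FAIL: no AuthorizedKeysCommandUser/RunAs option set"; rc = 1
            }
            if (rc == 0) print "OK: " cmd
            exit rc
        }
    ' "$1"
}

tmp=$(mktemp -d)
# Constructed sample: argument after the path, no run-as user configured.
printf '%s\n' 'PubkeyAuthentication yes' \
    'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u' > "$tmp/bad"
# Constructed sample: path only, run-as user set (user name is an assumption).
printf '%s\n' 'PubkeyAuthentication yes' \
    'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
    'AuthorizedKeysCommandUser nobody' > "$tmp/good"
check_authkeys "$tmp/bad" || true
check_authkeys "$tmp/good"
rm -rf "$tmp"
```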