On Fri, 26 Apr 2013, naresh reddy wrote:
Hi Alexander

Thank you very much, it worked.
It's fantastic and I really appreciate your help.

But this scenario is to use the Kerberos ticket each time to log in.

What we are trying to establish is:
users will have private and public SSH keys;
public SSH keys will be updated to the FreeIPA server; and

then users will connect to the remote servers via the private SSH
keys. Remote servers need to authenticate via the keys received from
the FreeIPA server.

But the present working condition doesn't satisfy this, as the user needs to
get the Kerberos ticket every lifetime.

I think you are mixing two different approaches.

In your debug log below:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
This means public key can be used to authenticate, along with GSSAPI and
plain password.

However, your issue is in the fact that you did not set up sshd to use
sss_ssh_authorizedkeys properly -- you missed the fact that both
   AuthorizedKeysCommand and AuthorizedKeysCommandUser
should be configured and AuthorizedKeysCommand should only get the path
to the sss_ssh_authorizedkeys utility.

Add

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

And it should work; it works for me on Fedora 19.

There is one issue: 'AuthorizedKeysCommandUser' is a new option in
recent OpenSSH (6.2) and did not exist before. We have a patch to support
it already, but it is not merged yet. In OpenSSH before 6.2 there was no
support for AuthorizedKeys, and there was a Fedora/RHEL patch to add it. As
the patch evolved, first the user under which the command is run was
separated into the AuthorizedKeysCommandRunAs option, and later upstream changed it
to AuthorizedKeysCommandUser.

Thus, we have three different types of OpenSSH versions and a bit of
configuration mess.

--
/ Alexander Bokovoy
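As an added example (not code from the thread or from the FreeIPA/SSSD projects), here is a small POSIX shell checker for the two sshd_config points Alexander raises: AuthorizedKeysCommand must hold only the path to sss_ssh_authorizedkeys, and a run-as user must be set under whichever option name the installed OpenSSH understands (AuthorizedKeysCommandUser on 6.2+, AuthorizedKeysCommandRunAs with the older Fedora/RHEL patch). The sample config fragments and the extra refusal of root as the run-as user are my additions.

```shell
#!/bin/sh
# Added example: lint an sshd_config for the sss_ssh_authorizedkeys setup.
# Accepts AuthorizedKeysCommandUser (OpenSSH 6.2+) or the older Fedora/RHEL
# AuthorizedKeysCommandRunAs. Returns 0 when the setup is complete, 1 otherwise.
check_sshd_keys_config() {
    cfg=$1; status=0
    # sshd honours the first occurrence of a keyword, so take the first match
    # of each option; keywords are case-insensitive and '#' lines are skipped.
    cmd=$(awk 'tolower($1)=="authorizedkeyscommand" {$1=""; sub(/^ +/,""); print; exit}' "$cfg")
    user=$(awk 'tolower($1)=="authorizedkeyscommanduser" {print $2; exit}' "$cfg")
    runas=$(awk 'tolower($1)=="authorizedkeyscommandrunas" {print $2; exit}' "$cfg")
    case "$cmd" in
        "") echo "MISSING: AuthorizedKeysCommand is not set"; status=1 ;;
        */sss_ssh_authorizedkeys) echo "OK: AuthorizedKeysCommand $cmd" ;;
        */sss_ssh_authorizedkeys" "*)
            echo "BAD: AuthorizedKeysCommand carries extra arguments ('$cmd'); give only the path"
            status=1 ;;
        *) echo "WARN: AuthorizedKeysCommand is '$cmd', not sss_ssh_authorizedkeys"; status=1 ;;
    esac
    who=${user:-$runas}
    [ -n "$user" ] && opt=AuthorizedKeysCommandUser || opt="AuthorizedKeysCommandRunAs (pre-6.2 Fedora/RHEL patch)"
    case "$who" in
        "") echo "MISSING: neither AuthorizedKeysCommandUser nor AuthorizedKeysCommandRunAs is set"
            status=1 ;;
        root) echo "BAD: $opt is root; run the helper as an unprivileged user such as nobody"
              status=1 ;;
        *) echo "OK: $opt $who" ;;
    esac
    return $status
}
# Constructed sshd_config fragments (not real files) covering the cases above.
write_sample() {   # write_sample <good|args|nouser|runas> <path>
    case "$1" in
        good)   printf '%s\n' 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
                              'AuthorizedKeysCommandUser nobody' ;;
        args)   printf '%s\n' '# run-as user mistakenly put on the command line' \
                              'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys nobody' ;;
        nouser) printf '%s\n' 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' ;;
        runas)  printf '%s\n' 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
                              'AuthorizedKeysCommandRunAs nobody' ;;
    esac > "$2"
}
for s in good args nouser runas; do
    f=$(mktemp); write_sample "$s" "$f"
    echo "== $s"; check_sshd_keys_config "$f"; echo "   exit status: $?"; rm -f "$f"
done
```

Point it at a real file with `check_sshd_keys_config /etc/ssh/sshd_config`; a zero exit means both options are present in the form the reply describes.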

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users