On the client side, the valid Kerberos ticket is present. The following SSH
configuration is used on the machine where the IPA client is running:

PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes 
UsePAM yes 
GSSAPIAuthentication yes 
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys 

I just checked the machine again: password authentication is used as a fallback
because the Kerberos setup on this machine seems to be messed up. I have tried
uninstalling the client and reinstalling it. During the installation I'm getting
the following message:

"A RA is not configured on the server. Not requesting host certificate." 

Trying to request the certificate manually results in:

ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 'CN=<host>,O=EXAMPLE.INFO' -v

Error org.fedorahosted.certmonger.duplicate: Certificate at same location is 
already used by request with nickname "20140416200517" 

So the certificate is already there. Do you have some hints?

----- Original Message -----

From: "Simo Sorce" <s...@redhat.com> 
To: "David Kreuter" <david.kreu...@bytesource.net> 
Cc: freeipa-users@redhat.com 
Sent: Wednesday, 16 April, 2014 8:50:39 PM 
Subject: Re: [Freeipa-users] PasswordAuthentication option for SSH 

On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote: 
> Hi, 
> Today I faced the issue that Kerberos authentication stopped working 
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a 
> FreeIPA client. The deactivation of this option was done due to 
> security issues. 
> Is it really necessary to have this option set to yes when using 
> Kerberos authentication?

No, GSSAPI authentication does not need PasswordAuthentication; of
course, it requires valid Kerberos credentials on the client and a valid
keytab on the server.


Simo Sorce * Red Hat, Inc * New York 
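
The reply above says GSSAPI authentication does not depend on PasswordAuthentication. The script below is an added example, not part of the thread and not FreeIPA or OpenSSH code. It resolves the global value of each keyword from sshd_config text and confirms GSSAPI stays enabled once passwords are switched off. The function names, the sample config and the fallback defaults (taken as upstream OpenSSH defaults) are assumptions, and only whitespace-separated "Keyword value" lines are handled.

```shell
#!/bin/sh
# Added example: resolve the global value of one sshd_config keyword.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and the global section ends at the first Match line.
effective() {  # usage: effective <keyword> <default>   (config text on stdin)
    awk -v want="$1" -v def="$2" '
        BEGIN { want = tolower(want); val = def }
        NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
        tolower($1) == "match" { exit }            # Match blocks are conditional
        tolower($1) == want { val = tolower($2); exit }   # first value wins
        END { print val }'
}

# Succeeds (exit 0) when GSSAPI is enabled globally and passwords are disabled.
gssapi_without_password() {
    cfg=$(cat)
    gss=$(printf '%s\n' "$cfg" | effective GSSAPIAuthentication no)
    pw=$(printf '%s\n' "$cfg" | effective PasswordAuthentication yes)
    [ "$gss" = yes ] && [ "$pw" = no ]
}

# Constructed sample: the settings from the post with PasswordAuthentication
# switched off, a lower-case keyword, a later duplicate that must be ignored,
# and a Match block that must not affect the global result.
SAMPLE='# constructed sshd_config fragment
PasswordAuthentication no
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
gssapiauthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
PasswordAuthentication yes
Match User backup
    GSSAPIAuthentication no'

for kw in PasswordAuthentication:yes GSSAPIAuthentication:no KerberosAuthentication:no
do
    name=${kw%%:*}
    printf '%-24s %s\n' "$name" "$(printf '%s\n' "$SAMPLE" | effective "$name" "${kw##*:}")"
done

if printf '%s\n' "$SAMPLE" | gssapi_without_password; then
    echo "GSSAPI enabled, password logins disabled"
else
    echo "check GSSAPIAuthentication / PasswordAuthentication"
fi
```

This checks the configuration only; the client credentials and the server keytab mentioned in the reply are separate requirements. On a live host, `sshd -T` prints the configuration sshd actually resolves.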
