On client side the valid Kerberos ticket is present. The following SSH
configuration is used on the machine where the IPA client is running:
Just checked the machine again, password authentication is used as fallback,
because the Keberos setup on this machine seems to be messed up. I have tried
to uninstall the client and reinstalled it. During the installation I'm getting
"A RA is not configured on the server. Not requesting host certificate."
Trying to request the certificate manually leads in:
ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N
Error org.fedorahosted.certmonger.duplicate: Certificate at same location is
already used by request with nickname "20140416200517"
So to certificate is already there. Do you have some hints?
----- Original Message -----
From: "Simo Sorce" <s...@redhat.com>
To: "David Kreuter" <david.kreu...@bytesource.net>
Sent: Wednesday, 16 April, 2014 8:50:39 PM
Subject: Re: [Freeipa-users] PasswordAuthentication option for SSH
On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote:
> Today I faced the issue that Kerberos authentication stopped working
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a
> FreeIPA client. The deactivation of this option was done due to
> security issues.
> Is it really necessary to have this option set to yes when using
> Keberos authentication?
No, GSSAPI authentication does not need PasswordAuthentication, of
course it requires valid kerberos credentials on the client and a valid
keytab on the server.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list