On the client side, a valid Kerberos ticket is present. The following SSH 
configuration is used on the machine where the IPA client is running: 


/etc/ssh/sshd_config 
---cut--- 
PasswordAuthentication yes 

KerberosAuthentication no 
PubkeyAuthentication yes 
UsePAM yes 
GSSAPIAuthentication yes 
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys 
---cut--- 


Just checked the machine again: password authentication is used as a fallback, 
because the Kerberos setup on this machine seems to be messed up. I have tried 
to uninstall the client and reinstall it. During the installation I'm getting 
the following message: 


"A RA is not configured on the server. Not requesting host certificate." 


Trying to request the certificate manually results in: 


ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 'CN=<host>,O=EXAMPLE.INFO' -v 


Error org.fedorahosted.certmonger.duplicate: Certificate at same location is 
already used by request with nickname "20140416200517" 


So the certificate is already there. Do you have some hints? 



----- Original Message -----

From: "Simo Sorce" <s...@redhat.com> 
To: "David Kreuter" <david.kreu...@bytesource.net> 
Cc: freeipa-users@redhat.com 
Sent: Wednesday, 16 April, 2014 8:50:39 PM 
Subject: Re: [Freeipa-users] PasswordAuthentication option for SSH 

On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote: 
> Hi, 
> 
> 
> Today I faced the issue that Kerberos authentication stopped working 
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a 
> FreeIPA client. The deactivation of this option was done due to 
> security issues. 
> 
> 
> Is it really necessary to have this option set to yes when using 
> Kerberos authentication? 

No, GSSAPI authentication does not need PasswordAuthentication. Of 
course, it requires valid Kerberos credentials on the client and a valid 
keytab on the server. 

Simo. 

-- 
Simo Sorce * Red Hat, Inc * New York 
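
The point made in the reply above, as an added example that is not part of the original thread: the posted sshd_config excerpt is evaluated with sshd's first-value-wins rule to show that gssapi-with-mic stays on offer when PasswordAuthentication is switched off. The function names and the DEFAULTS table are assumptions of this example; Match blocks and PAM keyboard-interactive are not modelled.

```python
import re

# Upstream OpenSSH defaults for the keywords examined here (a distribution
# build may differ; `sshd -T` on the host is authoritative).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kerberosauthentication": "no",
    "pubkeyauthentication": "yes",
    "gssapiauthentication": "no",
}

# The sshd_config excerpt posted in this thread.
POSTED = """\
PasswordAuthentication yes

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
"""

# Keyword, then whitespace or a single '=', then the argument string.
# Comment lines and blank lines do not match.
LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")

def effective(config_text):
    """Global-section settings as sshd reads them: first value per keyword wins."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":      # conditional overrides are out of scope here
            break
        if key not in seen:     # later duplicates are ignored by sshd
            seen.add(key)
            settings[key] = value
    return settings

def offered_methods(config_text):
    """Which of gssapi-with-mic, password and publickey the server would offer."""
    s = effective(config_text)
    names = {"gssapiauthentication": "gssapi-with-mic",
             "passwordauthentication": "password",
             "pubkeyauthentication": "publickey"}
    return sorted(m for k, m in names.items() if s[k] == "yes")

def kdc_checks_typed_password(config_text):
    """KerberosAuthentication only changes how a typed password is verified."""
    s = effective(config_text)
    return s["passwordauthentication"] == "yes" and s["kerberosauthentication"] == "yes"
```

On a live host, `sshd -T` prints the effective server settings and `klist -k /etc/krb5.keytab` lists the principals in the keytab that GSSAPI logins depend on.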

