On 04/16/2014 04:28 PM, David Kreuter wrote:
On client side the valid Kerberos ticket is present. The following SSH configuration is used on the machine where the IPA client is running:


/etc/ssh/sshd_config
---cut---
PasswordAuthentication yes
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
---cut---

Just checked the machine again, password authentication is used as fallback, because the Keberos setup on this machine seems to be messed up. I have tried to uninstall the client and reinstalled it. During the installation I'm getting following message:

"A RA is not configured on the server. Not requesting host certificate."

Trying to request the certificate manually leads in:

ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/<host> -N 'CN=<host>,O=EXAMPLE.INFO' -v

Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20140416200517"

When you removed the client certmonger was still tracking certs from the previous install. Use cermonger to un-track old cert(s) and try to re-install again. That should solve this problem.
I think is fixed in the latest version of IPA client.

As for SSH I think a quick search on the net renders several guides that show how to setup OpenSSH with GSSAPI.



So to certificate is already there. Do you have some hints?


------------------------------------------------------------------------
*From: *"Simo Sorce" <s...@redhat.com>
*To: *"David Kreuter" <david.kreu...@bytesource.net>
*Cc: *freeipa-users@redhat.com
*Sent: *Wednesday, 16 April, 2014 8:50:39 PM
*Subject: *Re: [Freeipa-users] PasswordAuthentication option for SSH

On Wed, 2014-04-16 at 20:08 +0200, David Kreuter wrote:
> Hi,
>
>
> Today I faced the issue that Kerberos authentication stopped working
> after disabling PasswordAuthentication in /etc/ssh/sshd_config on a
> FreeIPA client. The deactivation of this option was done due to
> security issues.
>
>
> Is it really necessary to have this option set to yes when using
> Keberos authentication?

No, GSSAPI authentication does not need PasswordAuthentication, of
course it requires valid kerberos credentials on the client and a valid
keytab on the server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to