Yogesh Sharma wrote:
> Hi,
> 
> We are getting error while trying to ssh using users created in IPA server.
> 
> root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94

You don't have a Kerberos ticket and you don't have ssh keys for this
user. kinit cm8158 first or get the ssh keys.

You'll need to use the FQDN of the host as well, rather than the IP
address, if using Kerberos.

rob

> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 52.74.84.94 [52.74.84.94] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug3: Incorrect RSA1 identifier
> debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
> debug1: identity file /root/.ssh/id_rsa type 1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "52.74.84.94" from file
> "/root/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:89
> debug3: load_hostkeys: loaded 1 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,z...@openssh.com
> debug2: kex_parse_kexinit: none,z...@openssh.com
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: mac_setup: setup hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: setup hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: bits set: 1584/3072
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Server host key: RSA 05:d1:fd:ee:1a:64:fd:6b:ec:a5:ac:66:34:6f:61:e7
> debug3: load_hostkeys: loading entries for host "52.74.84.94" from file
> "/root/.ssh/known_hosts"
> debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:89
> debug3: load_hostkeys: loaded 1 keys
> debug1: Host '52.74.84.94' is known and matches the RSA host key.
> debug1: Found key in /root/.ssh/known_hosts:89
> debug2: bits set: 1540/3072
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /root/.ssh/id_rsa (0x7f5d62f2cd10),
> debug2: key: /root/.ssh/id_dsa ((nil)),
> debug2: key: /root/.ssh/id_ecdsa ((nil)),
> debug2: key: /root/.ssh/id_ed25519 ((nil)),
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug3: start over, passed a different list
> publickey,gssapi-keyex,gssapi-with-mic
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred:
> gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> 
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No Kerberos credentials available
> 
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /root/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic
> debug1: Trying private key: /root/.ssh/id_dsa
> debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ecdsa
> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ed25519
> debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
> 
> 
> 
> 
> Below is the audit.log
> 
> type=CRYPTO_KEY_USER msg=audit(1427364618.180:2624): user pid=11570
> uid=0 auid=500 ses=328 msg='op=destroy kind=server
> fp=05:d1:fd:ee:1a:64:fd:6b:ec:a5:ac:66:34:6f:61:e7 direction=?
> spid=11570 suid=0  exe="/usr/sbin/sshd" hostname=? addr=61.16.237.50
> terminal=? res=success'
> type=CRYPTO_KEY_USER msg=audit(1427364618.181:2625): user pid=11570
> uid=0 auid=500 ses=328 msg='op=destroy kind=server
> fp=91:ae:3f:fc:6e:5e:ec:76:8f:00:50:ee:c0:1d:c4:dc direction=?
> spid=11570 suid=0  exe="/usr/sbin/sshd" hostname=? addr=61.16.237.50
> terminal=? res=success'
> type=CRYPTO_SESSION msg=audit(1427364618.261:2626): user pid=11569 uid=0
> auid=500 ses=328 msg='op=start direction=from-client cipher=aes128-ctr
> ksize=128 spid=11570 suid=74 rport=50263 laddr=20.0.0.159 lport=22
>  exe="/usr/sbin/sshd" hostname=? addr=61.16.237.50 terminal=? res=success'
> type=CRYPTO_SESSION msg=audit(1427364618.261:2627): user pid=11569 uid=0
> auid=500 ses=328 msg='op=start direction=from-server cipher=aes128-ctr
> ksize=128 spid=11570 suid=74 rport=50263 laddr=20.0.0.159 lport=22
>  exe="/usr/sbin/sshd" hostname=? addr=61.16.237.50 terminal=? res=success'
> type=USER_AUTH msg=audit(1427364618.913:2628): user pid=11569 uid=0
> auid=500 ses=328 msg='op=pubkey acct="cm8158" exe="/usr/sbin/sshd"
> hostname=? addr=61.16.237.50 terminal=ssh res=failed'
> type=CRYPTO_KEY_USER msg=audit(1427364618.993:2629): user pid=11569
> uid=0 auid=500 ses=328 msg='op=destroy kind=session fp=? direction=both
> spid=11570 suid=74 rport=50263 laddr=20.0.0.159 lport=22
>  exe="/usr/sbin/sshd" hostname=? addr=61.16.237.50 terminal=? res=success'
> type=USER_ERR msg=audit(1427364618.993:2630): user pid=11569 uid=0
> auid=500 ses=328 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd"
> hostname=61.16.237.50 addr=61.16.237.50 terminal=ssh res=failed'
> type=CRYPTO_KEY_USER msg=audit(1427364618.993:2631): user pid=11569
> uid=0 auid=500 ses=328 msg='op=destroy kind=server
> fp=05:d1:fd:ee:1a:64:fd:6b:ec:a5:ac:66:34:6f:61:e7 direction=?
> spid=11569 suid=0  exe="/usr/sbin/sshd" hostname=? addr=61.16.237.50
> terminal=? res=success'
> type=CRYPTO_KEY_USER msg=audit(1427364618.993:2632): user pid=11569
> uid=0 auid=500 ses=328 msg='op=destroy kind=server
> fp=91:ae:3f:fc:6e:5e:ec:76:8f:00:50:ee:c0:1d:c4:dc direction=?
> spid=11569 suid=0  exe="/usr/sbin/sshd" hostname=? addr=61.16.237.50
> terminal=? res=success'
> type=USER_LOGIN msg=audit(1427364618.994:2633): user pid=11569 uid=0
> auid=500 ses=328 msg='op=login acct="cm8158" exe="/usr/sbin/sshd"
> hostname=? addr=61.16.237.50 terminal=ssh res=failed'
> 
> 
> 
> Secure log:
> 
> Mar 26 10:11:58 ldap-inf-stg-sg1-01 sshd[11575]: reverse mapping
> checking getaddrinfo for del-static-50-237-16-61.direct.net.in
> [61.16.237.50] failed - POSSIBLE BREAK-IN ATTEMPT!
> Mar 26 10:11:58 ldap-inf-stg-sg1-01 sshd[11576]: Connection closed by
> 61.16.237.50
> 
> Best Regards,
> __________________________________________
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
> 
> RHCE, VCE-CIA, RackSpace Cloud U
> My LinkedIn Profile <http://in.linkedin.com/in/yks0000>
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
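
The diagnosis given in the reply can be read mechanically from the client's debug output. The following is an added example, not part of the original thread: `diagnose` and `is_ip_literal` are hypothetical helper names, and `SAMPLE_LOG` is constructed from the authentication-relevant lines of the quoted `ssh -vvv` output, with the mail wrapping undone.

```python
import ipaddress
import re

# Constructed sample: auth-relevant lines of the quoted `ssh -vvv` output, unwrapped.
SAMPLE_LOG = """\
debug1: Connecting to 52.74.84.94 [52.74.84.94] port 22.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"""

def is_ip_literal(host):
    """True when the ssh target was given as an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(log, user):
    """Return (finding, detail) tuples explaining a failed IPA/Kerberos ssh login."""
    findings = []
    lines = log.splitlines()
    m = re.search(r"Connecting to (\S+) \[", log)
    host = m.group(1) if m else ""
    offered = re.findall(r"Authentications that can continue: (\S+)", log)
    methods = set(offered[-1].split(",")) if offered else set()
    gss = {"gssapi-with-mic", "gssapi-keyex"} & methods
    if gss and "No Kerberos credentials available" in log:
        findings.append(("no-tgt", f"kinit {user}"))
    if gss and is_ip_literal(host):
        findings.append(("ip-target", "use the host's FQDN, not the IP, for Kerberos"))
    # A key was offered and the server still asked for more: key not accepted for this user.
    for i, line in enumerate(lines):
        if "Offering" in line and "public key" in line:
            if any("Authentications that can continue" in l for l in lines[i + 1:]):
                findings.append(("key-rejected", line.split(": ", 2)[-1]))
    if not methods & {"password", "keyboard-interactive"}:
        findings.append(("no-password-fallback", "server offers no password method"))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "cm8158"):
        print(finding)
```

On the sample it reports the two points from the reply (no ticket, IP address used as the target) plus two things the log also shows: the offered key was not accepted for the account, and the server advertises no password method to fall back on.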