Hello.
I've encountered an issue with ssh login to freeipa clients in a trusted environment. The getent/id commands work as expected, but password/publickey auth for a user from the ipa or AD domain does not work (gssapi works, by the way).
It seems like sss_ssh_authorizedkeys is not working properly in this case.

$ getent passwd admin
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash

$ getent passwd admin@cloud
admin:*:217600000:217600000:Administrator:/home/admin:/bin/bash

$ getent passwd Administrator@zone.local
administrator@zone.local:*:1742600500:1742600500:Administrator:/home/zone.local/administrator:/bin/bash

Establishing connection:
$ ssh -l admin@CLOUD 192.168.13.103 -i key.openssh
Received disconnect from 192.168.13.103: 2: Too many authentication failures for admin@CLOUD

Here's the log of connection:
/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
Disconnecting: Too many authentication failures for admin@CLOUD [preauth]

Trying to get the public key manually:
$ /usr/bin/sss_ssh_authorizedkeys admin@CLOUD
ssh-rsa AAAAB3NzaC~~

$ /usr/bin/sss_ssh_authorizedkeys admin
Error looking up public keys


Trying to connect with password auth:
$ ssh -l admin@CLOUD 192.168.13.103
admin@CLOUD@192.168.13.103's password:
X11 forwarding request failed on channel 0
Connection to 192.168.13.103 closed by remote host.
Connection to 192.168.13.103 closed.

/var/log/secure
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.13.106 user=admin@CLOUD
Accepted password for admin@CLOUD from 192.168.13.106 port 63054 ssh2
pam_unix(sshd:session): session opened for user admin@CLOUD by (uid=0)
fatal: login_init_entry: Cannot find user "admin"
pam_unix(sshd:session): session closed for user admin@CLOUD
fatal: login_init_entry: Cannot find user "admin"
fatal: mm_request_send: write: Broken pipe
Connection closed by 192.168.13.106 [preauth]

Auth succeeded, but login failed.


Versions:
CentOS  7.1.1503
sssd    1.12.2
freeipa 4.1.0
