Hi,

I have two hosts, "photon" and "hadron", and an LDAP user "roberto".
The user can login successfully on both machines.

The SSH pub key is uploaded.
Running "sss_ssh_authorizedkeys roberto" from both clients returns the same
key.

Port 22 is open on both clients, sshd is running on both clients.

On both clients, /etc/ssh/ssh_config is:
Host *
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
PubkeyAuthentication yes
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
GSSAPIAuthentication yes

On both clients, /etc/ssh/sshd_config is:
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
AuthorizedKeysCommandUser nobody


However, ssh from hadron to photon works, but the other way around doesn't:

roberto@photon $ ssh -vv hadron
OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron
debug1: permanently_drop_suid: 1172000006
debug1: identity file /home/roberto/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
*ssh_exchange_identification: Connection closed by remote host*


If I include a few other cases, this is the summary:
- photon to hadron FAILS
- photon to photon SUCCEEDS
- photon to ipa server SUCCEEDS
- photon to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)

- hadron to photon SUCCEEDS
- hadron to hadron FAILS
- hadron to ipa server SUCCEEDS
- hadron to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)

I know that the error above is quite generic, so I don't expect someone can
point out the exact cause, but perhaps someone can help me debug this? What
could I look at?

Thanks,
Roberto
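The question asks what to look at next. One way to answer it is to read the `ssh -vv` transcript by handshake stage: the client prints milestones in a fixed order, and the last one reached before the fatal line says which layer to inspect. The script below is an added example for this thread, not code from the poster, SSSD or FreeIPA. It takes the transcript quoted above (rewrapped onto single lines as a constructed sample), reports the stage at which the connection stalled, extracts the ProxyCommand that was in the path, and lists the stage-specific checks. The milestone patterns are those of OpenSSH 6.x debug output; the paths and commands in the check texts are the ones from the configuration in the post.

```python
"""Stage-based triage of `ssh -vv` client output.

Added example for this thread; it is not code from the poster, SSSD or
FreeIPA. Given the client's debug transcript it reports how far the handshake
got before the error and lists the checks that isolate that stage. SAMPLE_LOG
is the transcript quoted in the post, rewrapped onto single lines
(constructed sample input).
"""
import re

SAMPLE_LOG = """\
OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron
debug1: permanently_drop_suid: 1172000006
debug1: identity file /home/roberto/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/roberto/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
ssh_exchange_identification: Connection closed by remote host
"""

# Handshake milestones in the order an OpenSSH 6.x client reports them.
# The furthest milestone seen tells us which layer failed.
STAGES = [
    ("config",        re.compile(r"Reading configuration data")),
    ("proxy",         re.compile(r"Executing proxy command: (?:exec )?(?P<cmd>.+)")),
    ("connect",       re.compile(r"Connection established")),
    ("local_banner",  re.compile(r"Local version string")),
    ("remote_banner", re.compile(r"Remote protocol version")),
    ("kex",           re.compile(r"SSH2_MSG_KEXINIT sent")),
    ("hostkey",       re.compile(r"Server host key:")),
    ("auth",          re.compile(r"Authentications that can continue")),
    ("session",       re.compile(r"Authentication succeeded")),
]

# Checks that narrow down a failure at each stage. Paths and commands are the
# ones from the thread's configuration; HOST and USER are placeholders.
CHECKS = {
    "proxy": [
        "the ProxyCommand itself failed to start: run it by hand with the same "
        "-p and host arguments",
    ],
    "local_banner": [
        "the client sent its banner but the server's never arrived: retry with "
        "`ssh -o ProxyCommand=none HOST` to take sss_ssh_knownhostsproxy out of the path",
        "if the direct connection also dies, read sshd's log on the target "
        "(journalctl -u sshd or /var/log/secure) for why it closed the socket",
        "if the direct connection works, run `/usr/bin/sss_ssh_knownhostsproxy -p 22 HOST` "
        "by hand and check that /var/lib/sss/pubconf/known_hosts receives the target's key",
    ],
    "remote_banner": [
        "both banners were exchanged but key exchange never started: compare the "
        "protocol and cipher settings on both ends",
    ],
    "hostkey": [
        "a host key was presented but rejected: compare it with the entry in "
        "/var/lib/sss/pubconf/known_hosts and the key stored in IPA for the host",
    ],
    "auth": [
        "the transport is fine and authentication failed: run `sss_ssh_authorizedkeys USER` "
        "as the AuthorizedKeysCommandUser on the target and check sshd's log for "
        "AuthorizedKeysCommand errors",
    ],
}


def triage(log_text):
    """Return the furthest stage reached, the proxy command (if any),
    the first non-debug error line and the matching checks."""
    furthest = -1
    proxy_cmd = None
    error = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for index, (_, pattern) in enumerate(STAGES):
            match = pattern.search(line)
            if match:
                furthest = max(furthest, index)
                if "cmd" in match.groupdict():
                    proxy_cmd = match.group("cmd").strip()
                break
        # The client prefixes every diagnostic with "debug" and the version
        # line starts with "OpenSSH_"; anything else is the fatal message.
        if error is None and not line.startswith(("debug", "OpenSSH_")):
            error = line
    stage = STAGES[furthest][0] if furthest >= 0 else "none"
    return {
        "stage": stage,
        "proxy_command": proxy_cmd,
        "error": error,
        "checks": CHECKS.get(stage, ["no stage-specific check; inspect the full transcript"]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("stalled after stage:", result["stage"])
    print("proxy command:", result["proxy_command"])
    print("error:", result["error"])
    for check in result["checks"]:
        print(" -", check)
```

For the transcript in the post the furthest milestone is the local banner: the client wrote `SSH-2.0-OpenSSH_6.9` and the peer closed the pipe before any `Remote protocol version` line, so the interesting question is whether it was sshd on hadron or the proxy command between them that closed it. Running the same `ssh -vv` with `-o ProxyCommand=none` separates the two cases, and the target's sshd log says which side hung up.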
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project