Hi, I have two hosts, "photon" and "hadron", and an LDAP user "roberto". The user can login successfully on both machines.
The SSH pub key is uploaded . Running "sss_ssh_authorizedkeys roberto" from both clients returns the same key. Port 22 is open on both clients, sshd is running on both clients. On both client, /etc/ssh/ssh_config is: Host * GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts PubkeyAuthentication yes ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h GSSAPIAuthentication yes On both clients, /etc/ssh/sshs_config is: KerberosAuthentication no PubkeyAuthentication yes UsePAM yes AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys GSSAPIAuthentication yes AuthorizedKeysCommandUser nobody However, ssh from hadron to photon works, the other way around doesn't: roberto@photon $ ssh -vv hadron OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 56: Applying options for * debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron debug1: permanently_drop_suid: 1172000006 debug1: identity file /home/roberto/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/roberto/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/roberto/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/roberto/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/roberto/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/roberto/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/roberto/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/roberto/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.9 *ssh_exchange_identification: Connection closed by remote host* If I include a few other cases, this is the summary: - photon to hadron FAILS - photon to photon SUCCEEDS - photon to ipa server SUCCEEDS - photon to (non-ipa-client) FAILS before asking password (no keypair suthentication expected here) - hadron to photon SUCCEEDS - hadron to hadron FAILS - hadron to ipa server SUCCEEDS - hadron to (non-ipa-client) FAILS before asking password (no keypair suthentication expected here) I know that the error above is quite generic, so I don't expect someone can point out the exact cause, but perhaps someone can help me debug this? What could I look at? Thanks, Roberto
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
