Hmm, please forgive me. It appears that sshd was NOT running on hadron. I HAD checked before, but ... I don't know... a big ball of wibbily wobbly timey wimey...stuff must have happened.
Sorry for the waste of time.

On 28 August 2015 at 17:10, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
> Hi,
>
> I have two hosts, "photon" and "hadron", and an LDAP user "roberto".
> The user can login successfully on both machines.
>
> The SSH pub key is uploaded.
> Running "sss_ssh_authorizedkeys roberto" from both clients returns the same key.
>
> Port 22 is open on both clients, sshd is running on both clients.
>
> On both clients, /etc/ssh/ssh_config is:
>     Host *
>         GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
>         PubkeyAuthentication yes
>         ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>         GSSAPIAuthentication yes
>
> On both clients, /etc/ssh/sshd_config is:
>     KerberosAuthentication no
>     PubkeyAuthentication yes
>     UsePAM yes
>     AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
>     GSSAPIAuthentication yes
>     AuthorizedKeysCommandUser nobody
>
> However, ssh from hadron to photon works, the other way around doesn't:
>
>     roberto@photon $ ssh -vv hadron
>     OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
>     debug1: Reading configuration data /etc/ssh/ssh_config
>     debug1: /etc/ssh/ssh_config line 56: Applying options for *
>     debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron
>     debug1: permanently_drop_suid: 1172000006
>     debug1: identity file /home/roberto/.ssh/id_rsa type 1
>     debug1: key_load_public: No such file or directory
>     debug1: identity file /home/roberto/.ssh/id_rsa-cert type -1
>     debug1: key_load_public: No such file or directory
>     debug1: identity file /home/roberto/.ssh/id_dsa type -1
>     debug1: key_load_public: No such file or directory
>     debug1: identity file /home/roberto/.ssh/id_dsa-cert type -1
>     debug1: key_load_public: No such file or directory
>     debug1: identity file /home/roberto/.ssh/id_ecdsa type -1
>     debug1: key_load_public: No such file or directory
>     debug1: identity file /home/roberto/.ssh/id_ecdsa-cert type -1
>     debug1: key_load_public: No such file or directory
>     debug1: identity file /home/roberto/.ssh/id_ed25519 type -1
>     debug1: key_load_public: No such file or directory
>     debug1: identity file /home/roberto/.ssh/id_ed25519-cert type -1
>     debug1: Enabling compatibility mode for protocol 2.0
>     debug1: Local version string SSH-2.0-OpenSSH_6.9
>     *ssh_exchange_identification: Connection closed by remote host*
>
> If I include a few other cases, this is the summary:
> - photon to hadron FAILS
> - photon to photon SUCCEEDS
> - photon to ipa server SUCCEEDS
> - photon to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)
>
> - hadron to photon SUCCEEDS
> - hadron to hadron FAILS
> - hadron to ipa server SUCCEEDS
> - hadron to (non-ipa-client) FAILS before asking password (no keypair authentication expected here)
>
> I know that the error above is quite generic, so I don't expect someone can point out the exact cause, but perhaps someone can help me debug this?
> What could I look at?
>
> Thanks,
> Roberto
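The lesson of the thread is that an `ssh_exchange_identification: Connection closed by remote host` right after the local version string, with every host routed through `sss_ssh_knownhostsproxy`, means the proxy's TCP stream died before sshd ever sent its banner, which is what an unreachable or stopped sshd looks like from behind a ProxyCommand. The triage helper below is added here as an example (not code from the thread or from the SSSD project): it classifies an `ssh -vv` transcript by whether the failure happened before or after the banner exchange, checks the port directly, and re-runs ssh with `ProxyCommand=none` so the underlying transport error is visible. The `SAMPLE_TRANSPORT_FAILURE` transcript is constructed to mirror the failing photon-to-hadron attempt; `tcp_port_open` assumes bash and coreutils `timeout` are installed.

```shell
#!/bin/sh
# Triage helper for "ssh_exchange_identification" failures behind a ProxyCommand.

# Classify an `ssh -vv` transcript read from stdin. Prints one of:
#   transport - stream closed before the server's SSH-2.0 banner arrived; with a
#               ProxyCommand in place this hides a refused/unreachable sshd, so
#               check the daemon before looking at keys or sssd
#   auth      - banner exchanged, failure happened during authentication
#   ok        - authentication succeeded
#   unknown   - none of the above markers present
classify_ssh_debug() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Authentication succeeded'; then
        echo ok
    elif printf '%s\n' "$log" | grep -q 'ssh_exchange_identification' \
        && ! printf '%s\n' "$log" | grep -q 'Remote protocol version'; then
        echo transport
    elif printf '%s\n' "$log" | grep -q 'Permission denied'; then
        echo auth
    else
        echo unknown
    fi
}

# Is anything listening on host:port, bypassing the ProxyCommand entirely?
# Uses bash's /dev/tcp with a 3 second timeout; returns 0 when reachable.
tcp_port_open() {
    host=$1
    port=${2:-22}
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Full triage of one host: raw port check, then ssh with the proxy disabled
# (ProxyCommand=none) so a plain "Connection refused" is no longer masked.
triage_host() {
    host=$1
    if tcp_port_open "$host" 22; then
        echo "$host: port 22 reachable"
    else
        echo "$host: nothing listening on port 22 (is sshd running there?)"
    fi
    ssh -vv -o ProxyCommand=none -o BatchMode=yes "$host" true 2>&1 \
        | classify_ssh_debug
}

# Constructed transcript shaped like the failing photon -> hadron attempt.
SAMPLE_TRANSPORT_FAILURE='debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron
debug1: Local version string SSH-2.0-OpenSSH_6.9
ssh_exchange_identification: Connection closed by remote host'
```

Run `triage_host hadron` from photon; a `transport` verdict together with a closed port points at sshd (or a host firewall), not at `sss_ssh_authorizedkeys` or the key in IPA.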
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project