Thanks for that. From what I've read there is no simple right answer. In 2013 
RedHat itself says to leave ChallengeResponseAuthentication set to no "due to 
security reasons".

Setting PasswordAuthentication yes seems to leave all the other settings within 
thee sshd_config file like "PermitRootLogin without-password" which may be 
overridden elsewhere if ChallengeResponseAuthentication is set to yes


-----Original Message-----
From: Simo Sorce [] 
Sent: 25 February 2016 15:01
To: Terry John
Subject: Re: [Freeipa-users] 14: No supported authentication methods available

On Thu, 2016-02-25 at 14:36 +0000, Terry John wrote:
> This turned out to be a setting in /etc/ssh/sshd_config which gets 
> overridden by ipa-client-install. Needed to un-comment
> PasswordAuthentication yes

This is disabled because we enable ChallengeResponseAuthentication which is a 
superset of PasswordAuthentication.

PasswordAuthentication can't deal with PAM prompts, it is a oneshot only option 
(ie fails if PAM asks you to make a pasword change), while 
ChallengeResponseAuthentication is the more modern method that properly deals 
with PAM prompts.

You should prefer ChallengeResponseAuthentication over PasswordAuthentication.


> Terry
> From: 
> [] On Behalf Of Terry John
> Sent: 18 February 2016 11:41
> To:
> Subject: [Freeipa-users] 14: No supported authentication methods 
> available
> I have an AWS instance running Centos 6.7 correctly configured for freeipa 
> but I needed to make a backup machine which would remain live.
> I created a clone of the machine and changed the host name and the settings 
> in /etc/hosts. When I tried to run ipa-client-install it told me to run the 
> uninstall which I did. This had the worrying effect of not being able to log 
> into my original live server but thankfully after a while it came good. I 
> don't know why.
> Back on the new server I ran 'ipa-client-install --enable-dns-updates 
> -mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI 
> and I added it to the same host group as the original server. But when I try 
> to log in via SSH I get the error 'No supported authentication methods 
> available'. I do have root access via the AWS Key file.
> As far as I can tell all the relevant settings seem the same between the two 
> servers but one works and the other doesn't. I can kinit and klist using my 
> freeipa account. 'getent netgroup my-servergroup' works fine.
> I can't seem to find anything relevant in the sssd logs and 
> /var/log/secure just give me the same error of no supported 
> authentication methods available
> I have noticed in /var/log/messages when I restart sssd and error 
> which may be relevant but can't find anything useful so far
> sssd[be[]]: dereference processing failed : Input/output 
> error
> Thanks
> Terry
> The Manheim group of companies within the UK comprises: Manheim Europe 
> Limited (registered number: 03183918), Manheim Auctions Limited (registered 
> number: 00448761), Manheim Retail Services Limited (registered number: 
> 02838588), Limited (registered number: 05975777), Real Time 
> Communications Limited (registered number: 04277845) and Complete Automotive 
> Solutions Limited (registered number: 05302535). Each of these companies is 
> registered in England and Wales with the registered office address of Central 
> House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies 
> operates under various brand/trading names including Manheim Inspection 
> Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim 
> Aftersales Solutions.
> V:0CF72C13B2AC
> --
> Manage your subscription for the Freeipa-users mailing list:
> Go to for more info on the project

Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to