Thanks for that. From what I've read there is no simple right answer. In 2013 
Red Hat itself says to leave ChallengeResponseAuthentication set to no "due to 
security reasons".

https://access.redhat.com/solutions/336773

Setting PasswordAuthentication yes seems to leave all the other settings within 
the sshd_config file like "PermitRootLogin without-password" which may be 
overridden elsewhere if ChallengeResponseAuthentication is set to yes.

Terry

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: 25 February 2016 15:01
To: Terry John
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 14: No supported authentication methods available

On Thu, 2016-02-25 at 14:36 +0000, Terry John wrote:
> This turned out to be a setting in /etc/ssh/sshd_config which gets 
> overridden by ipa-client-install. Needed to un-comment
> 
> PasswordAuthentication yes

This is disabled because we enable ChallengeResponseAuthentication which is a 
superset of PasswordAuthentication.

PasswordAuthentication can't deal with PAM prompts, it is a oneshot only option 
(i.e. fails if PAM asks you to make a password change), while 
ChallengeResponseAuthentication is the more modern method that properly deals 
with PAM prompts.

You should prefer ChallengeResponseAuthentication over PasswordAuthentication.

HTH,
Simo.


> Terry
> 
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Terry John
> Sent: 18 February 2016 11:41
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] 14: No supported authentication methods 
> available
> 
> I have an AWS instance running Centos 6.7 correctly configured for freeipa 
> but I needed to make a backup machine which would remain live.
> 
> I created a clone of the machine and changed the host name and the settings 
> in /etc/hosts. When I tried to run ipa-client-install it told me to run the 
> uninstall which I did. This had the worrying effect of not being able to log 
> into my original live server but thankfully after a while it came good. I 
> don't know why.
> 
> Back on the new server I ran 'ipa-client-install --enable-dns-updates 
> -mkhomedir' and it seemed to run ok. The host was created on the freeipa GUI 
> and I added it to the same host group as the original server. But when I try 
> to log in via SSH I get the error 'No supported authentication methods 
> available'. I do have root access via the AWS Key file.
> 
> As far as I can tell all the relevant settings seem the same between the two 
> servers but one works and the other doesn't. I can kinit and klist using my 
> freeipa account. 'getent netgroup my-servergroup' works fine.
> 
> I can't seem to find anything relevant in the sssd logs and 
> /var/log/secure just gives me the same error of no supported 
> authentication methods available
> 
> I have noticed in /var/log/messages when I restart sssd an error 
> which may be relevant but can't find anything useful so far
> 
> sssd[be[my.domain.net]]: dereference processing failed : Input/output 
> error
> 
> Thanks
> 
> Terry
> 
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


-- 
Simo Sorce * Red Hat, Inc * New York
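
The following is an added example, not part of the original messages and not FreeIPA or OpenSSH code: a small checker that resolves which of the settings discussed in this thread are in effect in an sshd_config and which password-style methods the server would then advertise. The function names, the defaults table (assumed upstream OpenSSH values for unset keywords) and the sample config are assumptions made for illustration; Match blocks are ignored.

```python
import re

# Assumed defaults for unset keywords (upstream OpenSSH values, not from the thread).
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes",
            "usepam": "no", "permitrootlogin": "yes"}

# Constructed sample: a commented-out "yes" above an explicit "no".
LOCKED = """\
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin without-password
"""

def effective(config_text):
    """Global values sshd would use: the first occurrence of a keyword wins."""
    seen = {}
    for line in map(str.strip, config_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are not global settings
            break
        if key in DEFAULTS and len(parts) == 2:
            seen.setdefault(key, parts[1].strip().strip('"').lower())
    return {**DEFAULTS, **seen}

def interactive_methods(cfg):
    """Password-style methods the server would advertise to a client."""
    methods = []
    if cfg["passwordauthentication"] == "yes":
        methods.append("password")
    # Simplification: keyboard-interactive is treated as available only through PAM.
    if cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes":
        methods.append("keyboard-interactive")
    return methods

def review(cfg):
    """Notes for the two situations raised in the thread."""
    methods, notes = interactive_methods(cfg), []
    if not methods:
        notes.append("no interactive method offered; only key or GSSAPI logins can succeed")
    if cfg["permitrootlogin"] == "without-password" and "keyboard-interactive" in methods:
        notes.append("verify that root cannot log in through keyboard-interactive (PAM)")
    return notes

if __name__ == "__main__":
    print(review(effective(LOCKED)))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolved and is the authoritative check; the parser above only illustrates the first-match rule and the interaction between the options.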

