Thank you Lukas. The issue , not being able to login to some servers in our setup with ssh keys, was due to incorrect permissions on /usr directory,per the following entry in /var/log/secure.
*sshd: error: bad ownership or modes for AuthorizedKeysCommand path component "/usr"* After setting up the permissions for /usr to 755, I was able to login to these servers with ssh private keys. Thank you again,Lukas, for your help. Regards Venkataramana On Fri, Sep 16, 2016 at 11:51 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote: > On (15/09/16 11:46), Venkataramana Kintali wrote: > >Hi Lukas, > >ssh_config is also same on all servers. > >Our need is to do it both ways, to be able to login with ssh public > >keys(uploaded in IPA) and disable password login, and be able to access > >allhosts within the same IPA domain silently from any host. > >Hoping the configs will help, I am including the configurations here. > > > >ssh_config file : http://pastebin.com/MWHyH1Qw > >sshd_config file: http://pastebin.com/gpn5XhXM > >sssd_config file: http://pastebin.com/5Pby6xKp > > > Looks good to me > > >I just used some placeholders for sssd_config file in pastebin instead of > >actual values. > > > > In initial mail you wrote: > >I am able to login to some IPA clients but not able to login to other IPA > >clients with putty using private key and passphrase. > Therefore your previous test case is wrong. > If you want to test authentication with public keys > then you cannot obtain krb5 ticket with kinit. > > I would also recommend to call kdestory before > authentication with ssh to be sure that gssapi > authentication will not be used. > > I would recomment to set "debug_level = 7" in domain and ssh section > on the server where you woudl like to authenticate. > then restart sssd and try to authenticate with ssh + verbose mode > e.g. ssh -v u...@remote.host > > Then I would recommend to compare logs from working server > and from broken server. > > LS >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project